ADR 003 - PKI
Date
- Feb/23/2026
  - First documentation
- Mar/06/2026
  - Add expiry-date observation method
Status
- Accepted
Context
- All communications except loop-back should be encrypted
- SSH and TLS communications need keys and certificates
- Public CAs never issue certificates for the private domain '.internal'
- Issuing and renewing certificates should be automated
- Revocation is not needed in this single, small environment
Consideration
Automation protocol
- JWK/JWT provisioner
  - Pre-shared secret values are harder to manage than ACME (especially with nsupdate)
- authorized_keys
  - As the number of nodes grows, authorized_keys becomes hard to manage
  - An SSH ca.pub trusts every certificate signed by the CA key, so authorized_keys no longer has to be managed on each host
Revocation
- CRL/OCSP/OCSP stapling
  - All long-term certificates are managed manually
  - All short-term certificates are managed by ACME
  - If a certificate is leaked, it is easier to replace the intermediate CA itself
Decisions
- Operate a private CA
  - Root CA (stored in cold storage) - 10 years
  - Intermediate CA (online server running Step-CA) - 5 years
  - SSH CA - no validity period
- Manage certificates on two tracks
  - ACME with nsupdate (against private DNS) for web services via Caddy - 90 days
  - Manually issued and managed leaf certificates for infra services, to keep them independent - 2.5 years
  - Expiry dates of all manually issued leaf certificates are monitored by x509-exporter on the infra VM
- Manage SSH certificates
  - *-cert.pub for hosts (signed with the -h option)
  - *-cert.pub for clients (signed without -h)
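As an added illustration of the certificate hierarchy decided above (this is example code, not part of the ADR or of Step-CA), the script below builds a root, an intermediate and a manually issued leaf with throwaway keys under a temporary directory, verifies the chain against the root alone, and checks the leaf's remaining lifetime with `openssl x509 -checkend` as a stand-in for the x509-exporter alert. The "Example ... CA" names, the host name web.internal and the day counts approximating 10 / 5 / 2.5 years are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the ADR: root / intermediate / leaf hierarchy
# from the Decisions section, built with throwaway keys in a temp directory.
# CA names, the host web.internal and the day counts are constructed values.
set -eu

# Validity periods in days, approximating the ADR's 10 y / 5 y / 2.5 y.
ROOT_DAYS=3650
INT_DAYS=1826
LEAF_DAYS=913

# newkey FILE : fresh P-256 private key
newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# build_pki DIR : writes root.crt, intermediate.crt, leaf.crt (and keys) into DIR
build_pki() {
  dir=$1
  mkdir -p "$dir"

  # Root CA: self-signed; after this step its key belongs in cold storage.
  newkey "$dir/root.key"
  openssl req -new -key "$dir/root.key" -subj '/CN=Example Root CA' -out "$dir/root.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days "$ROOT_DAYS" \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

  # Intermediate CA: the only online signer; pathlen:0 stops it minting sub-CAs.
  newkey "$dir/intermediate.key"
  openssl req -new -key "$dir/intermediate.key" -subj '/CN=Example Intermediate CA' \
    -out "$dir/intermediate.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' \
                'authorityKeyIdentifier=keyid:always' > "$dir/intermediate.ext"
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days "$INT_DAYS" -extfile "$dir/intermediate.ext" \
    -out "$dir/intermediate.crt" 2>/dev/null

  # Leaf for an infra service on the private .internal zone (the manual track).
  newkey "$dir/leaf.key"
  openssl req -new -key "$dir/leaf.key" -subj '/CN=web.internal' -out "$dir/leaf.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=critical,digitalSignature' \
                'extendedKeyUsage=serverAuth' \
                'subjectAltName=DNS:web.internal' \
                'authorityKeyIdentifier=keyid:always' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
    -CAcreateserial -days "$LEAF_DAYS" -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# verify_chain DIR : succeeds only if leaf -> intermediate -> root validates
# with the root as the sole trust anchor (what clients should trust).
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# verify_without_intermediate DIR : fails, showing the TLS endpoint must
# serve the intermediate alongside the leaf; the root alone is not enough.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# expires_within CERT DAYS : exit 0 when CERT will have expired DAYS from now.
# Stand-in for the x509-exporter check on manually issued leaves.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo run: prints the leaf subject and notAfter, the chain result, and the
# renewal verdict for a 30-day window.
main() {
  d=$(mktemp -d)
  build_pki "$d"
  openssl x509 -in "$d/leaf.crt" -noout -subject -enddate
  verify_chain "$d" && echo "chain: OK"
  if expires_within "$d/leaf.crt" 30; then echo "leaf: renew now"; else echo "leaf: not due within 30 days"; fi
  rm -rf "$d"
}
main
```

The root is signed with `openssl x509 -req -signkey` and explicit extension files rather than `openssl req -x509`, so the result does not depend on whatever `v3_ca` section the local openssl.cnf ships. The monitoring check mirrors the decision to watch expiry on the manual track: the ACME track renews itself, the 2.5-year leaves do not.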
Consequences
- A private PKI is operated
- A private SSH CA is operated
- All external/internal communication is encrypted with TLS, using TLS re-encryption (E2EE)
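To make the SSH CA decision and the authorized_keys consideration concrete, the following added example (not from the ADR) creates an SSH CA with ssh-keygen, signs one host certificate with `-h` and one user certificate without it, classifies each from `ssh-keygen -L`, and prints the two trust settings (sshd_config `TrustedUserCAKeys` / `HostCertificate` and a known_hosts `@cert-authority` line) that replace per-host authorized_keys and known_hosts entries. The host name web.internal, the user alice, the validity windows and the /etc/ssh paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the ADR: an SSH CA signing a host certificate
# (-h) and a user certificate (no -h) with ssh-keygen. Names, principals,
# validity windows and /etc/ssh paths are constructed placeholders.
set -eu

# make_ssh_ca DIR : CA keypair DIR/ssh_ca and DIR/ssh_ca.pub (the ca.pub
# every host and client trusts instead of individual keys)
make_ssh_ca() {
  mkdir -p "$1"
  ssh-keygen -q -t ed25519 -N '' -C 'example ssh ca' -f "$1/ssh_ca"
}

# sign_host_cert DIR HOST : -h makes a host certificate; the principal is the
# name clients connect to. Writes DIR/HOST-cert.pub next to DIR/HOST.pub.
sign_host_cert() {
  dir=$1; host=$2
  ssh-keygen -q -t ed25519 -N '' -f "$dir/$host"
  ssh-keygen -q -s "$dir/ssh_ca" -I "host:$host" -h -n "$host" -V -5m:+52w "$dir/$host.pub"
}

# sign_user_cert DIR USER : without -h this is a user certificate; the
# principal list names the accounts it may log in as. Short-lived on purpose.
sign_user_cert() {
  dir=$1; user=$2
  ssh-keygen -q -t ed25519 -N '' -f "$dir/$user"
  ssh-keygen -q -s "$dir/ssh_ca" -I "user:$user" -n "$user" -V -5m:+1d "$dir/$user.pub"
}

# cert_type CERTFILE : prints "host" or "user", parsed from the Type: line of
# ssh-keygen -L (e.g. "Type: ssh-ed25519-cert-v01@openssh.com host certificate")
cert_type() {
  ssh-keygen -L -f "$1" | awk '/Type:/ { print $(NF-1) }'
}

# trust_config DIR : the settings that make the CA key the single trust
# anchor. sshd trusts user certs via TrustedUserCAKeys and presents its own
# host cert; clients trust host certs via one @cert-authority line.
trust_config() {
  ca=$(cut -d' ' -f1,2 "$1/ssh_ca.pub")
  printf '# sshd_config on every host\n'
  printf 'TrustedUserCAKeys /etc/ssh/ssh_ca.pub\n'
  printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
  printf '# known_hosts on every client\n'
  printf '@cert-authority *.internal %s\n' "$ca"
}

# Demo run in a temp directory (skipped when ssh-keygen is not installed).
ssh_ca_demo() {
  d=$(mktemp -d)
  make_ssh_ca "$d"
  sign_host_cert "$d" web.internal
  sign_user_cert "$d" alice
  echo "web.internal-cert.pub is a $(cert_type "$d/web.internal-cert.pub") certificate"
  echo "alice-cert.pub is a $(cert_type "$d/alice-cert.pub") certificate"
  trust_config "$d"
  rm -rf "$d"
}
command -v ssh-keygen >/dev/null 2>&1 && ssh_ca_demo
```

Adding a node then means signing its host key and installing ca.pub, not touching authorized_keys anywhere; the `-V` window on user certificates is what stands in for revocation in the "no CRL/OCSP" decision above.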