# ADR 003 - PKI

## Date

- Feb/23/2026
  - First documentation
- Mar/06/2026
  - Add expiry-date observation method

## Status

- Accepted

## Context

- All communications except loop-back should be encrypted
- SSH and TLS communications need keys and certificates
- Public CAs never issue certificates for private domains such as '.internal'
- Automate issuing and renewing certificates
- Revocation is not needed in this single, small environment.

## Consideration

### Automation protocol

- JWK/JWT provisioner
  - Pre-shared secret values are harder to manage than ACME (especially with nsupdate)
- authorized_keys
  - As the number of nodes grows, authorized_keys becomes hard to manage.
  - An SSH CA public key (ca.pub) trusts every certificate signed by the CA key, so authorized_keys no longer needs to be managed on each host.

### Revocation

- CRL/OCSP/OCSP stapling
  - All long-term certificates are managed manually
  - All short-term certificates are managed by ACME
  - If certificates leak, it is easier to replace the intermediate CA itself

## Decisions

- Operate a private CA
  - Root CA (stored in cold storage) - 10 years
  - Intermediate CA (online server running Step-CA) - 5 years
  - SSH CA - no validity period
- Manage certificates on two tracks
  - ACME with nsupdate (using private DNS) for web services via Caddy - 90 days
  - Manually issued and managed leaf certificates for infra services, for independence - 2.5 years
    - The expiry date of every manually issued leaf certificate is observed by x509-exporter on the infra VM
- Manage SSH certificates
  - *-cert.pub for hosts (signed with the -h option)
  - *-cert.pub for clients (signed without the -h option)

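As an added example (not part of this ADR, and not Step-CA, Caddy or x509-exporter code), the Go program below builds the decided hierarchy in memory with the standard library only: a self-signed root valid 10 years, an intermediate valid 5 years signed by it, and a manually issued leaf valid 2.5 years; it then checks the leaf the way a TLS client would and reports the days left before it expires, which is the value the expiry observation depends on. The host name infra.internal, Ed25519 keys and keeping the root in memory are assumptions of the example; in the decision above the root key lives in cold storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for cn, valid [nb, na), with a fresh Ed25519 key; a nil parent means self-signed.
func issue(cn string, serial int64, nb, na time.Time, isCA bool,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na,
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !isCA { // a leaf must not sign other certificates; it serves TLS for its own (assumed) name instead
		t.KeyUsage, t.ExtKeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // the root: issuer == subject, signed with its own key (kept offline in the ADR)
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return cert, key, err
}
// BuildChain mirrors the ADR lifetimes: root 10 years, intermediate 5 years, manually issued infra leaf 2.5 years.
func BuildChain(now time.Time) (root, inter, leaf *x509.Certificate, err error) {
	var rootKey, interKey ed25519.PrivateKey
	if root, rootKey, err = issue("Root CA", 1, now, now.AddDate(10, 0, 0), true, nil, nil); err == nil {
		if inter, interKey, err = issue("Intermediate CA", 2, now, now.AddDate(5, 0, 0), true, root, rootKey); err == nil {
			leaf, _, err = issue("infra.internal", 3, now, now.AddDate(2, 6, 0), false, inter, interKey)
		}
	}
	return root, inter, leaf, err
}
// CheckLeaf does what a TLS client and an expiry exporter do at time at: chain leaf -> inter -> root and count days left.
func CheckLeaf(root, inter, leaf *x509.Certificate, at time.Time) (daysLeft int, err error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "infra.internal", CurrentTime: at})
	return int(leaf.NotAfter.Sub(at).Hours() / 24), err
}
```

Checking the leaf at a time past its 2.5-year lifetime makes Verify fail, which is how a missed manual renewal surfaces to clients once the exporter's days-left gauge has reached zero.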
## Consequences

- A private PKI is operated
- A private SSH CA is operated
- All external/internal communication is encrypted using TLS re-encryption (E2EE)