@craigbro@infosec.exchange
Have my #stepca working, and certs for imap installed. However, they are not working on iOS and I suspect it's because iPhone cert policies don't like root certs with 10 year life spans. Works in macOS just fine.
Inspired by @jwildeboer@social.wildeboer.net I spent the evening learning all about #smallstepca and getting a nix module working with support for my web and mail services. I crossed a threshold of comprehension where the role of the step-ca server, the cli client, and Provisioners clicked into place.
The key insight is that the server is an API for frequent certificate operations, like renewal, with limits and templates for a provisioner. I am still using a mental model of long lived certificates, after decades of dealing with them and the fallout of expiry and failed renewal in a context where one has not automated so much of the certificate lifecycle.
I still get a bit alarmed at the thought of 16 hr effective lifetimes of certificates, combined with refusal to renew after expiry. Having to re-provision so many certs and having the CA be a point of failure for all your communications seems like a big risk for questionable gains.
It also means entire communication fabrics freezing or falling apart if a CA is attacked or simply bitrots away, or a critical comms path is shut down for an extended period.
Perhaps these worries will dissipate once I learn more about provisioning tokens and hope to make onboarding and issuing new certs trivial.
I want this to be easy enough for the equivalent of an enthusiast to operate like they would a network file share or other consumer grade home computing infrastructure.
Kudos to the smallstep team and others who have advanced the state of this art.
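The renewal arithmetic behind the worries above, as an added example that is not from the posts or the smallstep project: it assumes the step client's daemon mode renews once two thirds of a certificate's lifetime has elapsed (treated here as a configurable fraction), and works out how long a CA outage a 16-hour certificate actually tolerates before hosts fall back to re-enrolment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the step client's daemon mode renews once two thirds of the
# certificate lifetime has elapsed; keep the fraction in one place.
RENEW_AT_FRACTION = 2 / 3


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

    @property
    def renew_at(self) -> datetime:
        return self.not_before + self.lifetime * RENEW_AT_FRACTION


def next_action(cert: Cert, now: datetime) -> str:
    """What the renewing client must do at time `now`.

    'wait'      - early in the lifetime, nothing to do
    'renew'     - past the renewal point but still valid: renew using the
                  existing cert as the credential
    're-enroll' - expired: the CA will not renew it, so a fresh
                  provisioner token (or other enrolment path) is needed
    """
    if now >= cert.not_after:
        return "re-enroll"
    if now >= cert.renew_at:
        return "renew"
    return "wait"


def ca_outage_tolerance(lifetime: timedelta) -> timedelta:
    """Longest CA outage a fleet survives without any cert expiring.

    Clients first try to renew at renew_at; if the CA is unreachable from
    then on, each cert still lasts until not_after, so the margin is the
    remaining (1 - RENEW_AT_FRACTION) of the lifetime.
    """
    return lifetime * (1 - RENEW_AT_FRACTION)


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample
    cert = Cert(issued, issued + timedelta(hours=16))
    for hours in (1, 11, 17):
        print(hours, next_action(cert, issued + timedelta(hours=hours)))
    print(ca_outage_tolerance(timedelta(hours=16)))  # 5:20:00
```

With a 16-hour lifetime the renewal point is 10h40m after issuance, so a CA that is down for more than 5h20m starts producing expired certs that can only be replaced by re-provisioning.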
Giving #librewolf a try, since I ran into an annoying issue where Firefox had no means of forgetting the transport security header settings for one of my homelab domains.
It's already winning by not requiring me to disable a half dozen options that leak all my activity to the Mozilla paymasters.