@craigbro@infosec.exchange
Inspired by @jwildeboer@social.wildeboer.net I spent the evening learning all about #smallstepca and getting a nix module working with support for my web and mail services. I crossed a threshold of comprehension where the role of the step-ca server, the cli client, and Provisioners clicked into place.
The key insight is that the server is an API for frequent certificate operations, like renewal, with limits and templates for a provisioner. I am still using a mental model of long lived certificates, after decades of dealing with them and the fallout of expiry and failed renewal in a context where one has not automated so much of the certificate lifecycle.
I still get a bit alarmed at the thought of 16 hr effective lifetimes of certificates, combined with refusal to renew after expiry. Having to re-provision so many certs and having the CA be a point of failure for all your communications seems like a big risk for questionable gains.
It also means entire communication fabrics freezing or falling apart if a CA is attacked or simply bitrots away, or a critical comms path is shut down for an extended period.
Perhaps these worries will dissipate once I learn more about provisioning tokens, and I hope to make onboarding and issuing new certs trivial.
I want this to be easy enough for the equivalent of an enthusiast to operate like they would a network file share or other consumer grade home computing infrastructure.
Kudos to the smallstep team and others who have advanced the state of this art.
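As an added illustration of the "limits and templates per provisioner" point above (this is not the author's configuration or the smallstep project's own example), the fragment below is a `ca.json` excerpt for step-ca with two provisioners: a JWK provisioner for hosts enrolled with a one-time token, and an ACME provisioner for web services. The provisioner names, the template path and the key material are placeholders; the claim names are step-ca's, but `allowRenewalAfterExpiry` is only honoured by recent step-ca releases, so treat its availability as an assumption to check against your installed version.

```json
{
  "authority": {
    "provisioners": [
      {
        "type": "JWK",
        "name": "hosts@example.internal",
        "key": {
          "use": "sig",
          "kty": "EC",
          "kid": "PLACEHOLDER-KEY-ID",
          "crv": "P-256",
          "alg": "ES256",
          "x": "PLACEHOLDER-X",
          "y": "PLACEHOLDER-Y"
        },
        "encryptedKey": "PLACEHOLDER-ENCRYPTED-PRIVATE-KEY",
        "claims": {
          "minTLSCertDuration": "5m",
          "defaultTLSCertDuration": "16h",
          "maxTLSCertDuration": "24h",
          "disableRenewal": false,
          "allowRenewalAfterExpiry": false
        },
        "options": {
          "x509": {
            "templateFile": "/etc/step-ca/templates/host.tpl"
          }
        }
      },
      {
        "type": "ACME",
        "name": "acme",
        "claims": {
          "defaultTLSCertDuration": "16h",
          "maxTLSCertDuration": "24h"
        }
      }
    ]
  }
}
```

The `claims` block is where the lifetime policy in the post lives: a client asking this provisioner for a certificate gets 16 hours by default and cannot exceed 24 hours, and with `allowRenewalAfterExpiry` left at `false` a certificate that has lapsed cannot be renewed and the host must re-enroll with a fresh token. The `templateFile` option is the per-provisioner template hook, so web-server and mail-server provisioners can constrain subject, SANs and key usages independently. With lifetimes this short the renewal step has to be a daemon rather than a cron job; `step ca renew --daemon` renews ahead of expiry, which is the piece that keeps the CA's availability from turning into an outage of every service behind it.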