
Self-hosted certificate authority


I recently set up a private CA, i.e. certificate authority, using Step CA. Here are a few things I learnt:

  • Step CA generates the following at the start (during `step ca init`):
    • Root certificate and corresponding private key.
      • The former is the trust anchor and should be distributed to every client device that needs to trust the CA.
      • The latter is super-secret and should ideally be kept offline; it is only needed to sign (or later replace) the intermediate.
    • Intermediate certificate and corresponding private key.
      • The latter is a secret but not super-secret, and is supposed to be kept online because the CA needs it for every issuance.
      • These two are used to sign the end (leaf) certificates that services should use. Those certificates have a short expiry (step-ca defaults to 24 hours; anything from 1 to 90 days is common).
      • If the intermediate is compromised, it can be thrown away and a new {certificate, private-key} pair can be signed using the root pair. Rotation alone does not invalidate what the old intermediate already signed, though: clients that trust the root will keep accepting leaf certificates it issued until they expire (or until it is revoked), which is one more reason to keep leaf lifetimes short.
  • The intermediate {certificate, private-key} pair signs the leaf certificates that services present. On the client side, the chain of trust (leaf, signed by the intermediate, signed by the root the client already holds) is what allows it to set up a proper TLS connection with the service. Since clients only hold the root, the service has to send the intermediate along with its leaf.
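
The hierarchy described above, rebuilt with plain openssl instead of the `step` CLI so that each piece is visible. This is an added example, not code from the original post or from Step CA; the names (`Example Root CA`, `service.internal`), lifetimes and working directory are illustrative assumptions. It also goes one step further than the post and rotates the intermediate, to show what rotation does and does not fix.

```shell
#!/bin/sh
# Added example, not code from the original post or from Step CA: rebuild the
# root -> intermediate -> short-lived leaf hierarchy that `step ca init` sets
# up, using only openssl, and check it the way a TLS client would.
# Names, subjects and lifetimes are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles: a CA profile for the intermediate (pathlen:0 stops it
# from minting further CAs) and a server profile for leaves.
cat > intermediate.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:service.internal
EOF
cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca
[dn]
CN = Example Root CA
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# issue NAME SUBJECT DAYS SIGNER EXTFILE
# Generates a fresh P-256 key and CSR for NAME and has SIGNER sign it.
issue() {
  name=$1 subject=$2 days=$3 signer=$4 ext=$5
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "$subject" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA "$signer.crt" -CAkey "$signer.key" \
    -CAcreateserial -days "$days" -sha256 -extfile "$ext" -out "$name.crt" 2>/dev/null
}

# verify_chain LEAF INTERMEDIATE: a client that holds only root.crt checks the
# pair the service sent. Exit status 0 means the chain is good.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
}

# verify_leaf_alone LEAF: the same client when the service forgot to send the
# intermediate. This must fail: root.crt did not sign the leaf directly.
verify_leaf_alone() {
  openssl verify -CAfile root.crt "$1.crt" >/dev/null 2>&1
}

# 1. Root: self-signed and long-lived. Its key is the "super-secret" one; once
#    the intermediate is signed it is only needed for rotation, so it can go
#    offline.
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout root.key -out root.crt -days 3650 -sha256 -config root.cnf 2>/dev/null

# 2. Intermediate: signed by the root, kept online because every issuance
#    needs its key.
issue intermediate "/CN=Example Intermediate CA" 1825 root intermediate.ext

# 3. Leaf for the service: signed by the intermediate, valid for one day.
issue leaf "/CN=service.internal" 1 intermediate leaf.ext
cat leaf.crt intermediate.crt > fullchain.pem   # what the service would serve

# 4. Rotate the intermediate as if it had been compromised: the root signs a
#    replacement and new leaves come from that. The old leaf is untouched and
#    keeps verifying against the old intermediate until it expires; the short
#    lifetime, not the rotation, is what bounds the exposure.
issue intermediate2 "/CN=Example Intermediate CA G2" 1825 root intermediate.ext
issue leaf2 "/CN=service.internal" 1 intermediate2 leaf.ext

# Stand-alone run: show the outcomes.
verify_chain leaf intermediate   && echo "leaf + intermediate: chain OK"
verify_leaf_alone leaf           || echo "leaf alone: rejected (intermediate missing)"
verify_chain leaf2 intermediate2 && echo "leaf2 + intermediate2: chain OK"
verify_chain leaf intermediate2  || echo "old leaf + new intermediate: rejected"
verify_chain leaf intermediate   && echo "old leaf + old intermediate: still OK until expiry"
echo "leaf expiry: $(openssl x509 -in leaf.crt -noout -enddate)"
```

Run it as-is and it leaves the key and certificate files in a temporary directory (set `WORK` to choose one). The `fullchain.pem` it writes is the shape of file a reverse proxy such as Traefik needs for a service: leaf first, then the intermediate, never the root, which the clients already have.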

Why Step CA and not hand-issued X.509 certificates?

  • Step CA issues X.509 certificates too; the difference is in how they are issued and renewed. Certificates made by hand (e.g. with openssl) would be static and long-lived, whereas Step CA automates issuing and renewing short-lived ones, and Traefik can request them itself through step-ca's ACME provisioner. Otherwise, both would have worked with Traefik, which is the reverse proxy I use.