Comment on Do you run a private CA? Could you tell me about your certificate setup if you do?
MigratingtoLemmy@lemmy.world 6 months agoThank you for your comment. My apologies in replying so late.
After reading a bit more and thinking about my setup, I think I will run intermediate CAs. Specifically, because I want to set up an ad-hoc mTLS setup, I might keep intermediate CAs for different classes of devices/different purposes. I will need to delve deeper into it, but for now, I think I have a grasp on the idea I need to implement, in which case, intermediate CAs will likely be a better idea. Thank you.
Thanks for the material, it would seem that I have a lot of reading left to do :)
deepdive@lemmy.world 6 months ago
Hey don’t worry :)
Yeah, this could be a time saver in case you should/need to revoke certificates in your homelab setup ! Imagine changing the rootCA store on 20 devices … Ugh !
Happy reading/tweaking ! Have fun !
MigratingtoLemmy@lemmy.world 6 months ago
Hmm, I think I’m a bit confused now.
Let’s say I have 2 intermediary CAs: one to create certificates for my servers (going to be reverse-proxies + a couple of VMs), and one for my clients (Android devices, maybe a linux machine).
I’m planning to rotate both CAs on a bi-weekly schedule, and rotate the root CA every 6 months. In which case, wouldn’t I have to insert new certificates into my servers every time I rotate the intermediary “server” CA, and the same for my clients when I rotate the “client” CA? If I don’t do that, won’t I get SSL errors every time I try to access something because the certificate expired?