If you are doing it right your CA private key is on a different machine without network connectivity.
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Giancarlo Razzolini
Sent: Friday, July 31, 2015 9:34 AM
To: Peter Hessler; li...@wrant.com
Cc: misc@openbsd.org
Subject: Re: Maintaining CAs not in cert.pem

On 31-07-2015 03:07, Peter Hessler wrote:
> this is a real problem for real people.

Which was pretty much solved with PKP [0]. As I mentioned, custom CAs have their uses, but in the end, they are just one more thing waiting to bite you in the ass. You can pretend to have decent OPSEC for a while, but in the end your CA private key will end up being on the same machine your certs are being used on.

With PKP you can disregard the CA completely, but your certificate will be recognized on pretty much every device.

It's nice that the discussion spawned a change in the way certs.pem is handled on system upgrades, but moving it to examples is not a solution (shouldn't even be discussed, ironically).

The bottom line is, want your own CA, deal with it.

[0] http://tools.ietf.org/html/rfc7469
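The PKP mechanism referred to above (RFC 7469, HTTP Public Key Pinning) works by having the server announce base64(SHA-256(DER SubjectPublicKeyInfo)) values for keys it controls, so a client that has seen the header later accepts a chain only if some certificate in it carries a pinned key, regardless of which CA signed it. The following is an added example written for this page, not code from the thread or from OpenBSD. The key material is constructed filler bytes, not real keys, and `ec_p256_spki` is a hypothetical helper that only wraps a point in the DER SPKI envelope so the hashing step can be shown offline; with a real certificate you would take the SPKI from the certificate itself.

```python
"""RFC 7469 (HPKP) pin computation, header construction and chain validation.

Added example; the SPKI bytes below are constructed, not real keys.
"""
import base64
import hashlib


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False, report_uri=None) -> str:
    """Build a Public-Key-Pins header value.

    RFC 7469 requires at least two pins: one matching the served chain and one
    backup pin for a key held in reserve, so a key rollover does not lock
    clients out for the whole max-age period.
    """
    if len(pins) < 2:
        raise ValueError("RFC 7469 requires a backup pin in addition to the active pin")
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={int(max_age)}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def chain_matches_pins(chain_spki_ders, pins) -> bool:
    """Client-side check (RFC 7469 section 2.6): the connection is pin-valid if
    any SPKI in the presented chain hashes to any of the remembered pins.
    The issuing CA is irrelevant to this decision."""
    remembered = set(pins)
    return any(pin_sha256(spki) in remembered for spki in chain_spki_ders)


def ec_p256_spki(point_bytes: bytes) -> bytes:
    """Hypothetical helper: DER SubjectPublicKeyInfo for an uncompressed P-256
    point. Only the envelope matters for pinning; the point is not validated."""
    if len(point_bytes) != 65 or point_bytes[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point starting with 0x04")
    # AlgorithmIdentifier: SEQUENCE { id-ecPublicKey, prime256v1 }
    alg = bytes.fromhex("3013" "06072a8648ce3d0201" "06082a8648ce3d030107")
    # BIT STRING with zero unused bits wrapping the point
    bitstr = b"\x03\x42\x00" + point_bytes
    body = alg + bitstr  # 21 + 68 = 89 bytes = 0x59
    return b"\x30\x59" + body


# Constructed sample material (filler bytes, not real keys).
LEAF_SPKI = ec_p256_spki(b"\x04" + bytes(range(64)))
BACKUP_SPKI = ec_p256_spki(b"\x04" + bytes(range(64, 128)))
ROGUE_SPKI = ec_p256_spki(b"\x04" + bytes(range(128, 192)))

LEAF_PIN = pin_sha256(LEAF_SPKI)
BACKUP_PIN = pin_sha256(BACKUP_SPKI)
PINS = [LEAF_PIN, BACKUP_PIN]

# Header the server would send; 30 days max-age as a constructed value.
PKP_HEADER = build_pkp_header(PINS, max_age=30 * 24 * 3600, include_subdomains=True)

if __name__ == "__main__":
    print("Public-Key-Pins:", PKP_HEADER)
    print("legit chain accepted:", chain_matches_pins([LEAF_SPKI], PINS))
    print("rogue chain accepted:", chain_matches_pins([ROGUE_SPKI], PINS))
```

To pin a real certificate, extract its SPKI with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`; the result is the same value `pin_sha256` computes over those DER bytes. The backup pin is the part that bites operators: if the reserve private key is lost along with the active one, every client that cached the header refuses the site until max-age expires, so the backup key needs the same offline custody the reply above argues for with a CA key. Browsers have since removed HPKP support, so the same pin logic today mostly lives in mobile and API clients rather than in the Public-Key-Pins header.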