Hello Andreas
On 13.05.2021 13:05, Andreas Fink wrote:
Jeroen Massar wrote on 13.05.21 10:46:
On 2021-05-13 11:29, Andreas Fink wrote:
Hello all,
I need to get some SSL certificates for some african country operations
and i can unfortunately not use letsencrypt for this.
Any reason? What are your requirements?
the mailserver I use, does not support ACME setup. I can only do old
style SSL certificate requests.
for the webserver its not an issue though.
I am using LEGO [1] for ACME with DNS, so none of the servers need to
support ACME. I am using it with an own dedicated dynamic sub-zone
through RFC2136, but there is also a large selection of DNS providers to
choose from (if the domains are hosted there). From the FreeBSD Ports
[2] I got lego.sh (which I had to modify a little bit for DNS), which
does weekly checks through periodic. For the also needed deploy.sh I
wrote my own doing a copy of the new certificates into an timestamped
directory and sending me an email with instructions on how to run a
third script for doing all the distribution for that certain
certificate, which then does copy (scp) the new certificates to the
systems / services needed, and also restart services. Something I do not
wanted to do unattended.
[1] https://github.com/go-acme/lego
[2] https://cgit.freebsd.org/ports/tree/security/lego
Would ZeroSSL (https://zerossl.com) who also do ACME work?
No. ACME is the issue. And ZeroSSL is hosted in the US on cloudflare
with a cloudflare SSL certificate. So by definition not DSGVO conform as
NSA could theoretially infiltrate cloudflare to infliltrate all my certs
etc. etc. It might be far fetched but since snowden, we know that many
things we considered far far far fetched are not anymore.
As Jeroen already mention, the private key of the certificate is always
in your own possession, if you are doing it right. At least a long time
ago the already mention domestic CA did create a private key for you, if
you did not supply a CSR (certificate signing request) during the
process, this may have changed. LEGO (or probably any other ACME
client), does create a local private key and CSR on your own system.
Then only the CSR is sent to the CA, and the CA will sign this with
their private key and return the certificate back to you. If the
certificate does not match with the key, it will not work and clients
will report an error as they are unable to decrypt the content which was
encrypted from your private key.
So in general I do not see any problems regarding GDPR with using any CA
(even in the US). But there are more things which could be done to get a
better privacy for the user visiting your sites. As currently browser
are doing OCSP (Online Certificate Status Protocol) request back to the
issuing CA on each visit to your site, you should also look into
implement OCSP Stapling. Your site will regularly fetch this OCSP
answers (they are valid for quite a while) from the CA, and then return
them to the client browser on first visit.
PS: Also consider to set CAA entries in DNS to only allow your chosen CA
to create certificates for you.
Best regards,
Fabian
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
