Hello, welcome to the Friday, April 16th, 2021 edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I wrote a little post and probably don't really do the topic justice, but about setting up your own internal certificate authority.

I see really two big reasons why you want to do this. First of all, yes, you could get free

certificates from sites like Let's Encrypt, but the problem with that is that these sites keep

certificate transparency logs.

So essentially, you're advertising your internal host names to the world by retrieving these

certificates.

And we actually have seen some scans immediately following having a certificate issued.

Secondly, having your internal certificate authority, of course,

gives you more freedom in how you exactly authenticate to that authority, how you verify

what host names you would like to validate using that internal certificate authority.

So the big piece here is that in the old days, you could essentially

sort of set this up with a bunch of shell scripts and then issue yourself certificates that

were valid for a very long time. I often used to do something like 10 years, which was fine for

these internal certificates. I could deploy them and then essentially forget about them.

But browsers lately have become more picky and will not accept certificates that are valid

for more than 13 months.

So now you have to actually maintain these certificates.

And of course, the protocol that we all love from Let's

Encrypt is the ACMI protocol that often allows us to automate that process. Putting all of this

together, let me to a small step. Small step is a certificate authority that I believe

...