@blequerrec So there are people who haven't read https://www.bortzmeyer.org/tester-expiration-certifs.html ?
And this morning, a Basque Certificate Authority broke the La Poste website.
#mondialisation #x509 #pkix #viedelinternet
I like digital certificates so much that I find this idea, automatically creating lots of certificates with a very short lifetime, nice.
#RFC 8739: Support for Short-Term, Automatically-Renewed (#STAR) Certificates in Automated Certificate Management Environment (#ACME)
What I ended up doing was publish #PKIX-TA assertions for the #LetsEncrypt root certificate in #DNSSEC, and hope that it doesn't change too often. Because they don't bother publishing a policy. This means anyone who can fool #LetsEncrypt can publish fake certificates for my domain, but at least random governments and enterprise #TLS #MITM boxes can't.
#pkix #letsencrypt #dnssec #tls #mitm
DANE support is basically nonexistent. By default, #Certbot generates a new key every time it renews a certificate, meaning #DANE-EE and #PKIX-EE require manual intervention every single time. Since a few months back, you can tell #Certbot to keep the same key forever, but should you want to do key rollover less frequently you get to handle #DANE-EE and #PKIX-EE manually anyway.
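The two posts above describe the same operational problem from both sides: a TLSA record pins either a trust anchor (PKIX-TA) or the end-entity key (DANE-EE / PKIX-EE), and a renewal that silently changes the key leaves the published record pointing at nothing. The following Python is an added example (not code from any of the posters, and not Certbot's or Let's Encrypt's code) that computes TLSA record data from a certificate with only the standard library and checks a freshly issued certificate against the records already published, so a post-renewal hook can flag the mismatch before the old record goes live with the new key. The certificate it runs on is a constructed stand-in with the real DER layout but dummy contents, and the "published" record set is constructed too; `make_toy_spki`, `make_toy_cert`, `tlsa_rdata` and `matches_tlsa` are names chosen here, not a library API.

```python
"""Compute DANE TLSA rdata (RFC 6698 / RFC 7671) for a certificate and
check it against published records, using only the standard library."""
import hashlib


def _der_tlv(data, pos):
    """Parse one DER tag-length header at pos; return (tag, header_len, value_len)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")


def _children(data, pos):
    """Yield (start, end) offsets of each child TLV of the constructed element at pos."""
    _, hlen, vlen = _der_tlv(data, pos)
    p = pos + hlen
    end = p + vlen
    while p < end:
        _, h, l = _der_tlv(data, p)
        yield p, p + h + l
        p += h + l


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (selector 1)."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs_start, _ = next(_children(cert_der, 0))
    fields = list(_children(cert_der, tbs_start))
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    skip = 1 if cert_der[fields[0][0]] == 0xA0 else 0  # explicit [0] version present?
    start, end = fields[skip + 5]
    return cert_der[start:end]


def tlsa_rdata(cert_der, usage, selector, mtype):
    """Render 'usage selector mtype hex' as it would appear in a TLSA record."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, digest)


def matches_tlsa(cert_der, published):
    """Return the published end-entity records (usage 1 or 3) this certificate satisfies.
    Trust-anchor usages (0 and 2) need the chain, so they are left out of this check."""
    hits = []
    for rec in published:
        usage, selector, mtype, digest = rec.split()
        if usage not in ("1", "3"):
            continue
        if tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3] == digest.lower():
            hits.append(rec)
    return hits


# ---- constructed test fixtures: a certificate-shaped DER blob, not a real cert ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_toy_spki(raw_key):
    """SubjectPublicKeyInfo with the Ed25519 OID (1.3.101.112) and the given dummy key bytes."""
    alg = _der(0x30, _der(0x06, b"\x2b\x65\x70"))
    return _der(0x30, alg + _der(0x03, b"\x00" + raw_key))


def make_toy_cert(spki):
    """Certificate with the real field order and dummy issuer/subject/signature."""
    version = _der(0xA0, _der(0x02, b"\x02"))                       # [0] EXPLICIT v3
    serial = _der(0x02, b"\x01")
    sigalg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    name = _der(0x30, b"")                                          # empty RDNSequence
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, version + serial + sigalg + name + validity + name + spki)
    return _der(0x30, tbs + sigalg + _der(0x03, b"\x00" + b"\x00" * 4))


if __name__ == "__main__":
    old_cert = make_toy_cert(make_toy_spki(bytes(range(32))))
    published = [tlsa_rdata(old_cert, 3, 1, 1)]          # what is in DNS today
    new_cert = make_toy_cert(make_toy_spki(bytes(range(32, 64))))  # renewal with a fresh key
    print("published:", published[0])
    print("new cert matches published records:", bool(matches_tlsa(new_cert, published)))
```

In a renewal hook you would feed the just-issued certificate (DER) to `matches_tlsa` together with the TLSA set currently served for `_443._tcp.<host>`; an empty result means the key changed and the DNS record must be updated (or, with Certbot, that `--reuse-key` was not in effect). Selector 1 with matching type 1 ("3 1 1") is the common choice because it survives reissuance of the same key, which is exactly the property the key-reuse setting is meant to preserve.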