On 2/24/13 12:23 AM, Vernon Schryver wrote:
> I wonder if DANE could have prevented Microsoft's recent difficulty
> with expired SSL certs.
> https://www.google.com/search?tbm=nws&as_q=microsoft+azure+ssl
> Instead of an annual bout with internal purchase order and invoice red
> tape and with red tape at the CA, could Microsoft have automated the
> generation of certs and fingerprint TLSA RRs just as many automate
> their generation of zone signing RRSIG RRs?
> (Never mind that microsoft.com lacks RRSIG RRs.)

I started working on something like this using cfengine. Creating the certificates, checking the expiry and regenerating a certificate is fairly trivial[1]. I didn't get around to automating the publication of the TLSA as the requirements changed a little. However, this was the high-level process I was thinking of.
* When the certificate is due to expire in 30 or fewer days, generate a new one (with a different name, $cert.new)
* Add the new TLSA record to the zone
* Have a cron job that queries for the TLSA periodically
* If there are 2 TLSA records:
  - check the website to see which cert is currently in use
  - check for the .new file and validate that it is the other cert
* Create some state, i.e. NEW TLSA added at X
* If (current time - X) > TTL:
  - move the new certificate to the correct location
  - restart the web server
  - remove the old TLSA

Like I said, I didn't get around to implementing this, so I'm sure there will be some flaws.

Regards
John

[1] http://pastebin.com/31impqkc

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
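The rollover procedure John sketches above, written out as an added example that is not part of his post or his cfengine/pastebin code. It assumes DANE-EE TLSA records of the form "3 0 1" (full certificate, SHA-256), so only the DER bytes are hashed and no X.509 parsing is needed; the `RolloverState` fields, the `next_action` decision function and the sample certificate bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Set


def tlsa_rdata(cert_der: bytes) -> str:
    """Presentation-format rdata of a DANE-EE TLSA record: usage 3 (end
    entity), selector 0 (full certificate), matching type 1 (SHA-256).
    Selector 0 means only the DER bytes are hashed, so no X.509 parsing."""
    return "3 0 1 " + hashlib.sha256(cert_der).hexdigest()


@dataclass
class RolloverState:
    """Constructed snapshot of what the cron job can observe on one run."""
    published: Set[str]            # TLSA rdata currently answered by the zone
    served_der: bytes              # certificate the web server presents right now
    new_der: Optional[bytes]       # contents of $cert.new, if the file exists
    new_added_at: Optional[float]  # the "NEW TLSA added at X" state, epoch secs
    ttl: int                       # TTL of the TLSA RRset


def next_action(state: RolloverState, now: float) -> str:
    """Decide what the periodic cron job should do, following the steps in
    the post: one TLSA means nothing to roll; two means validate that the
    .new file is the other cert and swap once the new record has been
    published for longer than the TTL. Anything inconsistent is an alarm."""
    served = tlsa_rdata(state.served_der)
    if served not in state.published:
        return "alarm: served certificate has no TLSA record"
    if len(state.published) == 1:
        return "wait: single TLSA, nothing to roll"
    if len(state.published) != 2:
        return "alarm: unexpected number of TLSA records"
    if state.new_der is None:
        return "alarm: two TLSA records but no .new certificate"
    new = tlsa_rdata(state.new_der)
    if state.published != {served, new}:
        return "alarm: .new certificate is not the other published TLSA"
    if state.new_added_at is None:
        return "alarm: no 'NEW TLSA added at' state recorded"
    # The post waits only for the TTL; resolvers may also hold the old
    # RRset until secondaries have refreshed, so add a margin in practice.
    if now - state.new_added_at > state.ttl:
        return "install-new-cert"  # move .new into place, restart httpd, drop old TLSA
    return "wait: new TLSA not yet published for longer than the TTL"
```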