§Tue
some rough working notes for eon’s capability interface to provision TLS certificates:
- modified the client to read the capability from a file and write the certs to a directory.
- todo:
  - persistence
  - account key
  - wildcard certs
- should we do CSR on the client or server?
- should we do renewals on the client or server?
  - let’s store everything on the server
- renewals keep the same private key?
  - no, new certificate
renewals:
- sturdyrefs for capabilities mapped to domains
- keep track of expiry
update interface
- do we mimic DNS UPDATE? yes
- do we pass binary blob? no
todo
- provisioning a cert for root
  - https://github.com/mirage/ca-certs-nss
  - https://github.com/suri-framework/castore
- multiple domains
  - SAN
  - CN
  - extensions
§Thu
done:
- subject alternative name
- generate caps for every authoritative domain
- client exits
- capc multiple domains
- delegation persist capability
- persistence
NB ocaml-letsencrypt doesn’t support revocation or deletion