I typed it like that with the slim hope that someone would misinterpret it, lol.
No VNC
I don’t mean them specifically, but to me, managing access to such a CA cert’s keys is a security nightmare, because if I somehow get an infection and it finds the cert file and the private key, it’ll be much easier for it to make itself more persistent than I want.
If you can’t resist installing random shit on your CA server then sure. No attacker will really try to compromise a home CA so you really only have to worry about viruses which should be kept extremely far from the CA anyways. And obviously follow all other security precautions like good passwords or even passwordless with certificate login (remember that you have a CA server so you can easily issue authentication certificates and enroll them on a smart card or Yubikey)
The private key should also be in a TPM (or an HSM like we do at work, but that’s a bit extreme for home use) and be non-exportable. Managing access to the private key isn’t really that hard; it should just never ever leave the CA server and you are pretty much good to go.
You can also do a two tier PKI with an offline CA and an issuing CA like I’m planning to do for an AD DS, AD CS, AD FS lab.
Personally I think wildcard certificates sound like a bigger security problem than a CA, since those certificates will likely be placed on a lot of servers, and if just a single one gets compromised the attacker can impersonate whatever subdomain they feel like. With a CA server you could issue individual certificates to each server/service.
Private CA servers are very common and are actually a security positive. I’m not saying that everyone needs one at home, but you shouldn’t be afraid to set one up if you want to.
What do you mean?
Of course their own CA can sign certificates for whatever the fuck it wants, but it’s their CA so why would they do that?
You obviously shouldn’t trust anyone else’s CA unless you actually trust it. But if you don’t trust your own CA what’s the point of having a CA?
P.S. I’m guessing OP doesn’t actually have a CA and is just using simple self-signed certificates without any private CA that has signed them.
You also need money, materials, and space to build housing though and I doubt all immigrants are carpenters, electricians, plumbers, and all the other professionals needed to build homes.
Moode maybe.
Yeah, absolutely!
I actually like the change.
It’s just that it will create a lot of work for us (especially for me and my colleague) short term. I would very much appreciate it if Google actually bothered to give an exact timeline (optimally a few months or a year in advance).
You are supposed to be tracking when they expire and then renew/replace them before they expire.
PSA: All public certificates (private internal certificates won’t be affected) will have a lifetime of only 90 days soon. Google is planning to reduce their lifetime in 2024 but considering that they haven’t given an update on this since early this year, I doubt it will happen this year.
But it will happen soon.
This will be a pain in the ass for my workplace because we primarily use Digicert, and manually renewing certificates every 90 days is just impossible for us. We are currently looking into a way to switch to Let's Encrypt or similar.
Afaik if you actually need something you will get it fairly quickly.
That’s why the healthcare system can be slow. We use triage heavily.
It’s possible that the passwords went through an old-ass COBOL system or something that forced everything to be capitalized, so to solve that they made everything non-case-sensitive.
But even that sounds insane as the passwords should have been hashed.
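On the case-insensitive password comments above: an added example (mine, not the poster's) of what a hashed password store looks like in shell with openssl, and why a hashed store cannot be compared case-insensitively at all unless the password is case-folded before hashing, which is the only way a "not case sensitive" login can coexist with hashing and which costs keyspace. The password values are constructed for the demo; openssl with `passwd -6` (OpenSSL 1.1.1 or later) and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl(1) >= 1.1.1 for
# `openssl passwd -6` (salted SHA-512-crypt) and a POSIX sh.
set -eu

# hash_pw PASSWORD: salted $6$ record with a fresh 16-character salt.
hash_pw() {
  salt="$(openssl rand -base64 12 | tr '+/' '..')"
  openssl passwd -6 -salt "$salt" "$1"
}

# verify_pw PASSWORD RECORD: recompute with the salt stored in the record
# ($6$<salt>$<hash>) and compare. Exit 0 on match, 1 otherwise.
verify_pw() {
  salt="$(printf '%s' "$2" | cut -d'$' -f3)"
  [ "$(openssl passwd -6 -salt "$salt" "$1")" = "$2" ]
}

# Legacy "case-insensitive" mode: a hash of "CorrectHorse" tells you nothing
# about "correcthorse", so the only way to accept any capitalisation against a
# stored hash is to fold the case BEFORE hashing. That shrinks the space an
# attacker has to search and is shown here for comparison, not recommended.
fold() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
hash_pw_ci()   { hash_pw   "$(fold "$1")"; }
verify_pw_ci() { verify_pw "$(fold "$1")" "$2"; }

# Constructed demo values.
REC="$(hash_pw 'CorrectHorse')"
verify_pw 'CorrectHorse' "$REC" && echo "exact case: accepted"
verify_pw 'correcthorse' "$REC" || echo "other case: rejected (as it should be)"

REC_CI="$(hash_pw_ci 'CorrectHorse')"
verify_pw_ci 'CORRECTHORSE' "$REC_CI" && echo "folded store: any case accepted"
```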
Yeah, that’s also fair. I have a tendency to overcomplicate things like this when all I wanted was a simple service.
Fair enough.
But personally I would recommend trying to set up WireGuard if your router doesn’t have it integrated. It’s just so much faster than OpenVPN (usually the only built-in option).
Moving to another port isn’t a bad idea though. It gives you cleaner logs which is nice.
You don’t have to host the VPN on the router. You can also host it on a separate machine or the same one that’s running the Minecraft server.
Well, you do you. But I doubt anyone would hire you. 🤷
If you don’t think your salary is enough you should consider switching employer.
If you never document your shit I’m surprised you don’t get fired.
You are paid to benefit the company though. It’s literally your job.
That’s illegal though.