
Reduce need for checked-in keys in repo

Open jsha opened this issue 1 year ago • 2 comments

We have some keys that we check in to the repo for test purposes. Since it occasionally happens that someone grabs one of those keys and tries to use it for real(!) we'd like to use fewer of them, and in particular avoid producing new ones (since the existing ones are blocked already).

Specifically for test/grpc-creds/ and test/redis-tls we have a couple of options:

  • Modify minica to support reusing the same key for all end-entity certificates
  • Modify minica to make ecdsa keys (so it's faster) and generate keys and certs on demand like we do with the issuance hierarchy

jsha avatar Dec 08 '23 17:12 jsha
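The two options above, a single key shared by every end-entity certificate and ECDSA keys plus certificates generated on demand the way the issuance hierarchy already is, worked through as an added Go example. This is not code from Boulder or from minica; the `TestHierarchy` type, its methods and the `.test` hostnames are assumptions made for illustration. Everything stays in memory, so no key ever lands in the repository and there is nothing for anyone to "use for real".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestHierarchy is an in-memory P-256 root plus the end-entity certs issued
// under it (hypothetical type, not part of Boulder or minica).
type TestHierarchy struct {
	RootKey  *ecdsa.PrivateKey
	Root     *x509.Certificate
	Leaves   map[string]*x509.Certificate
	LeafKeys map[string]*ecdsa.PrivateKey
}

// newKey makes a fresh P-256 key; cheap enough to do per test run.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// randomSerial returns a random 128-bit serial so no two runs collide.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewTestHierarchy builds a short-lived root and one leaf per DNS name.
// With reuseLeafKey=true every leaf shares one key (first option in the
// issue); otherwise each leaf gets its own key (second option).
func NewTestHierarchy(names []string, reuseLeafKey bool) (*TestHierarchy, error) {
	now := time.Now()
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "on-demand test root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour), // short-lived: nothing to revoke later
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	h := &TestHierarchy{RootKey: rootKey, Root: root,
		Leaves: map[string]*x509.Certificate{}, LeafKeys: map[string]*ecdsa.PrivateKey{}}

	var shared *ecdsa.PrivateKey
	if reuseLeafKey {
		if shared, err = newKey(); err != nil {
			return nil, err
		}
	}
	for _, name := range names {
		key := shared
		if !reuseLeafKey {
			if key, err = newKey(); err != nil {
				return nil, err
			}
		}
		if serial, err = randomSerial(); err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: serial,
			Subject:      pkix.Name{CommonName: name},
			DNSNames:     []string{name},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
		if err != nil {
			return nil, err
		}
		leaf, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		h.Leaves[name], h.LeafKeys[name] = leaf, key
	}
	return h, nil
}

// Verify checks that the leaf for name chains to the root as a server cert.
func (h *TestHierarchy) Verify(name string) error {
	leaf, ok := h.Leaves[name]
	if !ok {
		return fmt.Errorf("no leaf issued for %q", name)
	}
	pool := x509.NewCertPool()
	pool.AddCert(h.Root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: name, Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	// Constructed hostnames, not the real Boulder service names.
	h, err := NewTestHierarchy([]string{"grpc-a.test", "redis.test"}, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("grpc-a.test verifies:", h.Verify("grpc-a.test") == nil)
}
```

The generated keys and certificates exist only for the lifetime of the process, which is what makes the "someone grabbed a test key" problem go away: there is no artifact to grab. Because the root is regenerated each run, any client or server under test has to be handed `h.Root` (or its DER) at startup rather than reading a fixed file.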

There's this PR that will fix the second bullet point.

pgporada avatar Dec 08 '23 17:12 pgporada

That PR is only for roots; we'd need some additional work for end-entity certificates.

jsha avatar Dec 08 '23 18:12 jsha

Subsumed by https://github.com/letsencrypt/boulder/issues/7476

aarongable avatar May 15 '24 22:05 aarongable