rolling expired certs
This wasn’t the post I intended to write today, but then I noticed that the certificate for www.tedunangst.com had expired, and repairing that became a prerequisite for getting anything else done. At the time, my first snarky thought upon discovering Firefox wouldn’t let me connect to my site anymore was “Oh, hurray, don’t I feel safe.” Then I went through the update nonsense and thought a bit more seriously about it.
My cert expired after a year because that seems to be the thing to do. I imagine there’s some nebulous threat model where somebody stole my server key and has been impersonating me for the past six months, but now they can’t. Although, if they stole the old key, they can probably steal the new key. I suppose we do this because revocation doesn’t work, but a six month half life is a long time to sit exposed.
Upon discovering the cert was expired, I had to make a new one. This involves running a bunch of arcane openssl commands, typing in a bunch of passwords, and answering a bunch of senseless questions. Does anybody really care what city my certificate is being issued for? (I can only imagine the awesome that would result from a browser refusing a connection because the certificate was issued to a startup in San Francisco but the server is hosted somewhere in Oregon.) Because I am oh so security conscious, I keep my CA key password protected and on a system I don’t regularly log in to. Wouldn’t want anybody to steal that key.
Except the mere act of accessing that key today and installing the new cert substantially increased my window of exposure. Perhaps, unbeknownst to me, somebody in the past stole my CA key. It was useless to them without the password; but now, today, I finally entered that password. Now not only is my web server cert compromised, but all the other (few) services signed with that CA key are as well. Oh, hurray, don’t I feel safe.
I could of course put the secret key into some HSM, but I’m not ready for that level of frustration yet. Nor does it really matter. In the window of exposure where I was signing my new cert, what I was inevitably exposing was my signing capability. Even without access to the key’s bits, Mr. sneaky pants attacker could have signed any number of other certificates. Unless I went full air gap, and I’m really not ready for that level of frustration.
In the final analysis, expiring and rolling a new cert traded one nebulous threat for another, probably worse, nebulous threat. Rigidly following best practices is too much bother, so I took some shortcuts, when not even attempting to play the game may have been the better move. To that end, the new cert is good for 1200 days instead of a single year, so now I’ll have a luxurious 600 days to regret my decision when it all goes sideways.