by HiHelloBolke
2878 days ago
One way we reduce the risk of CA key compromise is to use intermediaries for signing most of our stuff. Our implementation has Vault that's using intermediate certs to sign users' SSH keys; these SSH certs are short-lived and we use them for signing in to ephemeral app hosts. One day we had a bit of time skew because of bad ntpd, and lo, we couldn't log in because of our short-lived certs :-)