by duskwuff 2247 days ago
> The technology side is super easy if you know what you are doing.

There are some nontrivial technical aspects which will be required if you want any certificate stores (browsers, operating systems, etc) to take you seriously.

Running `openssl ca` a few times won't cut it. You'll need an honest-to-god HSM to store your root keys in, a witnessed procedure for generating those keys, and some ironclad policies on access to those keys. This isn't something you can half-ass and fix later; if there's any doubt about who might have access to the root keys, the CA will never be trusted.