Hello Andreas
On 13.05.2021 13:05, Andreas Fink wrote:
> Jeroen Massar wrote on 13.05.21 10:46:
> > On 2021-05-13 11:29, Andreas Fink wrote:
> > > Hello all,
> > > I need to get some SSL certificates for some African country operations and I can unfortunately not use Let's Encrypt for this.
> > Any reason? What are your requirements?
> The mail server I use does not support ACME setup. I can only do old-style SSL certificate requests. For the web server it's not an issue though.
I am using LEGO [1] for ACME with DNS, so none of the servers need to support ACME. I am using it with my own dedicated dynamic sub-zone through RFC2136, but there is also a large selection of DNS providers to choose from (if the domains are hosted there). From the FreeBSD Ports [2] I got lego.sh (which I had to modify a little bit for DNS), which does weekly checks through periodic. For the also-needed deploy.sh I wrote my own, which copies the new certificates into a timestamped directory and sends me an email with instructions on how to run a third script that does all the distribution for that certain certificate: it copies (scp) the new certificates to the systems / services that need them and also restarts services. Something I did not want to do unattended.

[1] https://github.com/go-acme/lego
[2] https://cgit.freebsd.org/ports/tree/security/lego
> > Would ZeroSSL (https://zerossl.com) who also do ACME work?
> No. ACME is the issue. And ZeroSSL is hosted in the US on Cloudflare with a Cloudflare SSL certificate. So by definition not DSGVO-conformant, as the NSA could theoretically infiltrate Cloudflare to infiltrate all my certs etc. etc. It might be far-fetched, but since Snowden we know that many things we considered far, far, far-fetched are not anymore.
As Jeroen already mentioned, the private key of the certificate is always in your own possession, if you are doing it right. At least a long time ago the already-mentioned domestic CA did create a private key for you if you did not supply a CSR (certificate signing request) during the process; this may have changed. LEGO (or probably any other ACME client) does create a local private key and CSR on your own system. Then only the CSR is sent to the CA, and the CA will sign this with their private key and return the certificate back to you. If the certificate does not match the key, it will not work, and clients will report an error as they are unable to decrypt the content which was encrypted with your private key.

So in general I do not see any problems regarding GDPR with using any CA (even in the US). But there are more things which could be done to get better privacy for the users visiting your sites. As browsers currently do OCSP (Online Certificate Status Protocol) requests back to the issuing CA on each visit to your site, you should also look into implementing OCSP Stapling. Your site will regularly fetch these OCSP answers (they are valid for quite a while) from the CA, and then return them to the client browser on first visit.

PS: Also consider setting CAA entries in DNS to only allow your chosen CA to create certificates for you.
Best regards, Fabian
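The key/CSR flow Fabian describes above, as an added example (not from the thread and not lego's own code) using only the Go standard library: the private key and CSR are created locally, a constructed stand-in CA signs only the CSR, and the returned certificate is checked against the local key before deployment. The host name and CA name are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKeyAndCSR mirrors what an ACME client such as lego does locally: the private
// key is generated on your own system and only the CSR (DER bytes) leaves the machine.
func NewKeyAndCSR(host string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// IssueFromCSR stands in for the CA: it verifies the CSR's self-signature, then signs a
// certificate for the CSR's public key with the CA key. The CA is a constructed stand-in.
func IssueFromCSR(csrDER []byte, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proves the requester holds the key
		return nil, err
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test CA"}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// KeyMatchesCert: the returned certificate's public key must belong to the local private key.
func KeyMatchesCert(key *ecdsa.PrivateKey, cert *x509.Certificate) bool {
	return key.PublicKey.Equal(cert.PublicKey)
}
```

A deploy script would run the equivalent of KeyMatchesCert before copying a new certificate to a service; a mismatch means the wrong key file or the wrong certificate was picked up.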