
I am creating a self-hosted CA for my internal home network as a hobby project and to learn something new. I'm using Smallstep's open-source step-ca and step CLI.

After creating the CA, the next step is to, of course, get the root_ca.crt onto my devices that will be interfacing with it. Smallstep documentation provides two methods of doing so (bolding is mine)

If you are using your certificate authority for TLS in production, explicitly configuring your ACME client to only trust your root certificate is a better option. You will see how this method works with an example below. You can find several other examples here.

If you are simulating Let’s Encrypt in pre-production, installing your root certificate is a more realistic simulation of production. Once your root certificate is installed, no additional client configuration is necessary.

I find these two paragraphs a little at odds with each other. The first option is "better" but the second is "more realistic".

Why is configuring the ACME client to only trust my root certificate the better option?

Example using certbot: sudo REQUESTS_CA_BUNDLE=<path to root certificate> certbot certonly -d <domain> --server <URL of my CA>

1 Answer

The page also states

Most ACME clients connect to Let’s Encrypt’s CA by default.

Configuring the ACME client to trust your root certificate, and your root certificate only, provides some extra guarantees. If your root CA's private key is secure, the request will fail if the server is compromised and using a certificate from a different CA.

  • Thank you for the reply. Would you mind elaborating a little further? I read the same thing in the documentation that "Most ACME clients connect to Let's Encrypt's CA by default" but I am lacking some subtext to this. I don't understand how the default CA is relevant in this case since I am using my own CA and specify this using the --server <my CA URL> flag.
    – Iceape
    Commented Jun 1, 2022 at 7:22
  • And I understand that the two main choices are to tell certbot to trust ONLY my private CA's root certificate OR to put my root certificate in the OS's certificate store and let certbot find it there. If I follow what you are saying, in the case of the latter, there's a possibility a bad actor could insert their own CA certificate with malicious intent and certbot could use it, allowing them to perform a MITM attack on my servers?
    – Iceape
    Commented Jun 1, 2022 at 7:26
  • @Iceape > in the case of the latter, there's a possibility a bad actor could insert their own CA certificate with malicious intent and certbot could use it, allowing them to perform a MITM attack on my servers? This is exactly the contingency that we prevent by explicitly specifying the trusted CA. Commented Jun 2, 2022 at 8:26
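The difference the answer and comments describe can be shown directly with Go's standard crypto/x509 package, which is the same chain-building logic a Go TLS client (and step-ca itself, being written in Go) runs when it connects to a server. The program below is an added example and is not code from the original post, from Smallstep, or from certbot. It builds two throw-away CAs in memory (a "Home Root CA" standing in for root_ca.crt, and a "Rogue CA" standing in for a certificate an attacker managed to get into the OS trust store), has each issue a server certificate for the made-up host ca.home.example, and then checks both certificates against two trust configurations: a pool pinned to the home root only (what REQUESTS_CA_BUNDLE does for certbot) and a pool that models an OS store containing the home root plus the rogue CA. All names, hosts and keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCA builds a throw-away self-signed root CA in memory (constructed for
// this demo; nothing is read from disk).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf has the given CA sign a server certificate for host.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return leaf
}

// accepts reports whether a client trusting exactly the roots in pool would
// accept leaf for host; this is the chain check a TLS client performs.
func accepts(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Result records which server certificate each trust configuration accepted.
type Result struct {
	PinnedAcceptsGenuine bool
	PinnedAcceptsRogue   bool
	StoreAcceptsGenuine  bool
	StoreAcceptsRogue    bool
}

// RunScenario compares a client pinned to the home root against a client
// that trusts an OS store into which an attacker inserted their own CA.
func RunScenario(host string) Result {
	myRoot, myKey := makeCA("Home Root CA") // stands in for root_ca.crt
	rogueRoot, rogueKey := makeCA("Rogue CA")
	genuine := issueLeaf(myRoot, myKey, host)
	rogue := issueLeaf(rogueRoot, rogueKey, host) // attacker's MITM certificate

	// Option 1: trust root_ca.crt and nothing else (REQUESTS_CA_BUNDLE).
	pinned := x509.NewCertPool()
	pinned.AddCert(myRoot)

	// Option 2: the OS trust store, now holding the rogue CA as well.
	store := x509.NewCertPool()
	store.AddCert(myRoot)
	store.AddCert(rogueRoot)

	return Result{
		PinnedAcceptsGenuine: accepts(genuine, pinned, host),
		PinnedAcceptsRogue:   accepts(rogue, pinned, host),
		StoreAcceptsGenuine:  accepts(genuine, store, host),
		StoreAcceptsRogue:    accepts(rogue, store, host),
	}
}

func main() {
	r := RunScenario("ca.home.example")
	fmt.Printf("pinned root only:    genuine=%v rogue=%v\n", r.PinnedAcceptsGenuine, r.PinnedAcceptsRogue)
	fmt.Printf("OS store + rogue CA: genuine=%v rogue=%v\n", r.StoreAcceptsGenuine, r.StoreAcceptsRogue)
}
```

Both configurations accept the genuine certificate, so the "realistic" option works day to day; the difference only shows up when something goes wrong. The pinned pool rejects the rogue certificate no matter what else is in the OS store, whereas the store-based client accepts it, which is the MITM case the comments discuss. Note that pinning only protects the ACME client's connection to the CA; it says nothing about the other software on the machine, which still consults the OS store.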
