Chris's Wiki :: blog/sysadmin/LetsEncryptDurationGood Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/LetsEncryptDurationGood?atomcomments
DWiki
2018-03-16T15:42:36Z
Recent comments in Chris's Wiki :: blog/sysadmin/LetsEncryptDurationGood.

By Twirrim on /blog/sysadmin/LetsEncryptDurationGood
tag:CSpace:blog/sysadmin/LetsEncryptDurationGood:dad81de74efd50cdd4f7dc754bcec024e80ce678
Twirrim
<div class="wikitext"><p>Along similar lines, one thing I've been arguing for for a while at various places I've worked has been to make infrastructure patching for teams a weekly requirement, instead of monthly. It's not that I'm particularly interested in a weekly cadence, it's just that that passes an inflection point with management and ops staff. It goes from an inconvenient, maybe partially automated monthly chore to "We must fully automate it!".</p>
<p>That then gets teams to a position where patching should be able to happen at the drop of a hat, should, say, another Heartbleed or Shellshock happen.</p>
<p>Side note: One place I worked, I carefully wrote notes about every place I had to replace the wildcard SSL certificate, and how to do it. I missed some and updated the docs when they were discovered. Two years later, new renewal happened and half my instructions no longer applied, some of what I had was now incorrect due to upgrades, and I had a half dozen other places I now needed to update the certificate.</p>
</div>
2018-03-16T15:42:36Z

By Chris Siebenmann on /blog/sysadmin/LetsEncryptDurationGood
tag:CSpace:blog/sysadmin/LetsEncryptDurationGood:3d07d764dfbede247f30aa63c21296f7a3c372a8
Chris Siebenmann
<div class="wikitext"><p><a href="https://isea.utoronto.ca/services/pki-certificates/">The university's current version</a> is provided
through Comodo. I haven't dug into the details of what would be possible,
because by the time it became readily available to us we'd already started
shifting towards Let's Encrypt.</p>
<p>(<a href="https://support.cs.toronto.edu/">We</a>'ve gone through a number of
CAs over the years, partly because <a href="https://utcc.utoronto.ca/~cks/space/blog/web/SSLCAFailure">stuff has happened to some of them</a>.)</p>
</div>
2018-03-14T12:28:28Z

From 193.219.181.219 on /blog/sysadmin/LetsEncryptDurationGood
tag:CSpace:blog/sysadmin/LetsEncryptDurationGood:c052dea47295b5e3e390ed29f4d86a38f545408b
From 193.219.181.219
<div class="wikitext"><blockquote><p>Right now they're managed through a website and our university-wide authentication system</p>
</blockquote>
<p>Is it perhaps the DigiCert service? We've been using that for our university (especially for the free EV). They do have a "CertCentral API" which could be used for automation just as ACME is, although I still haven't gotten around to finishing writing the client tools <em>cough</em></p>
</div>
2018-03-14T07:02:12Z