Void operates a private certificate authority based on Cloudflare's cfssl tool. The configuration data for this CA lives in the
directory of the infrastructure repo.
The certificates can be generated using the
They should be copied to the appropriate location in the ansible/secret directory after being generated. Once copied, use bin/shred.sh in the CA/ directory to clean up.
When the option exists to obtain a certificate dynamically from Let's Encrypt, this option should be used. Additionally, any time a certificate will be visible to an end user, that certificate must have a valid trust root. Since Void's CA isn't trusted by anything automatically, user-facing certificates MUST be issued by an external CA.
Void's CA should be used for infrastructure needs that require certificates for authentication, or long-lived certificates for channel integrity. Void Operations should be consulted before adding any new certificate configurations or adjusting the CA configuration.