Hello everyone,

We are one of the largest universities in Germany, and we have started discussing whether it would be possible to move a lot of our public certificates to Let’s Encrypt.
This would be roughly 700 (sub)domains that would have to be managed.

Now the real question: how would someone delegate the public/private key pair needed for operations with Let’s Encrypt?
Is there a scenario where I derive keys from a “master key” or something like that? Or would I pass the key to everyone who needs access to it? Or would I set up a machine where only “certificate managers” would have access?

Is there a recommended way to delegate the work to a team or something?

Thanks for any advice and information on the topic :)


It’s not quite clear what you mean by “delegation” in this case. What exactly should the person in question be able, and not be able, to do?

Additionally, it is not only about keys: if someone is to be issuing or revoking certificates for a particular domain or group of domains, you need a system in place that lets you control and separate access rights to any means of verification for those domains (access to the file system for HTTP verification, access to DNS records for DNS verification, etc.).
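As an added illustration of that last point (this is example code written for this thread, not something the poster, the replier or Let’s Encrypt provides): the script below builds the HTTP-01 and DNS-01 challenge responses from the ACME account key the way RFC 8555 specifies them, and gates the placement of a DNS-01 record on a per-team delegation table. The account JWK, the challenge token and the team-to-zone table are all constructed placeholders. Only the public side of the account key (its RFC 7638 thumbprint) is modelled; signing the ACME requests with the private account key, and the actual DNS or web-root write, are outside the example.

```python
"""Added example: what each ACME validation method needs, and where delegation
is enforced. Not code from the thread. Account key, token and the
team -> zone table are constructed placeholders."""
import base64
import hashlib
import json

# Constructed ACME account public key as a JWK (placeholder coordinates, not a real key).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

# Constructed delegation table: which team may answer challenges for which zones.
TEAM_ZONES = {
    "webteam": ("www.example.edu", "example.edu"),
    "library": ("lib.example.edu",),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members, lexicographically sorted,
    serialized with no whitespace. Needs only the *public* key."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """HTTP-01: the path under the web root and the exact body the CA fetches.
    Whoever answers this needs write access to that directory on the web server."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """DNS-01: TXT name and value, base64url(SHA-256(key authorization)).
    Whoever answers this needs write access to _acme-challenge.<domain> in DNS."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def team_may_validate(team: str, domain: str) -> bool:
    """A team may answer a challenge only for a name equal to, or under, a zone
    delegated to it. The '.' prefix stops 'notexample.edu' matching 'example.edu'."""
    return any(domain == z or domain.endswith("." + z) for z in TEAM_ZONES.get(team, ()))


def publish_dns01(team: str, domain: str, token: str, jwk: dict) -> dict:
    """Enforce the delegation before the record is handed to the DNS updater.
    Returns the record that would be written; raises if the team is not delegated."""
    if not team_may_validate(team, domain):
        raise PermissionError(f"{team} is not delegated {domain}")
    name, value = dns01_record(domain, token, jwk)
    return {"name": name, "type": "TXT", "value": value}


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    print(http01_response(token, ACCOUNT_JWK))
    print(publish_dns01("webteam", "www.example.edu", token, ACCOUNT_JWK))
```

The point the example makes concrete: the value every team would need from the account key is its public thumbprint, so nothing in the validation step itself forces you to hand the private account key around; what has to be scoped per team is the write access to the web root or the DNS zone, which is exactly the access-control system the reply above describes.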


