While my team manages hundreds of thousands of private certificates for other purposes, our current SSL certificate service is not great. It was recently inherited from another group and is basically:
- Subscribers read some documentation and follow steps to generate a CSR
- Subscribers then fill out an online request form and paste that CSR into it
- My team reviews the request manually. Our current “Domain Validation” process is to check that the subscriber’s billing code matches the related billing code in the company’s DNS system.
- My team then submits the request to the appropriate CA and issues a certificate.
- We email the certificate back to the subscriber along with documentation on how to install and configure it.
- The subscribers ignore the documentation, frequently configure TLS incorrectly, and often come back to us for support.
We see two classes of SSL certificate subscribers in our company:
- Those that run on permanent servers (conventional platforms) and need a tool to manage certs
- Those that live on ephemeral servers (cloud platforms) and would prefer to call a straight API to get a cert
The first group of subscribers is currently our most common. The sheer number of manual steps and the amount of support costs involved are what make automated solutions like Boulder so attractive. Subscribers would use ACME-compatible clients and point them to our own Boulder instances. As I understand it, we need all that Boulder goodness on top of cfssl to make the validation, enrollment, configuration and renewal automation work. Is that right?
The http-01 and tls-sni-01 Domain Validation processes you implemented in Boulder are light years better than our current process. I don’t see any tools in our company that could help us do validation better. We are one company, but we are composed of hundreds of different groups of systems and people.
Today we make the second group of subscribers follow the same manual process as everyone else. It is for this group that I see a solution like cfssl fitting. We can put its API behind our API Gateway and let the latter handle authentication and authorization.
Thanks for your time
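The http-01 validation the post refers to is worth seeing end to end, since it is what replaces the manual billing-code check. The following is an added illustration, not code from the post, from Boulder or from cfssl. It works through what an ACME client must serve and what the CA checks (RFC 8555 section 8.3 with the RFC 7638 key thumbprint), using a constructed account JWK whose modulus is a labelled placeholder, a constructed challenge token, and a dictionary standing in for the subscriber's web root and the CA's HTTP fetch. It also shows the one input check a challenge responder needs: the token must be base64url before it is used to build a path.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Callable, Dict, Optional

# Constructed sample ACME account key (public JWK). The modulus is a labelled
# placeholder, not a real key: only its exact bytes matter for the thumbprint.
ACCOUNT_JWK: Dict[str, str] = {"kty": "RSA", "n": "placeholder-modulus-not-a-real-key", "e": "AQAB"}

# Constructed challenge token, in the form the CA sends in an http-01 challenge.
CHALLENGE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 8555 section 8.3: tokens are base64url with no padding. Rejecting anything
# else before the token is used to build a path keeps a challenge responder from
# being steered at arbitrary files.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    member names in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def check_token(token: str) -> str:
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url")
    return token


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """The value the client must serve: token '.' thumbprint(account key)."""
    return f"{check_token(token)}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{check_token(token)}"


# --- client side: stand-in for the subscriber's web server -----------------
def provision_challenge(web_root: Dict[str, str], token: str, account_jwk: Dict[str, str]) -> None:
    web_root[challenge_path(token)] = key_authorization(token, account_jwk)


# --- CA side: what the validator does over plain HTTP on port 80 ------------
def validate_http01(fetch: Callable[[str], Optional[str]], token: str,
                    account_jwk: Dict[str, str]) -> bool:
    """`fetch(path)` stands in for the CA's HTTP GET against the domain.
    The body is compared with the expected key authorization in constant time;
    a wrong account key, a missing file or a malformed token all fail."""
    expected = key_authorization(token, account_jwk)
    body = fetch(challenge_path(token))
    if body is None:
        return False
    return hmac.compare_digest(body.strip().encode("ascii", "replace"), expected.encode("ascii"))


def demo() -> bool:
    web_root: Dict[str, str] = {}  # constructed stand-in for the subscriber's web root
    provision_challenge(web_root, CHALLENGE_TOKEN, ACCOUNT_JWK)
    return validate_http01(web_root.get, CHALLENGE_TOKEN, ACCOUNT_JWK)


if __name__ == "__main__":
    print("http-01 validation:", "passed" if demo() else "failed")
```

The point for an internal deployment is that the proof of control is bound to the account key the subscriber registered with: a second team that can reach port 80 on the same name but holds a different account key serves a different key authorization and fails validation, which is the property the manual billing-code lookup was approximating.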