Hacker News | wejn's comments

Svalboard is the next generation Datahand.

In other words, a keyboard with zero hand movement, optical switches, and mostly QWERTY layout (or Dvorak, Colemak, if you want it).

Unlike DataHand, it’s available, hackable, and the finger positioning is more fine grained.


Why don’t you get a svalboard.com then? (It’s a commercialized next gen of lalboard)


Amazing! Me not looking for a keyboard in the last four months is the only reason why.


Yup. Been running my own for past two decades, still works.


Probably the reason it's working is because it's been running for two decades.


This isn’t strictly true.

If you want to uphold the name constraints in your CA cert, mark the field as critical. At that point clients that don’t understand them should fail validation of the CA cert.
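An added illustration of that point, not from the thread: the script below builds a throwaway root CA whose nameConstraints extension is marked critical (permitted subtree `.example.internal`), confirms the critical flag in the text dump, then issues two leaves and shows that `openssl verify` rejects the one whose DNS name falls outside the subtree. All names and paths are constructed; it assumes a working `openssl` binary.

```shell
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA config (constructed names): the permitted DNS subtree is
# .example.internal and the nameConstraints extension is marked critical,
# so a client that does not implement name constraints must reject this CA.
cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.example.internal
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/root.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# constraint_is_critical: confirm the extension really was emitted as critical.
constraint_is_critical() {
  openssl x509 -in "$WORK/root.crt" -noout -text | grep -q 'Name Constraints: critical'
}

# issue_and_verify <dns-name>: issue a 90-day leaf for <dns-name> from the root,
# then run `openssl verify` on it; prints "ok" or "rejected".
issue_and_verify() {
  name="$1"; d="$WORK/$name"; mkdir -p "$d"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$name" > "$d/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\n' "$name" > "$d/ext.cnf"
  openssl x509 -req -in "$d/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 90 -extfile "$d/ext.cnf" -out "$d/leaf.crt" 2>/dev/null
  if openssl verify -CAfile "$WORK/root.crt" "$d/leaf.crt" >/dev/null 2>&1; then
    echo ok        # name inside the permitted subtree
  else
    echo rejected  # name outside the subtree: verify fails on the name constraint
  fi
}

constraint_is_critical && echo "nameConstraints is critical"
issue_and_verify host1.example.internal   # ok
issue_and_verify rogue.example.com        # rejected
```

OpenSSL enforces constraints carried by the trust anchor itself, which is why the root's own extension is enough here; in a production setup the same extension normally goes on the intermediate that actually signs host certs.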


Thanks, I've incorporated the name constraints into the article now. (it is indeed supported by Apple and FF just fine)


Very nice!


"only" out of scope.

But based on the comments here, I guess you could use the smallstep CA with Nitrokey HSM if that's your jam...


Well, the title says: "Running one's own root Certificate Authority in 2023".

"Running a CA" is pretty much dominated by managing certificates? Including distribution and revocation - not just issuing?


Because:

1. ACME is a dumpster fire prone to mitm attacks.

2. without HSM (an additional investment) it's a super bad idea to host your root CA signing key somewhere.


This is an internal, airgapped network.

We stood up the root CA, created the certificate, imported it, then destroyed the root CA. It’s a common security practice. Root CA can then never be compromised.


If you destroy the CA, how do you issue new certs via ACME?


Sub CAs or Intermediate CA

The root CA certificate is used to establish trust in the chain of trust, but it is not directly involved in the certificate issuance process once the trust has been established.


That's really neat, thanks for the pointer. ;)


And yet, my homegrown root CA cert with 3650 days of validity hums along just fine...

[edited: but since I also want to have host certs that are on various internal servers, the short validity applies to them]


A friend of mine runs dns01 thusly: https://ipng.ch/s/articles/2023/03/24/lego-dns01.html

