
Encrypt CA key with password #2

Open
powerman opened this issue Apr 9, 2018 · 3 comments

Comments


powerman commented Apr 9, 2018

While minica is designed for local use, its CA key can still be stolen and used for a MitM attack targeted at the minica user. Please make it possible to manually control which certificates are signed using this CA by adding optional encryption of the CA key with a password.

BTW, just curious, why did you decide to use Go instead of writing a shell script that just executes openssl? Do certificates generated by minica somehow differ from openssl ones, or are there some other differences?
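As an added example (not minica's own code, and not a file format minica uses), here is what the requested protection can look like in Go with only the standard library: the CA key is stored PKCS#8-encoded inside a PEM block, sealed with AES-256-GCM under a key derived from the passphrase by PBKDF2-HMAC-SHA256. The PEM type label, the header names, the 600000-iteration work factor and the `NewCAKey`/`EncryptKeyPEM`/`DecryptKeyPEM` names are this example's own assumptions. Every signing operation then needs the passphrase, which is the manual control the request asks for; a wrong passphrase fails the GCM authentication check instead of yielding a garbage key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"strconv"
)

// Envelope parameters chosen for this example; not a standard or minica format.
const (
	pemType    = "ENCRYPTED CA PRIVATE KEY" // assumed label, bound as GCM associated data
	iterations = 600000                     // PBKDF2 work factor; raise as hardware allows
)

// NewCAKey generates a P-256 key standing in for the CA key (assumed helper).
func NewCAKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PBKDF2SHA256 implements PBKDF2 with HMAC-SHA256 as in RFC 8018, so the
// example needs nothing outside the standard library.
func PBKDF2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block) // INT(i), big-endian
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)               // U_1
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives a 256-bit AES key from the passphrase and salt.
func newGCM(passphrase, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(PBKDF2SHA256(passphrase, salt, iter, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptKeyPEM seals the PKCS#8 encoding of key under the passphrase and
// records the KDF parameters in the PEM headers (fresh salt and nonce per call).
func EncryptKeyPEM(key *ecdsa.PrivateKey, passphrase []byte) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt, iterations)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{
		Type: pemType,
		Headers: map[string]string{
			"KDF":        "PBKDF2-HMAC-SHA256",
			"Salt":       hex.EncodeToString(salt),
			"Iterations": strconv.Itoa(iterations),
			"Nonce":      hex.EncodeToString(nonce),
		},
		Bytes: gcm.Seal(nil, nonce, der, []byte(pemType)),
	}), nil
}

// DecryptKeyPEM reverses EncryptKeyPEM. Any tampering or a wrong passphrase
// fails the GCM tag check and is reported as an error.
func DecryptKeyPEM(pemData, passphrase []byte) (*ecdsa.PrivateKey, error) {
	blk, _ := pem.Decode(pemData)
	if blk == nil || blk.Type != pemType {
		return nil, errors.New("not an encrypted CA key block")
	}
	salt, err1 := hex.DecodeString(blk.Headers["Salt"])
	nonce, err2 := hex.DecodeString(blk.Headers["Nonce"])
	iter, err3 := strconv.Atoi(blk.Headers["Iterations"])
	if err1 != nil || err2 != nil || err3 != nil || iter < 1 {
		return nil, errors.New("malformed key file headers")
	}
	gcm, err := newGCM(passphrase, salt, iter)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length") // gcm.Open would panic otherwise
	}
	der, err := gcm.Open(nil, nonce, blk.Bytes, []byte(pemType))
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupted key file")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*ecdsa.PrivateKey)
	if !ok {
		return nil, errors.New("stored key is not ECDSA")
	}
	return key, nil
}
```

The iteration count lives in the file header so it can be raised later without breaking older key files, and the PEM type is passed as associated data so a block cannot be relabelled and fed to a different decoder. Because decryption fails loudly on a wrong passphrase, a signing tool that calls `DecryptKeyPEM` before each signature never silently operates with an unprotected or corrupted key.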

@logicalphase

Minica-generated key and cert won't be valid on machines other than localhost. There's virtually no risk if they made it into the wild, yes?


powerman commented Aug 3, 2018

This key can be used to attack only this one machine, yes. But this isn't the same as "no risk", at least for the owner of that machine.


logicalphase commented Aug 5, 2018

I understand. I really didn't say no risk at all. I said virtually no risk. If someone gains level access to the file system on the host storing the local project key.pem, I'd say the least of my worries would be MIM attacks. But everyone has to evaluate risk vs reward vs defense against disclosure/intrusion.

mrtvfuencxozd referenced this issue Jan 14, 2019

The parameter was not being used (i.e. even if autoCreate == false the CA would be created).