💁🏻‍♂️ Introduction

🎯 Purpose

The confirm CA service is a «certificate authority» based on the smallstep CA.

  • Certificate management
    Issues and manages SSL certificates for your environment.
  • Integration
    Easily integrate the CA into your existing environments.
  • Automation
    Thanks to extensive APIs, the CA is especially valuable for automation.
  • Credentials
    Valuable in environments where short-lived, machine-issued certificates replace static credentials.

✨ Features

The confirm CA service provides the following features:

  • Docker
    The CA is deployable in an on-premise Docker container and works out of the box.
  • Reverse proxy
    The CA is runnable behind an existing reverse proxy, such as Traefik.
  • ACME
    Automated deployment of certificates via the ACME protocol.
  • APIs
    Additional APIs are provided to automate more complex certificate workflows.
  • Templates
    Templates can be used to deploy server as well as client certificates.

See also

The CA service also fits nicely with CertBob, which can be used to automate client certificate management for employees.

🤷🏻‍♂️ Rationale

Secure communication is a critical factor in any IT infrastructure — and ours is no exception.

A wide range of solutions exist for protecting private services, for example:

  • IP address allow-/block-listing

  • VPNs, or other «secure tunnel» solutions

  • Simple authentication & authorisation

  • Key-based authentication & authorisation

  • SSL certificates

Each of these approaches comes with its own trade-offs.

After careful evaluation, we’ve decided to go with SSL certificates — specifically mTLS (mutual TLS). mTLS offers several benefits that align well with our requirements:

  1. SSL certificates are secure
    • They provide stronger protection than simple credentials such as passwords

    • Strong encryption can be enforced at the protocol level

  2. SSL certificates are personal
    • They are bound to an individual identity and not meant to be exchanged

    • No more sharing of credentials between users or systems

  3. SSL certificates are short-lived
    • They expire automatically, which is especially useful when someone leaves the company or a certificate is suspected to be compromised

    • The risk exposure is significantly lower than with «static credentials» that rarely change

  4. SSL certificates are widely accepted
    • Operating systems and a broad range of software natively understand mTLS

  5. Standard SSL connections
    • mTLS works over standard SSL/TLS connections

    • No dedicated links or VPN tunnels are required
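An added example of these properties in working code (it is not part of the original page, and not the confirm CA's or smallstep's own code): a self-contained Go program that uses only the standard library's crypto/tls and crypto/x509. A throwaway root generated in memory stands in for the CA; the server name "localhost", the client identity "alice", the ten-minute certificate lifetime and the one-hour clock move are all constructed for the demonstration. It shows what points 1, 2, 3 and 5 above mean in practice: the server accepts a fresh short-lived client certificate and reports the identity bound to it, rejects that same certificate once it has expired, and rejects a client that presents none, all over an ordinary TLS connection on a loopback port.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // constructed counter; a real CA uses large random serials

// must aborts the demonstration on any setup failure.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign gives tmpl a fresh P-256 key and has parent sign it; a nil parent makes it
// self-signed (our throwaway root, constructed here to stand in for the confirm CA).
func sign(tmpl *x509.Certificate, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	issuer, issuerKey := tmpl, any(key)
	if parent != nil {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: parsed}, err
}

// handshake runs one TLS handshake over loopback and returns the CommonName the
// server saw in the verified client certificate, or why the server refused it.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peer string
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			srv := conn.(*tls.Conn)
			if err = srv.Handshake(); err == nil {
				peer = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		defer conn.Close()
	}
	// Under TLS 1.3 the client can finish before the server has checked its
	// certificate, so the server's verdict is the one that counts.
	if e := <-srvErr; e != nil {
		err = e
	}
	if err != nil {
		return "", err
	}
	return peer, nil
}

// Outcome is the server's decision for one client scenario.
type Outcome struct{ Name, CN string; Err error }

// RunScenarios connects to one mTLS server three times: with a fresh ten-minute
// client certificate, with that same certificate once the server's clock has
// moved on an hour, and with no certificate at all.
func RunScenarios() []Outcome {
	now := time.Now()
	root := must(sign(&x509.Certificate{Subject: pkix.Name{CommonName: "Demo Root CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}, nil))
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf) // the one certificate each side must trust
	// Constructed identities: the server is matched by its DNS SAN; a client's identity is its subject.
	server := must(sign(&x509.Certificate{Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, &root))
	alice := must(sign(&x509.Certificate{Subject: pkix.Name{CommonName: "alice"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute), // short-lived
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, &root))
	clientCfg := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: certs}
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // this one setting turns TLS into mutual TLS
	later := serverCfg.Clone()
	later.Time = func() time.Time { return now.Add(time.Hour) } // same server, one hour on
	var out []Outcome
	for _, s := range []struct {
		name     string
		srv, cli *tls.Config
	}{{"fresh", serverCfg, clientCfg(alice)}, {"expired", later, clientCfg(alice)}, {"none", serverCfg, clientCfg()}} {
		cn, err := handshake(s.srv, s.cli)
		out = append(out, Outcome{Name: s.name, CN: cn, Err: err})
	}
	return out
}

func main() {
	for _, o := range RunScenarios() {
		fmt.Printf("%-8s cn=%q err=%v\n", o.Name, o.CN, o.Err)
	}
}
```

Run it with `go run`; it prints one line per scenario. On the server side, the whole of mTLS is the `ClientAuth: tls.RequireAndVerifyClientCert` setting together with the `ClientCAs` pool; `Time` is overridden on a cloned config only so that expiry can be shown without waiting ten minutes. With the confirm CA in place, the server and client certificates that `sign` produces here are what the CA issues for you, and the root certificate held in `pool` is the one artefact you distribute to servers and clients.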