colecmac at protonmail.com colecmac at protonmail.com
Thu Oct 1 22:38:37 BST 2020
- - - - - - - - - - - - - - - - - - -
For my gemini capsule's tls setup, I just used my Let's Encrypt
certificate since I already had it set up for my web site. However,
after reading deeper into server setup with gemini, I discovered that
I'm probably adding a lot of extra request overhead by using a
certificate from a CA instead of self-signed. Now my problem is that if
I change out the certificate, then people that have previously visited
my site may think it is compromised because the certificate changed and
most clients are TOFU. Should I change out the certificate or is it fine
to leave it as is?
I had the same problem for my capsule, gemini://makeworld.gq. What I didwas wait until the Let's Encrypt cert expired for a clean transition, andthen created my own small 5-year cert. See my gemlog post for details onhow to generate these:
gemini://makeworld.gq/gemlog/2020-07-06-openssl.gmi
There is also the gemcert tool:https://tildegit.org/solderpunk/gemcert
As an additional question, if I was writing a more advanced gemini
client, should I validate cert chains if they're availaible or only use
TOFU on the fingerprint and ignore chains entirely? The spec just says
to validate however you want, but what's the community's recommendation?
Only validate the certificate in the chain that applies to the host you'revisiting, ignore all the others. Most servers do not send chains anyway,as it adds needless extra bytes. But that does not mean fingerprints shouldn'tbe used, you can still take the fingerprint of the last cert in the chain.
Cheers,makeworld