This is a pretty nice guide, though it misses some steps I'd consider important. If you're making a CA for internal use today, I would highly encourage you to use Name Constraints. Name Constraints allow you to specify that your CA will only be used to sign domains you pre commit to. This means you can add your internal CA to your system trust stores on all of your corporate systems and not worry about it being abused to MITM your employees connections to the wider internet. (If that is a feature you'd like to have, I would be happy to expound further on why that's a bad idea)
I'm giving a workshop in a few weeks at Bsides Seattle[1] about this - Pick up a Yubikey and come play with PKI with me.
Given that traffic inspection for user and service proxies rely on MITM traffic inspection for many forms of IPS/IDS beyond basic SNI signature detection - I'd love to hear more!
I'm not necessarily suggesting it should be mandatory - I remember the pain of introducing Zscaler about a decade ago and the sheer number of windows apps that simply broke, leaving a trail of complex PAC files - but not enough to warrant off the solution.
I would assume the half way house would be to leave Name Constraints off your offline CA, maintain (at least) one intermediary with constraints turned on for regular certificate lifecycle management for internal certs, and a dedicated intermediary that is only used to generate the MITM certs?
This is a really neat solution, as finding a really good enterprise-y solution that meets the needs for hardware encryption, offline ca's, all that good stuff is really hard to find that doesn't suck. Active Directory Certificate Services has long been the defacto for windoze shops still, but a security nightmare, and most every 3rd party solution really isn't much better, not to mention stupidly expensive. Almost all are tailored toward replacing ADCS, but do so in hardly "good" ways.
I'm helping a customer test Yubikey HSM2's to bootstrap an enterprise PKI, this is both cheaper and better for all the normal Yubikeys, SBC, and a nice open solution to make use of them. I really wish I saw this a few months ago.
It's a shame it's 2025 and still so elusive to find good PKI solutions out there for both big and small businesses. This sort of project keeps some hope alive!
This is a pretty nice guide, though it misses some steps I'd consider important. If you're making a CA for internal use today, I would highly encourage you to use Name Constraints. Name Constraints allow you to specify that your CA will only be used to sign domains you pre commit to. This means you can add your internal CA to your system trust stores on all of your corporate systems and not worry about it being abused to MITM your employees connections to the wider internet. (If that is a feature you'd like to have, I would be happy to expound further on why that's a bad idea)
I'm giving a workshop in a few weeks at Bsides Seattle[1] about this - Pick up a Yubikey and come play with PKI with me.
[1]https://www.bsidesseattle.com/2025-schedule.html
> why that's a bad idea
Given that traffic inspection for user and service proxies rely on MITM traffic inspection for many forms of IPS/IDS beyond basic SNI signature detection - I'd love to hear more!
I'm not necessarily suggesting it should be mandatory - I remember the pain of introducing Zscaler about a decade ago and the sheer number of windows apps that simply broke, leaving a trail of complex PAC files - but not enough to warrant off the solution.
I would assume the half way house would be to leave Name Constraints off your offline CA, maintain (at least) one intermediary with constraints turned on for regular certificate lifecycle management for internal certs, and a dedicated intermediary that is only used to generate the MITM certs?
ZScaler is an absolute horror for a software developer also in charge of ops.
I found things got a lot better when the proper apis and terraform zpa/zia coverage happened
Still many foot guns, but I’ve much the same feelings for most of the tooling in the proxy/vpn space.
If the client actually supports the optional name constraint extension. Is it acceptabley widespread nowadays?
Yes, Chrome introduced support in mid 2023, and it's now well rolled out. Firefox has had support for longer.
https://issues.chromium.org/issues/40685439
Author here. I agree this is an important feature for a CA. I'll try to add it.
Just added it.
This is a really neat solution, as finding a really good enterprise-y solution that meets the needs for hardware encryption, offline ca's, all that good stuff is really hard to find that doesn't suck. Active Directory Certificate Services has long been the defacto for windoze shops still, but a security nightmare, and most every 3rd party solution really isn't much better, not to mention stupidly expensive. Almost all are tailored toward replacing ADCS, but do so in hardly "good" ways.
I'm helping a customer test Yubikey HSM2's to bootstrap an enterprise PKI, this is both cheaper and better for all the normal Yubikeys, SBC, and a nice open solution to make use of them. I really wish I saw this a few months ago.
It's a shame it's 2025 and still so elusive to find good PKI solutions out there for both big and small businesses. This sort of project keeps some hope alive!