🔐 Don't let expired certs take down your cluster!
Automate Kubernetes certificate renewal with kubeadm + cron + best practices. Zero-downtime, production-tested.
#Kubernetes #Security #Automation #PKI #DevOps
🔗 https://devopstales.github.io/kubernetes/k8s-cert-renewal/
Today I published an update on the #Canonical supported #upki project, which brings browser-grade Public Key Infrastructure to Linux through the efficient #CRLite data format, with the core revocation engine now functional and available to test!
Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.
This is all part of the effort to increase the resilience of #Ubuntu machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!
Last year, I announced that Canonical had begun supporting the development of upki, a project that will bring browser-grade Public Key Infrastructure (PKI) to Linux. Since then, development has been moving at pace thanks to the tireless work of Dirkjan and Joe. In this post, I’ll explore the progress we’ve made, how you can try an early version, and where we’re going next. Architecture & Progress As a reminder, upki’s primary goal is to provide a reliable, privacy-preserving, and efficient cer...
One of the things that I find really interesting about #privacy and #identity is that privacy is often at odds with authorization and #accountability .
It seems to me that a world of perfect privacy, meaning no identity information is even provided, let alone stored or used, even if limited to just online spaces, is fundamentally at odds with providing accountability to people.
Stuff like asymmetric cryptography can provide non-repudiation through public key-private key stuff, but that in and of itself does not provide accountability, requiring the full #PKI ecosystem to function properly, and even then accountability is not guaranteed if no identity information is used.
And that is not even accounting for privileged access and #trust
It seems incredibly hard to balance as much privacy as possible to everyday people without compromising the whole entire chain of trust and authorization that the internet and basic services needs to function
And that provides the necessary excuses that identity capitalism and authoritarian regimes would want to keep our data for nefarious uses. That has been the purpose of the internet long before it was the internet, and continue to do so after the internet as we know it has died off, probably and sadly.
If anyone knows a good resource that talks about this balance of privacy vs trust and similar, I would love to read more about it.
Most “certificate automation” stops at issuance. That’s how you renew a cert and still serve the old one.
With the CertKit agent, we can now do all three. Renew certs, deploy files, restart services, verify the correct certs run in production.
CertKit can now deploy certificates directly to your servers. The CertKit Agent is a lightweight service for Linux, Windows, and Docker that detects your software, writes certificates where they need to go, and restarts your services automatically.
Диагностика ошибки клиентов Microsoft Configuration Manager CCM_E_NO_TOKEN_AUTH
В этой статье мы обсудим диагностику и подходы к решению ошибки подключения клиентов к серверу ConfigMgr при использовании PKI. Вы узнаете: - как понять, какая именно ошибка скрывается за 403 Forbidden - где хранится информация IIS о CDP и как вручную проверить сертификат клиента - как отключить в IIS верификацию сертификатов по CRL
Как «вшить» модули в NCALayer, если штатный установщик не работает
На практике NCALayer нередко устанавливается «успешно», но без нужных модулей: ЭЦП не определяется, внешние системы не работают, а повторная установка не помогает. Разбор конфигураций, Java-параметров и логов — путь рабочий, но не всегда оправданный по времени.
https://habr.com/ru/articles/994250/
#NCALayer #ЭЦП #НУЦ_РК #PKI #Java #OSGi #системное_администрирование #электронная_подпись #Windows
🥩🥩Mr T-Bone tip!🥩🥩[New from Tech Community]
Ever wondered how to keep your root certs safe? Dive into ADCS Offline Root CA best practices! PKI legends, get in here!
#cybersecurity #PKI #MVPBuzz #Security #MicrosoftTechCommunity
👉👉 https://tip.tbone.se/sYOAt3
[AI generated, Human reviewed]
Every server managing its own certificates made sense when you had three servers. But with web farms, load balancers, and VPN appliances, you end up with rsync cron jobs distributing certs everywhere. CertBot doesn't scale. Especially at 47-day lifetimes.
Your nginx doesn't need to understand ACME. Your mail server doesn't need DNS credentials. Your VPN appliance can't even run CertBot. They just need a certificate file. CertKit handles validation centrally and lets your servers subscribe to certificates.
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
devopstales
Jon Seager
Nagô (JJ)
CertKit
Habr
Mr T-Bone
Oej
Rachel