====== The Quay Certificate Authority ======

The current versions of certificates and CRLs can be found here:

  * **CA root:** https://quay.net/pub/ca/root-q2.crt
  * **Root CRL:** https://quay.net/pub/ca/root-q2.crl
  * **Intermediate signing certificate:** https://quay.net/pub/ca/sign-s2.crt
  * **Intermediate CRL:** https://quay.net/pub/ca/sign-q2.crl

===== General comments =====

Generally speaking, [[https://letsencrypt.org/|Let's Encrypt]] is a better solution than using a self-hosted certificate authority in 2020. For most users this is what I recommend. Let's Encrypt is stable, easy to configure, and trusted in all major browsers. Its primary drawback, however, is that it can be very awkward to use with domains that are not on the public Internet.

Therefore, I run a certificate authority to sign X.509 certificates for internal use, as [[http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security|HSTS]] is implemented for the quay.net domain. The upshot of this configuration on the public domain is that, in order to access HTTP resources on my internal subdomain, I require trusted TLS certificates.

I'm in the process of deprecating this page and moving the actual configuration to a GitLab project rather than static notes. In the future this page will only contain specific information related to my local usage. The GitLab project can be found here: [[https://gitlab.com/gmobrien/quayCA|The Quay X.509 Certificate Authority]]

===== Local usage notes =====

Work in progress.