People don't talk about this enough. A CA is more than just a server or HSM, some scripts and a web UI. It's almost *all* about process and procedure, and as technical people we tend to ignore this.
Typical CA failures happen when people make mistakes. It is extremely rare that an automated process goes wrong.
As demonstrated by DigiNotar (keys left in the devices/machines).
Slightly OT: can we have a quick headcount of which client deployment tools people are using to deploy their private CA, ideally annotated with any platforms it *doesn't* support?
This would be good to now, and to document on the wiki.
Speaking of which, Alan, I know the bootstrap script is, well, for demo purposes, but it does get used rather a lot for deployments. You may eventually get a replacement for bootstrap from either myself (as proxy) or someone else who thought it was inadequate for production purposes. :-) With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.