Certificate Infrastructure

Overview

The infrastructure uses a two-tier PKI architecture separating public and internal certificate management.

Figure 1. Enterprise PKI Architecture (diagram)

Core Principle: Internal must stay internal. Public-facing services use Let’s Encrypt; all internal services use Vault PKI. Let’s Encrypt publishes every certificate it issues to public Certificate Transparency logs, so requesting a public certificate for an internal hostname would disclose that hostname to anyone.

Architecture Summary

Tier              Authority        Domain                       Use Case
Tier 1: Public    Let’s Encrypt    *.domusdigitalis.dev         Guest portals, sponsor portals, external APIs
Tier 2: Internal  HashiCorp Vault  *.inside.domusdigitalis.dev  ISE, switches, workstations, BYOD, pxGrid

Tier 1: Public Services (Let’s Encrypt)

Infrastructure

  • Certificate Manager: certmgr-01

  • DNS Provider: Cloudflare (DNS-01 challenge)

  • Key Type: ECDSA P-384

  • Renewal: Automatic via systemd timer

Managed Domains

Domain                      Purpose
guest.domusdigitalis.dev    ISE Guest Portal
sponsor.domusdigitalis.dev  ISE Sponsor Portal

Quick Commands

# Check certificate status
ssh certmgr-01 "sudo certbot certificates"

# View renewal logs
ssh certmgr-01 "sudo tail -50 /var/log/letsencrypt/letsencrypt.log"

# Dry-run renewal test
ssh certmgr-01 "sudo certbot renew --dry-run"
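The Tier 1 procedure above, as an added shell example (not the page's or certmgr-01's own tooling): a certbot run that issues a public certificate with the Cloudflare DNS-01 plugin and an ECDSA P-384 key, preceded by a tier check that refuses internal names, and followed by a check that the issued certificate actually carries a P-384 key and the expected SAN. Assumed, not from the page: the Cloudflare credentials file path, the contact address, and the name of the deploy hook script.

```shell
#!/bin/sh
# Added example: issue a Tier 1 certificate from Let's Encrypt via Cloudflare
# DNS-01 with an ECDSA P-384 key, then verify it. Not the page's own tooling.
# Assumed: certbot plus the certbot-dns-cloudflare plugin are installed, and the
# Cloudflare API token (from `dsource d000 dev/cloudflare`) has been written to
# $CF_CREDS as:  dns_cloudflare_api_token = <token>
set -eu

CF_CREDS="${CF_CREDS:-/root/.secrets/cloudflare.ini}"          # assumed path
CONTACT="${CONTACT:-pki@domusdigitalis.dev}"                    # assumed address
DEPLOY_HOOK="${DEPLOY_HOOK:-/usr/local/sbin/ise-cert-import}"   # hypothetical hook

# Tier check: "internal must stay internal". Let's Encrypt logs every issued
# certificate to public Certificate Transparency logs, so a request for an
# *.inside.* name would publish an internal hostname. Returns 0 for a Tier 1
# (public) name, 1 for a Tier 2 (internal) name, 2 for a name outside the zone.
cert_tier() {
    case "$1" in
        *.inside.domusdigitalis.dev|inside.domusdigitalis.dev) return 1 ;;
        *.domusdigitalis.dev)                                  return 0 ;;
        *)                                                     return 2 ;;
    esac
}

# Issue (or re-issue) the certificate for one FQDN. DNS-01 needs no inbound
# HTTP, so certmgr-01 can sit behind the firewall.
issue_public_cert() {
    fqdn="$1"
    if ! cert_tier "$fqdn"; then
        echo "refusing: $fqdn is not a Tier 1 (public) name; use Vault PKI" >&2
        return 1
    fi
    certbot certonly --non-interactive --agree-tos -m "$CONTACT" \
        --dns-cloudflare --dns-cloudflare-credentials "$CF_CREDS" \
        --dns-cloudflare-propagation-seconds 30 \
        --key-type ecdsa --elliptic-curve secp384r1 \
        --deploy-hook "$DEPLOY_HOOK" \
        -d "$fqdn"
}

# Post-issuance check: P-384 key, SAN present, and a 30-day expiry warning
# (renewal itself is handled by the certbot systemd timer).
verify_public_cert() {
    fqdn="$1"
    crt="/etc/letsencrypt/live/$fqdn/cert.pem"
    openssl x509 -in "$crt" -noout -text | grep -q 'NIST CURVE: P-384' \
        || { echo "$fqdn: key is not P-384" >&2; return 1; }
    openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "DNS:$fqdn" \
        || { echo "$fqdn: SAN missing" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 2592000 \
        || echo "$fqdn: expires within 30 days; check 'systemctl list-timers certbot*'" >&2
}

# Usage: ./issue-public-cert.sh guest.domusdigitalis.dev sponsor.domusdigitalis.dev
if [ "$#" -gt 0 ]; then
    for d in "$@"; do issue_public_cert "$d" && verify_public_cert "$d"; done
fi
```

The tier check is deliberately client-side and deliberately strict: a misplaced `-d` argument is the most likely way an internal name ends up in a public CT log, and nothing on the Let’s Encrypt side will stop it.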

Tier 2: Internal Services (Vault PKI)

Certificate Hierarchy

DOMUS-ROOT-CA (RSA 4096, 20 years: 2026-2046)
└── DOMUS-ISSUING-CA (RSA 4096, 5 years: 2026-2031)
    ├── Server Certificates (1 year)
    ├── Workstation Certificates (1 year)
    ├── BYOD Certificates (90 days)
    ├── pxGrid Certificates (1 year)
    └── Automation Certificates (24-72h)

Vault PKI Roles

Role              Use Case                              TTL
domus-server      ISE, Keycloak, NAS, internal servers  1 year
domus-client      Linux workstation EAP-TLS 802.1X      1 year
domus-byod        BYOD mobile device certificates       90 days
domus-pxgrid      pxGrid client authentication          1 year
domus-automation  Ephemeral automation certificates     24-72h

Quick Commands

# Load Vault credentials
dsource d000 dev/vault

# Check Vault status
netapi vault status

# Issue server certificate
netapi vault pki-issue webserver.inside.domusdigitalis.dev

# Issue workstation certificate (EAP-TLS)
netapi vault pki-issue $(hostname).inside.domusdigitalis.dev --role domus-client
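The role table and issuance commands above, as an added shell example that is not the page's netapi wrapper: it creates the five roles with `vault write`, confining each to *.inside.domusdigitalis.dev and to its TTL, prechecks a request against those same constraints, then issues a leaf certificate and verifies it against DOMUS-ROOT-CA. Assumed, not from the page: the mount path pki_int for DOMUS-ISSUING-CA, the root CA file path, and that VAULT_ADDR/VAULT_TOKEN (from `dsource d000 dev/vault`), jq and openssl are available.

```shell
#!/bin/sh
# Added example: configure the Tier 2 Vault PKI roles and issue a leaf cert.
# Not the page's own tooling. Assumed: VAULT_ADDR/VAULT_TOKEN are set,
# DOMUS-ISSUING-CA is mounted at $PKI, DOMUS-ROOT-CA is at $ROOT_CA.
set -eu

PKI="${PKI:-pki_int}"                                               # assumed mount
ROOT_CA="${ROOT_CA:-/usr/local/share/ca-certificates/DOMUS-ROOT-CA.crt}"  # assumed path
DOMAIN="inside.domusdigitalis.dev"

# Role table from the page: name, default TTL, max TTL, usage flags.
# Vault rejects an issue request whose ttl exceeds the role's max_ttl, so
# max_ttl is what actually bounds certificate lifetime.
ROLES='
domus-server     8760h 8760h server_flag=true client_flag=false
domus-client     8760h 8760h server_flag=false client_flag=true
domus-byod       2160h 2160h server_flag=false client_flag=true
domus-pxgrid     8760h 8760h server_flag=true client_flag=true
domus-automation 24h   72h   server_flag=true client_flag=true
'

# Print a role's max TTL in hours; return 1 for an unknown role.
role_max_hours() {
    while read -r name _ttl max _rest; do
        [ -n "$name" ] || continue
        if [ "$name" = "$1" ]; then echo "${max%h}"; return 0; fi
    done <<EOF
$ROLES
EOF
    return 1
}

# Client-side precheck mirroring what Vault enforces server-side: the CN must be
# under the internal domain and the TTL must not exceed the role's max_ttl.
check_request() {   # role cn ttl (hours, e.g. 8760h)
    role="$1"; cn="$2"; ttl="$3"
    case "$cn" in
        *."$DOMAIN") ;;
        *) echo "$cn is not under $DOMAIN; internal must stay internal" >&2; return 1 ;;
    esac
    max="$(role_max_hours "$role")" || { echo "unknown role $role" >&2; return 1; }
    case "$ttl" in
        *h) ;;
        *) echo "ttl must be given in hours, e.g. 72h" >&2; return 1 ;;
    esac
    [ "${ttl%h}" -le "$max" ] || { echo "$ttl exceeds max_ttl ${max}h for $role" >&2; return 1; }
}

# Create or update all roles. allowed_domains + allow_subdomains confine every
# role to *.inside.domusdigitalis.dev; allow_bare_domains=false keeps the zone
# apex unissuable. Leaf key type is left at Vault's default (RSA 2048).
configure_roles() {
    while read -r name ttl max flags; do
        [ -n "$name" ] || continue
        # $flags is intentionally unquoted so it splits into two key=value args
        vault write "$PKI/roles/$name" \
            allowed_domains="$DOMAIN" allow_subdomains=true allow_bare_domains=false \
            enforce_hostnames=true require_cn=true \
            ttl="$ttl" max_ttl="$max" $flags
    done <<EOF
$ROLES
EOF
}

# Issue a leaf, split Vault's JSON into PEM files, and verify the chain with
# only DOMUS-ROOT-CA trusted and the returned issuing CA as untrusted intermediate.
issue_cert() {   # role cn ttl outdir
    role="$1"; cn="$2"; ttl="$3"; out="$4"
    check_request "$role" "$cn" "$ttl"
    umask 077; mkdir -p "$out"
    vault write -format=json "$PKI/issue/$role" common_name="$cn" ttl="$ttl" > "$out/issue.json"
    jq -r '.data.certificate' "$out/issue.json" > "$out/cert.pem"
    jq -r '.data.private_key' "$out/issue.json" > "$out/key.pem"
    jq -r '.data.issuing_ca'  "$out/issue.json" > "$out/issuing-ca.pem"
    rm -f "$out/issue.json"   # the JSON held the private key
    openssl verify -CAfile "$ROOT_CA" -untrusted "$out/issuing-ca.pem" "$out/cert.pem"
}

# Usage: ./vault-pki.sh configure
#        ./vault-pki.sh issue domus-server webserver.inside.domusdigitalis.dev 8760h /etc/pki/webserver
case "${1:-}" in
    configure) configure_roles ;;
    issue)     issue_cert "$2" "$3" "$4" "$5" ;;
    "")        ;;   # no arguments: define functions only
    *)         echo "usage: $0 configure | issue ROLE CN TTL OUTDIR" >&2; exit 2 ;;
esac
```

The precheck duplicates Vault's own checks on purpose: a rejected request still appears in Vault's audit log, and failing locally first keeps automation (the 24-72h domus-automation role in particular) from retrying a request that can never succeed.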

Deprecated: AD CS

AD CS on home-dc01 (HOME-ISSUING-CA) is deprecated and will be decommissioned by 2026-07. All new certificates must be issued from Vault PKI.

The DC retains AD services (authentication, DNS, LDAP) but no CA role.

Secrets Integration

Certificate operations integrate with dsec:

# Public services (Tier 1)
dsource d000 dev/cloudflare   # Cloudflare API token for DNS-01

# Internal services (Tier 2)
dsource d000 dev/vault        # Vault root token and unseal keys
dsource d000 dev/network      # ISE API credentials for cert import

Comprehensive Documentation

For detailed runbooks and procedures, see domus-infra-ops:

  • PKI Strategy: domus-infra-ops:runbooks/pki-strategy.adoc

  • Vault Certificate Deployment: domus-infra-ops:runbooks/vault-cert-deployment.adoc

  • DOMUS PKI Ceremony: domus-infra-ops:runbooks/domus-pki-ceremony.adoc

  • BYOD Certificate Management: domus-infra-ops:runbooks/byod-certificate-management.adoc

  • ISE Certificate Troubleshooting: domus-infra-ops:runbooks/ise-certificate-troubleshooting.adoc