Andrew Ayer
@agwa.name
Bootstrapped founder of SSLMate (https://sslmate.com). Making SSL certificates easier and doing #WebPKI and #CertificateTransparency research on the side. Blog: https://www.agwa.name He/him
Integrating with Google Cloud is a pick 2 of 3 situation:

1. No long-lived keys
2. Easy setup
3. Safe from suspension

I'm really disappointed in Google for artificially disincentivizing the secure options. 4/4
November 3, 2025 at 2:49 PM
Alternative one is to have the customer create a service account and share a key with SSLMate - easy but less secure because long-lived keys are bad.

Alternative two is OpenID Connect, which is secure but which Google has made unnecessarily hard to set up. 3/4
November 3, 2025 at 2:49 PM
SSLMate's solution (we create a service account for each customer) is easy AND secure and worked great for 5 years until we started getting hit with suspensions. 2/4
November 3, 2025 at 2:49 PM
Reposted by Andrew Ayer
Turns out Alpine Linux has a copy of the same script from curl! I've raised an issue in their issue tracker: gitlab.alpinelinux.org/alpine/ca-ce...
ca-certificates bundle incorrectly excludes root CAs with CKA_NSS_SERVER_DISTRUST_AFTER (#6) · Issues · alpine / ca-certificates · GitLab
The build script in ca-certificates incorrectly omits CA roots with a "DistrustAfter" attribute. See this fix in curl: https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c#diff...
January 7, 2025 at 10:16 AM
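How a bundle builder should treat that attribute, as an added Python example that is not the curl or Alpine script and not part of the post (the certdata.txt excerpt is constructed and simplified, with attribute placement reduced to what the parser needs): membership in the server-auth bundle depends only on CKA_TRUST_SERVER_AUTH, and CKA_NSS_SERVER_DISTRUST_AFTER is kept as a per-leaf issuance cutoff rather than used to drop the root.

```python
import re
from datetime import datetime

# Constructed, simplified certdata.txt excerpt (not a real Mozilla record): Root A
# has a server distrust-after date, Root B has none, Root C is not trusted for TLS.
CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Root A"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\060\063\061\065\060\060\060\060\060\060\132
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Root C"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_certdata(text):
    """Merge CKO_CERTIFICATE and CKO_NSS_TRUST attributes per CKA_LABEL."""
    roots, current, lines = {}, None, iter(text.splitlines())
    for line in lines:
        if line.startswith("CKA_LABEL UTF8 "):
            current = roots.setdefault(line.split(" ", 2)[2].strip('"'), {})
        elif line.startswith("CKA_TRUST_SERVER_AUTH "):
            current["server_auth"] = line.split()[-1]
        elif line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER "):
            current["distrust_after"] = None  # CK_BBOOL CK_FALSE: no cutoff
            if line.endswith("MULTILINE_OCTAL"):  # octal-escaped "YYMMDDHHMMSSZ" (UTC)
                raw = "".join(iter(lines.__next__, "END"))
                ts = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", raw))
                current["distrust_after"] = datetime.strptime(ts.decode("ascii"), "%y%m%d%H%M%SZ")
    return roots

def bundle_roots(roots):
    """Bundle membership keys only on CKA_TRUST_SERVER_AUTH: a distrust-after date
    limits which leaves may chain to the root, so it must not drop the root itself."""
    return sorted(l for l, r in roots.items() if r.get("server_auth") == "CKT_NSS_TRUSTED_DELEGATOR")

def issued_within_trust(root, not_before):
    """Per-leaf rule the date expresses: a notBefore (ISO date, UTC) after the cutoff is distrusted."""
    cutoff = root.get("distrust_after")
    return cutoff is None or datetime.fromisoformat(not_before) <= cutoff
```

Root A stays in the bundle despite its 2024-03-15 cutoff; only leaves it issued after that date are rejected, which is a check the TLS client makes per certificate, not something the bundle can express.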