globalsign / est

An implementation of the Enrollment over Secure Transport (EST) certificate enrollment protocol
MIT License
42 stars 25 forks

Need to use server in production #37

Open alaahil opened 4 months ago

alaahil commented 4 months ago

We are considering using the server in production along with a local CA implementation. We are aware that when we start the server we get the notification not to use it in production mode. Is it possible to clarify what the risks are in doing so, in order to try to find a workaround?

toddgaunt-gs commented 4 months ago

Hey @alaahil, this implementation of EST wasn't ever written to be used in a production environment as is. The client is intended to be used with EST server implementations, however the EST server in this repository is only meant for testing/development purposes for the EST client. The server was not designed to be run as a production CA.

The warning is there to emphasize that if anyone does take this code and run it in a production environment, it is up to them to review the code and ensure that the system they are running it in is as secure as a proper CA implementation needs to be. The risks of using this code in production are that you would likely be the first to be doing so with this implementation, so any bugs or security flaws that may exist in this codebase will need to be managed and patched by your team if you discover any.

alaahil commented 4 months ago

Thank you for the very quick response. Is there any package or repository that you recommend to use on the server side?

toddgaunt-gs commented 4 months ago

If you're looking for an off-the-shelf solution, I unfortunately don't have anything to recommend. This implementation could be used as a base and hardened but as the license says :smile:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

alaahil commented 4 months ago

Alright, perhaps a good start. Is there documentation somewhere about the usage and how to use my own CAs?

toddgaunt-gs commented 4 months ago

Depends on what this is going to be used for, but openssl is a good start. I would recommend looking for advice within your company on this issue.

alaahil commented 4 months ago

I mean, is there documentation of this package's usage other than the README?

toddgaunt-gs commented 4 months ago

Other than the README and what is documented in code comments, there isn't anything else, no.

alaahil commented 4 months ago

Ok, thank you. I will bother you with one last question. Can I assume that the server is implementing [RFC7030] correctly and I worry about hardening?

toddgaunt-gs commented 4 months ago

I hope it is, but I'm not willing to provide any guarantees as I wasn't the original author :)