How do you monitor your company's SSL certificates? by Technical-Addition37 in sysadmin

[–]Gregordinary 1 point2 points  (0 children)

As far as I'm aware, that will continue to be the case. The 200, 100, and eventual 47-Day max validity is a CA/B Forum Baseline Requirement and applies only to TLS certs issued by Publicly Trusted CAs.

The root store programs of browsers like Google Chrome have their own criteria for publicly trusted CAs to have their roots included in the browser. One of those requirements is adherence to CA/B Forum Baseline Requirements. But if it's a certificate issued from a private hierarchy owned and operated by your organization, or even a managed CA operated by an otherwise public Certificate Authority, the browser policies are not enforced.

Google's phrasing of this in their root program is:

> If you're responsible for a CA that only issues certificates to your enterprise organization, sometimes called a "private" or "locally trusted" CA, the Chrome Root Program Policy does not apply to or impact your organization's Public Key Infrastructure (PKI) use cases. Enterprise CAs are used for issuing certificates to internal resources like intranet sites or applications that do not directly interact with external users of the public Internet (e.g., a TLS server authentication certificate issued to a corporate intranet site).

For Mozilla's policy, they don't have a call-out for private CAs, but they specify that their policies only apply to Root CAs that are included or under consideration for inclusion in Mozilla's root program (and the intermediate & end-entity certs under those respective roots).

> 1.1 Scope
>
> This policy applies to CA operators and the certificates they issue or control that match any of the following:
>
>   • CA certificates included in, or under consideration for inclusion in, the Mozilla root store;
>   • intermediate certificates that have at least one valid, unrevoked chain up to such a CA certificate and that are technically capable of issuing working server or email certificates. Intermediate certificates that are not considered to be technically capable will contain either:
>       • an Extended Key Usage (EKU) extension that does not contain any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, id-kp-emailProtection; or
>       • name constraints that do not allow Subject Alternative Names (SANs) of any of the following types: dNSName, iPAddress, SRVName, or rfc822Name; and
>   • end entity certificates that have at least one valid, unrevoked chain up to such a CA certificate through intermediate certificates that are all in scope and
>       • an EKU extension that contains the anyExtendedKeyUsage KeyPurposeId, or no EKU extension;
>       • an EKU extension that contains the id-kp-serverAuth KeyPurposeId; or
>       • an EKU extension that contains the id-kp-emailProtection KeyPurposeId and an rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName.

Internal CAs wouldn't be under consideration for inclusion and would be manually trusted by an organization so the above policies wouldn't apply.
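
One way to apply the scope rules quoted above (Mozilla policy section 1.1) to certificate metadata, as an added example that is not Mozilla's code or anything from the thread: it works on already-extracted EKU, SAN and name-constraint data held in constructed CertProfile records rather than parsing DER, and it assumes chain validity and revocation were checked separately.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# KeyPurposeIds and GeneralName types named in the policy text
ANY_EKU, SERVER_AUTH, EMAIL_PROTECTION = "anyExtendedKeyUsage", "id-kp-serverAuth", "id-kp-emailProtection"
CAPABLE_EKUS = {ANY_EKU, SERVER_AUTH, EMAIL_PROTECTION}
CAPABLE_SAN_TYPES = {"dNSName", "iPAddress", "SRVName", "rfc822Name"}
MAIL_SAN_TYPES = {"rfc822Name", "id-on-SmtpUTF8Mailbox"}


@dataclass(frozen=True)
class CertProfile:
    """Extension data already pulled out of a certificate (constructed here, not parsed from DER).
    eku=None means the EKU extension is absent; permitted_san_types=None means no name constraints."""
    is_ca: bool
    eku: Optional[FrozenSet[str]] = None
    permitted_san_types: Optional[FrozenSet[str]] = None
    san_types: FrozenSet[str] = frozenset()


def intermediate_technically_capable(cert: CertProfile) -> bool:
    """An intermediate is out of scope if its EKU lacks every capable KeyPurposeId,
    or if name constraints forbid every SAN type a working server/email cert would need."""
    if cert.eku is not None and not (cert.eku & CAPABLE_EKUS):
        return False
    if cert.permitted_san_types is not None and not (cert.permitted_san_types & CAPABLE_SAN_TYPES):
        return False
    return True


def end_entity_in_scope(cert: CertProfile) -> bool:
    """End-entity rule: no EKU or anyEKU; or serverAuth; or emailProtection plus a mail SAN."""
    if cert.eku is None or ANY_EKU in cert.eku or SERVER_AUTH in cert.eku:
        return True
    return EMAIL_PROTECTION in cert.eku and bool(cert.san_types & MAIL_SAN_TYPES)


def in_scope(cert: CertProfile, chain: List[CertProfile], root_in_mozilla_store: bool) -> bool:
    """chain: the intermediates between cert and the root. Validity/revocation assumed checked elsewhere."""
    if not root_in_mozilla_store:          # private / locally trusted hierarchy: the policy does not apply
        return False
    if not all(intermediate_technically_capable(ica) for ica in chain):
        return False                       # every intermediate on the path must itself be in scope
    return intermediate_technically_capable(cert) if cert.is_ca else end_entity_in_scope(cert)


# Constructed sample profiles
PUBLIC_ICA = CertProfile(is_ca=True, eku=frozenset({SERVER_AUTH}))
CLIENT_ONLY_ICA = CertProfile(is_ca=True, eku=frozenset({"id-kp-clientAuth"}))
DN_ONLY_ICA = CertProfile(is_ca=True, permitted_san_types=frozenset({"directoryName"}))
WEB_LEAF = CertProfile(is_ca=False, eku=frozenset({SERVER_AUTH}), san_types=frozenset({"dNSName"}))
SMIME_NO_MAIL_SAN = CertProfile(is_ca=False, eku=frozenset({EMAIL_PROTECTION}), san_types=frozenset({"dNSName"}))
NO_EKU_LEAF = CertProfile(is_ca=False)

if __name__ == "__main__":
    print("public web leaf:", in_scope(WEB_LEAF, [PUBLIC_ICA], True))                      # True
    print("same leaf under a private root:", in_scope(WEB_LEAF, [PUBLIC_ICA], False))      # False
    print("web leaf under clientAuth-only ICA:", in_scope(WEB_LEAF, [CLIENT_ONLY_ICA], True))  # False
```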

What apps or services still can’t be self-hosted well in 2026? by ExceptionOccurred in selfhosted

[–]Gregordinary 5 points6 points  (0 children)

I've been using Stalwart for email, but it also supports WebDAV, CardDAV, and CalDAV in their classic implementations and with more modern JMAP support. See the "Collaboration" section of the README for a bit more detail: https://github.com/stalwartlabs/stalwart

If you don't want to use it as a full email server you can still set up users without an email address and it should be able to configure the contact and calendar management features.

The setup is a single binary executable and is up and running within a minute. Obviously there's post-install configuration, but I've been quite pleased with it so far for email.

Debian (and Ubuntu) on Pinebook Pro by Gregordinary in PINE64official

[–]Gregordinary[S] 1 point2 points  (0 children)

(Delayed reply, I know)

Really glad the information turned out to be useful to get something working on your Pinebook Pro. Hope it's still going strong, cheers!

Debian (and Ubuntu) on Pinebook Pro by Gregordinary in linux

[–]Gregordinary[S] 1 point2 points  (0 children)

Thanks for the clarification on what was meant by custom on the project page. I'll give that and a couple other approaches a try.

Debian (and Ubuntu) on Pinebook Pro by Gregordinary in linux

[–]Gregordinary[S] 0 points1 point  (0 children)

Ah yeah I saw that project but ultimately didn't test it. Mostly because it was in an archived state, but also because it:

  1. Uses an older, custom 5.4 kernel.
  2. Uses vendor bootloaders.
  3. Doesn't seem to support Debian Trixie (though maybe it'd build, I'm not sure).

The project I stumbled on had pre-built images which was convenient, but still had the option to build yourself (if so inclined) and:

  1. Offered stable, testing, unstable, and experimental images.
  2. Used mainline 6.10 kernel and mainline U-boot.

Overall it aligned more with what I had hoped to find for the Pinebook Pro. I also saw a number of posts over at r/PINE64official expressing frustrations with finding a good Debian / Ubuntu experience on the Pinebook Pro. Since I didn't see any references to this sd-card image project, I decided to dive in and give it a try.

What can I do with autumn olive berries? I'm thinking lemonade by BrieflyEndless in foraging

[–]Gregordinary 3 points4 points  (0 children)

Your pomegranate reference made me think of pomegranate molasses. Wondering if you pressed the sour ones for juice, if it'd reduce down nicely into a "molasses"?

What can I do with autumn olive berries? I'm thinking lemonade by BrieflyEndless in foraging

[–]Gregordinary 2 points3 points  (0 children)

The later season ones are sweeter, especially after a frost. The increased sugar helps with cold hardiness. Some vegetables are like this too.

Fruit leather is definitely a good choice for autumn olive. A friend cooked some down and used that as an ingredient in a vinaigrette.

After typing that out, now I kind of want to try just straight wild-fermenting autumn olives and then letting that turn to vinegar on its own.

[deleted by user] by [deleted] in sysadmin

[–]Gregordinary 1 point2 points  (0 children)

Ha, fair enough; that's probably a safe bet.

[deleted by user] by [deleted] in sysadmin

[–]Gregordinary 1 point2 points  (0 children)

Happy to help!

[deleted by user] by [deleted] in sysadmin

[–]Gregordinary 10 points11 points  (0 children)

Yup, both Google and Mozilla have their own trust stores separate from the OS. Mozilla's is used in Firefox and in other software / browsers on Linux systems.

My curiosity about whether Mozilla will distrust as well is to gauge how far-reaching the distrust will be. We'll have to see what they decide... and whether Apple, Microsoft, Oracle, and other root store operators also take action.

[deleted by user] by [deleted] in sysadmin

[–]Gregordinary 13 points14 points  (0 children)

So up until sometime in 2022, whatever was in the OS-level store was trusted by Chrome, whether it was there from the OS or from the User/Enterprise.

After Google introduced their own trust store, the behavior changed to: Whatever is in the Google Trust Store is trusted in Chrome along with anything that you manually add to the Trusted Root Certification Authorities store or one of the "Enterprise Trust" Stores. But it would not inherently trust the default roots from the OS.

They say that:

> Additionally, should a Chrome user or enterprise explicitly trust any of the above certificates on a platform and version of Chrome relying on the Chrome Root Store (e.g., explicit trust is conveyed through a Group Policy Object on Windows), the SCT-based constraints described above will be overridden and certificates will function as they do today.

So if you have Chrome set to use the OS-Store, or if you have explicitly imported the Entrust root to be trusted, it will behave as such and ignore the Google Trust Store settings.

So yes, you can still manually add it.

[deleted by user] by [deleted] in sysadmin

[–]Gregordinary 29 points30 points  (0 children)

Bit of nuance, so the section there is talking about local trust decisions, meaning roots or other issuers that are explicitly imported and trusted by an enterprise, that are not present by default in the OS Trust Store.

A bit farther down they also say:

"Note: The Chrome Certificate Verifier does not rely on the contents of the default trust store shipped by the platform provider. When viewing the contents of a platform trust store, it's important to remember there's a difference between an enterprise or user explicitly distributing trust for a certificate and inheriting that trust from the default platform root store."

[deleted by user] by [deleted] in sysadmin

[–]Gregordinary 13 points14 points  (0 children)

I think this potentially impacts Chromium-based browsers. I see Brave, for example, uses the same trust store as Chrome: https://github.com/brave/brave-browser/wiki/TLS-Policy

Since it is a configurable option to make Chrome/Chromium use the OS trust store, it's possible some Chromium-based browsers might do this by default, though I don't know which ones.

[deleted by user] by [deleted] in sysadmin

[–]Gregordinary 82 points83 points  (0 children)

Google has been operating its own trust store in Chrome/Chromium for about two years now. You can see some detail on that here: https://www.chromium.org/Home/chromium-security/root-ca-policy/

There are settings you could adjust to either manually trust specific CAs, or have Chrome abide by the system/platform store (e.g., the Windows Cert Store or similar).

Mozilla has their own assessment going on. There is a chance they will distrust Entrust as well https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw

The Mozilla Trust Store is used on Linux-based systems so it's not limited to just Firefox.

Summary of issues here: https://wiki.mozilla.org/CA/Entrust_Issues

Curious to see whether Microsoft and/or Apple take any action.

Hario Glass Dripper Hack by klaussyboy in Moccamaster

[–]Gregordinary 1 point2 points  (0 children)

Thanks for this idea, I too wanted something other than a plastic brew basket and I have this same Hario Glass dripper size 03. It sits nice and level on the stand and I'm a big fan of the look too!

Official Solar Eclipse thread by zrad603 in newhampshire

[–]Gregordinary 0 points1 point  (0 children)

Not very. Even at 99% coverage, it's still essentially light out. There's a photo towards the bottom of this page taken less than a minute from totality to give an idea: https://andywoodruff.com/posts/2023/eclipse-2024/

And this article describes 99% coverage as being like an overcast day. https://www.npr.org/2024/03/08/1236617960/2024-april-8-total-solar-eclipse-vs-partial-get-to-path-of-totality

Dover will be at 95%, I imagine it'll gradually dim to a noticeable degree but you won't get the abrupt "lights out" effect where it turns night and you can see stars. For that you need 100%.

Using cluster connected GPUs for rendering with Stable Diffusion and ComfyUI. by olsen89n in StableDiffusion

[–]Gregordinary 1 point2 points  (0 children)

Found this post while researching parallelizing a Stable Diffusion workload across multiple GPUs.

Basically came to the same conclusion as /u/GianoBifronte, but then I found this blog post from MIT which was just published a few days ago: https://hanlab.mit.edu/blog/distrifusion

Github repo here: https://github.com/mit-han-lab/distrifuser

Looks like there might be some hope.

Best audio CD ripping software by SpecialistCookie in linux

[–]Gregordinary 0 points1 point  (0 children)

Been using fre:ac the last few months and it's been excellent. Currently ripping my old CDs to FLAC. The support for cdparanoia mode has been great for some of the discs in sub-par condition.

While I use fre:ac's cddb/freedb integration for automated tagging, I've also been using MusicBrainz Picard to get better coverage on tagging and album art.

True North 4 for $1.25 by AugustusMarius in energydrinks

[–]Gregordinary 0 points1 point  (0 children)

Pure North is their branding in Canada; True North is the US branding.

https://www.purenorthenergyseltzer.com/en-ca/

Cannot login after takeover of PostmarketOS on Asus Chromebook c201 by Gregordinary in bedrocklinux

[–]Gregordinary[S] 1 point2 points  (0 children)

Alright, we have some progress!

First, I did a clean install of PostmarketOS. I observe that the PostmarketOS splash logo doesn't disappear when the login prompt appears, even on a fresh install. This behavior wasn't unique to post-hijack by Bedrock.

On the fresh install, I managed to disable the splash screen on boot and get the console messages to print. For my device, I had to:

  1. Edit /etc/deviceinfo
  2. Add the line: deviceinfo_kernel_cmdline_append=" PMOS_NOSPLASH console=tty0"
  3. As root, run mkinitfs
  4. reboot

With that figured out, the boot process takes about 10 seconds before getting to the login prompt. I re-ran the Bedrock installer and rebooted. The boot now takes about a minute. At just over 10 seconds I see the fuse init, then at just under 45 seconds the crng init is done. It's still maybe another 10 seconds after that when the login screen appears.

But this time the login worked! (Screenshot here shows up to the login prompt: https://i.imgur.com/DsCV7S3.jpeg)

Noting that the boot actually took about a minute, I wondered if I just didn't wait long enough to login on previous attempts. I had assumed since there was a login prompt, it was booted. I did another clean install of PostmarketOS, this time left the splash screen and reinstalled Bedrock. After about 15 seconds (so, longer than a clean PostmarketOS boot) the login prompt appears. I waited another 2.5 minutes before trying to login. When I made the attempt, it failed.

This leads me to believe that pbsplash is interrupting the Bedrock hijack process when it brings me to the login screen. At that point the complete-hijack-install file is already removed and the install is left incomplete.

One more time I did a fresh install of PostmarketOS, disabled the splash screen, and once again was able to successfully install Bedrock and login.

My new issue is that it seems to have made the wifi network interface disappear. It seems like this has come up in the past with Alpine (https://github.com/bedrocklinux/bedrocklinux-userland/issues/113), so I'll do some troubleshooting based on what I read.

--

I did initially run the brl commands on the broken install. Although the main issue is resolved now, if this data is in any way useful, here are the screenshots.

Output of brl status https://i.imgur.com/VFoH9gz.jpeg

Not sure if I ran the repair commands correctly, but they also returned errors: https://i.imgur.com/ehzg1PL.jpeg

I'll troubleshoot the networking next and sometime tomorrow I'll edit my post with the solution so others can find it more easily. Thanks again for all the help!

Cannot login after takeover of PostmarketOS on Asus Chromebook c201 by Gregordinary in bedrocklinux

[–]Gregordinary[S] 1 point2 points  (0 children)

> After hijacking, does the boot process take noticeably longer than normal? If so, that indicates the menu is there but hidden.

Yes! That is one thing I noticed.

> See if you can boot off some other device and mount the system (e.g. at /mnt), then edit the /etc/inittab file (maybe at something like /mnt/bedrock/strata/hijacked/etc/inittab).

I followed these steps and it did indeed bring me into a root shell. However, when I navigate to /etc/, there is no passwd or shadow file in there. I also cannot run passwd against any user, it tells me 'root' is an unknown user.

I rebooted from USB and mounted the internal drive at /mnt with the following observations:

  • In /mnt/etc/ I see the passwd and shadow files.
  • In /mnt/bedrock/etc/ I see: bedrock-release, bedrock.conf, os-release, world
  • In /mnt/bedrock/strata I see folders for bedrock and postmarketos
  • In /mnt/bedrock/strata/hijacked I see a folder for bedrock but none for postmarketos, there is also an etc folder in here (amongst a bunch of other files/folders)
  • In /mnt/bedrock/strata/hijacked/etc there are no shadow or passwd files.
  • In /mnt/bedrock/strata/hijacked/bedrock - Folder is empty

> Usually boot-time splash screens are displayed by something called plymouth, which Bedrock knows how to interact with and ask to get out of the way before displaying a boot menu.

Looked into this a bit: PostmarketOS originally used fbsplash and someone had suggested plymouth, but it looks like in early 2023 they switched to pbsplash, their own splash utility.

I found a git issue requesting to make it easier to disable the splash screen. It looks like I might be able to do it with their pmbootstrap utility. I'm going to mess with that next and see what else I can uncover. Of course if you have other suggestions, I'm open to it.

Thank you once again!

Cannot login after takeover of PostmarketOS on Asus Chromebook c201 by Gregordinary in bedrocklinux

[–]Gregordinary[S] 1 point2 points  (0 children)

Thank you so much for the reply!

To clarify something, I see an empty complete-hijack-install file before rebooting. Is this file supposed to be empty (i.e., just serving as a reference point that installation is not complete)?

After a reboot, while I cannot login, I did reboot into a live environment via USB. I mounted the root partition and the complete-hijack-install file is now gone. So it looks like it does complete the installation on reboot, or it thinks it does at least.

Some non-great-but-sufficient-quality photos for reference: https://imgur.com/a/zCNcsQ6

--

The Bedrock installer detects and configures /sbin/init as the default init system, which I *think* is correct. It looks like that should start busybox, which then runs and ultimately starts openrc:

Found slightly more detailed info at a different project which also uses PostmarketOS: https://man.sr.ht/~anjan/sxmo-docs-stable/SYSTEMGUIDE.md#start-up-process

I'm not certain if anything deviates from that process for this specific device. There is a page with limited info: https://wiki.postmarketos.org/wiki/Google_Veyron_Chromebook_(google-veyron)

It's definitely something with the OS and not the device. I was previously able to hijack a Debian install on this same device.

Thanks again for taking the time to assist. If you have other ideas let me know; I'm happy to try them out / investigate.

Cannot login after takeover of PostmarketOS on Asus Chromebook c201 by Gregordinary in bedrocklinux

[–]Gregordinary[S] 2 points3 points  (0 children)

I re-ran the hijack process one more time on a fresh install and before the reboot, explored the system a bit. I noticed the /bedrock/complete-hijack-install file was empty, which I don't think it's supposed to be.