laurivosandi/certidude

Support HTTP Strict Transport Security

Closed this issue · 1 comments

Currently the insecure flag in /etc/certidude/client.conf specifies whether the CA should be contacted over HTTP or HTTPS. Instead of such static configuration, we should support HSTS.

A possible implementation on the client side would perform the first request over HTTP and, if the server redirects to HTTPS and returns HSTS headers, create a file, e.g. /var/lib/certidude/ca.example.com/secure. If such a file exists, further requests would be performed over HTTPS by default.

Fixed with b9aaec7; once the CA cert is fetched, the client always approaches the CA over HTTPS.
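
The marker-file scheme proposed in the issue, sketched as an added example (it is not certidude's code and not what b9aaec7 implements). It goes beyond the proposal by storing the `max-age` expiry inside the marker file, and it honours the header only on an HTTPS response, as RFC 6797 requires; the function names and the `state_dir` and `now` parameters are assumptions.

```python
import re
import time
from pathlib import Path
from urllib.parse import urlsplit

HOSTNAME = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")

def marker_path(state_dir, authority):
    """Marker file for an authority; reject names that are not plain hostnames."""
    authority = (authority or "").lower()
    if not HOSTNAME.fullmatch(authority):  # blocks "..", "/" and empty names
        raise ValueError("not a hostname: %r" % authority)
    return Path(state_dir) / authority / "secure"

def parse_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and re.fullmatch(r"[0-9]+", arg):
            return int(arg)
    return None

def scheme_for(state_dir, authority, now=None):
    """Scheme for the next request: https while an unexpired marker exists."""
    now = time.time() if now is None else now
    marker = marker_path(state_dir, authority)
    try:
        expires = int(marker.read_text())
    except (OSError, ValueError):  # no marker yet, or unreadable content
        return "http"
    return "https" if expires > now else "http"

def record_response(state_dir, final_url, headers, now=None):
    """Update the marker from the final (post-redirect) response."""
    now = time.time() if now is None else now
    url = urlsplit(final_url)
    marker = marker_path(state_dir, url.hostname)
    sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    max_age = parse_max_age(sts) if sts else None
    # RFC 6797: the header counts only when it was received over HTTPS.
    if url.scheme != "https" or max_age is None:
        return
    if max_age == 0:  # the server withdraws its policy
        marker.unlink(missing_ok=True)
        return
    marker.parent.mkdir(parents=True, exist_ok=True)
    marker.write_text(str(int(now) + max_age))
```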