Question about using a custom CA with TeddyCloud

Hi everyone,

I’m currently running an internal CA in my environment, with certificates already distributed to all my clients. I’m wondering if it’s technically feasible (and somewhat reasonable) to replace the TeddyCloud-provided CA with my own CA or a subordinate CA (Sub-CA).

If I understand the documentation correctly, the TeddyCloud CA is used to authenticate the Toniebox to the TeddyCloud server via client certificates. Is that accurate?

Are there any technical reasons why replacing the TeddyCloud CA with my own CA/Sub-CA wouldn’t work? Or is the primary challenge just the additional effort required for such a setup?

I understand this is a niche question and likely not necessary for most use cases. I prefer to keep my systems as secure and consistent as possible.

I’d appreciate any insights, technical details, or best practices on this topic.

Thanks in advance!

The CA is primarily used by the box to be sure it connects to the right host.
The client certificates don’t need to be under the CA, as those are only used by teddyCloud to identify the box and use the right client certificates to pass through connections to Boxine.

So it should work for you. But beware that the Boxes don’t support SNI and need a pretty outdated cipher for TLS (especially the cc3200).
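
The SNI caveat above can be checked in a local lab. This is an added example, not part of the thread and not teddyCloud code: a client that sends no SNI is always handed the server's default certificate, so a certificate issued by your own CA has to be the default one on that listener. It assumes `openssl s_server` as a stand-in TLS server; the CA, host names and port are constructed, and the box's cipher requirements are not modelled.

```shell
#!/bin/sh
# Constructed lab: CA, host names, port and certificates are all made up.
LAB=$(mktemp -d); PORT=${PORT:-18443}

mk_leaf() {  # mk_leaf <name>: key and certificate signed by the lab CA
  openssl req -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" \
    -out "$LAB/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.crt" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 1 -out "$LAB/$1.crt" 2>/dev/null
}

start_lab() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/ca.key" \
    -out "$LAB/ca.crt" -subj "/CN=Lab Internal CA" -days 1 2>/dev/null
  mk_leaf default.lab.example
  mk_leaf box.lab.example
  # -cert is the default certificate; -cert2 is served only when the
  # client sends SNI equal to the -servername value.
  openssl s_server -accept "$PORT" -www \
    -cert "$LAB/default.lab.example.crt" -key "$LAB/default.lab.example.key" \
    -servername box.lab.example \
    -cert2 "$LAB/box.lab.example.crt" -key2 "$LAB/box.lab.example.key" \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1   # give the listener time to bind
}

stop_lab() { kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$LAB"; }

# handshake <s_client options>: one TLS handshake, transcript on stdout
handshake() {
  openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$LAB/ca.crt" \
    "$@" </dev/null 2>&1
}

# Subject line of the certificate the server presented
served_subject() { handshake "$@" | grep '^subject=' | head -n 1; }

# Succeeds when the presented chain verifies against the lab CA
chain_ok() { handshake "$@" | grep -q 'Verify return code: 0 (ok)'; }

if [ "${1:-}" = demo ]; then
  start_lab
  echo "no SNI:   $(served_subject -noservername)"
  echo "with SNI: $(served_subject -servername box.lab.example)"
  stop_lab
fi
```

Run it with the argument `demo` to print both subjects; pointing `handshake -noservername` at your real listener shows which certificate a client without SNI would see.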