[MEDIUM] ACME PFX certificates exported with empty password #25

New issue

Open

opened 2026-05-05 15:44:47 -05:00 by pjennings · 0 comments

pjennings commented

2026-05-05 15:44:47 -05:00

Owner

Labels: area:security, area:network, priority:medium, type:enhancement

Description

ACME certificate generation uses --pfx.pass= (empty password) for PKCS#12 certificates in:

hosts/apps1.nix (one.dns.reinitialized.net)
hosts/apps2.nix (two.dns.reinitialized.net)
hosts/rp1.nix (all ACME certs)

Impact

Anyone who obtains the PFX file can use the private key without any password. If the file is exposed through a misconfigured service or backup, the TLS private key is compromised.

Recommended Fix

Set a strong password for PFX files, stored in the secrets management system.

**Labels:** area:security, area:network, priority:medium, type:enhancement ## Description ACME certificate generation uses --pfx.pass= (empty password) for PKCS#12 certificates in: - hosts/apps1.nix (one.dns.reinitialized.net) - hosts/apps2.nix (two.dns.reinitialized.net) - hosts/rp1.nix (all ACME certs) ## Impact Anyone who obtains the PFX file can use the private key without any password. If the file is exposed through a misconfigured service or backup, the TLS private key is compromised. ## Recommended Fix Set a strong password for PFX files, stored in the secrets management system.