Disclaimer: I work at CloudFlare, and this is the main project I’ve been working on.
Not to detract from the post (it more than delivers on the title’s promise), but it also reads as a kind of in-depth explanation of why OpenBSD is not using anything like traditional PKI. :)
We have gone off the established path somewhat, and that could be dangerous for others (hell, it could turn out to be dangerous for us!), but I also worry that even fastidious developers following this guide will cock something up. It’s not enough to do everything right, you have to do nothing wrong. The more you have to do, the harder that is.
I don’t disagree. However, this happened to be the least of all evils that worked for our environment once everything was factored in.