[ https://issues.apache.org/jira/browse/KNOX-3255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandor Molnar updated KNOX-3255:
--------------------------------
Description:
h3. Problem
The Admin API endpoint:
{noformat}
GET /knoxtopology/admin/api/v1/metadata/publicCert
{noformat}
currently returns the gateway’s public certificate chain obtained from the SSL
configuration. However, when SSL is disabled, no SSL certificate chain is
available, causing the endpoint to fail with a service unavailable response.
This behavior prevents clients from retrieving a valid public certificate in
deployments where the gateway operates without HTTPS but still uses signing
keys (e.g., for token signing).
h3. Proposed Improvement
Enhance the endpoint to return an appropriate certificate chain even when SSL
is disabled.
New behavior:
* If SSL is enabled → return the SSL public certificate chain (existing behavior)
* If SSL is disabled → return the certificate chain associated with the gateway signing key from the signing keystore
This ensures that a meaningful public certificate is always available for
clients that need to verify signatures or establish trust with the gateway.
was:
h3. Problem
The Admin API endpoint:
{{GET /knoxtopology/admin/api/v1/metadata/publicCert}}
currently returns the gateway’s public certificate chain obtained from the SSL
configuration. However, when SSL is disabled, no SSL certificate chain is
available, causing the endpoint to fail with a service unavailable response.
This behavior prevents clients from retrieving a valid public certificate in
deployments where the gateway operates without HTTPS but still uses signing
keys (e.g., for token signing).
h3. Proposed Improvement
Enhance the endpoint to return an appropriate certificate chain even when SSL
is disabled.
New behavior:
* If SSL is enabled → return the SSL public certificate chain (existing behavior)
* If SSL is disabled → return the certificate chain associated with the gateway signing key from the signing keystore
This ensures that a meaningful public certificate is always available for
clients that need to verify signatures or establish trust with the gateway.
> Return signing keystore certificate when SSL is disabled in Admin API publicCert endpoint
> -----------------------------------------------------------------------------------------
>
> Key: KNOX-3255
> URL: https://issues.apache.org/jira/browse/KNOX-3255
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major