Sandeep More created KNOX-3359:
----------------------------------
Summary: Support Single-Purpose EKU Certificates
Key: KNOX-3359
URL: https://issues.apache.org/jira/browse/KNOX-3359
Project: Apache Knox
Issue Type: New Feature
Components: Server
Reporter: Sandeep More
Assignee: Sandeep More
h1. Background
Knox currently supports a single certificate per host. This certificate carries
both the serverAuth and clientAuth Extended Key Usages (EKUs), meaning the same
key and certificate are used whether the service running on the host is acting
as a TLS server or as a client in a mutual-TLS (mTLS) handshake.
Industry standards and public CAs (like DigiCert) are sunsetting multi-use
certificates, making Knox's current requirement for dual serverAuth and
clientAuth EKUs difficult to manage.
h1. Overview
Knox will need separate keystores and truststores for client authentication and
server authentication.
# Keystores:
#* Knox to assert its identity as a server
#* Knox to assert its identity as a client (to downstream services)
# Truststores:
#* Clients asserting identity to Knox
#* Servers asserting identity to Knox
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
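As an added example, not Knox code and not part of the issue above, the following Java sketch wires the four-store arrangement the overview describes: a server-identity keystore checked out against the clientAuth truststore for the Knox listener, and a client-identity keystore checked out against the serverAuth truststore for outbound mTLS to downstream services. Before building either SSLContext it rejects any private-key entry whose leaf certificate does not carry exactly the one EKU that role needs, which is how the "single-purpose" property would be enforced at load time. The store file names, the shared password and the class name are assumptions for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical example (not Knox code): one SSLContext per TLS role, each backed by a single-purpose EKU certificate. */
public final class SinglePurposeEkuContexts {
    // id-kp-serverAuth and id-kp-clientAuth, RFC 5280 section 4.2.1.12
    static final String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
    static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";

    static KeyStore load(String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Fails unless every private-key entry's leaf certificate carries exactly the expected EKU and nothing else. */
    static void requireSinglePurposeEku(KeyStore ks, String expectedOid) throws GeneralSecurityException {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trust anchors in a keystore are not identities; skip them
            }
            Certificate leaf = ks.getCertificate(alias);
            if (!(leaf instanceof X509Certificate)) {
                throw new GeneralSecurityException("alias " + alias + ": not an X.509 certificate");
            }
            // null means the EKU extension is absent, i.e. the certificate is valid for any purpose
            List<String> ekus = ((X509Certificate) leaf).getExtendedKeyUsage();
            if (ekus == null) {
                throw new GeneralSecurityException("alias " + alias + ": no EKU extension (any purpose)");
            }
            if (ekus.size() != 1 || !ekus.contains(expectedOid)) {
                throw new GeneralSecurityException(
                        "alias " + alias + ": EKU " + ekus + " is not exactly " + expectedOid);
            }
        }
    }

    /** Builds a context that asserts the identity in {@code keys} and trusts peers chaining to {@code trust}. */
    static SSLContext build(KeyStore keys, char[] keyPassword, KeyStore trust) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // assumed password shared by all four stores
        // File names are assumptions for this example.
        KeyStore serverKeys  = load("server-identity.p12", pw); // Knox asserting identity as a server
        KeyStore clientKeys  = load("client-identity.p12", pw); // Knox asserting identity as a client downstream
        KeyStore clientTrust = load("client-trust.p12", pw);    // issuers of client certs presented to Knox
        KeyStore serverTrust = load("server-trust.p12", pw);    // issuers of downstream server certs

        requireSinglePurposeEku(serverKeys, SERVER_AUTH_OID);
        requireSinglePurposeEku(clientKeys, CLIENT_AUTH_OID);

        SSLContext listener = build(serverKeys, pw, clientTrust); // inbound: server identity, trusts clients
        SSLContext outbound = build(clientKeys, pw, serverTrust); // outbound mTLS: client identity, trusts servers
        System.out.println("listener=" + listener.getProtocol() + " outbound=" + outbound.getProtocol());
    }
}
```

The strict size-one check is deliberate: a certificate carrying both serverAuth and clientAuth is exactly the dual-use shape the issue wants to move away from, so it is rejected rather than tolerated. Relax it to a contains-check only if a transition period needs the old combined certificates to keep loading.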