István Fajth created HDDS-7393:
----------------------------------
Summary: Root CA certificate revocation
Key: HDDS-7393
URL: https://issues.apache.org/jira/browse/HDDS-7393
Project: Apache Ozone
Issue Type: Sub-task
Reporter: István Fajth
Assignee: István Fajth
Revoking the root CA certificate effectively means the system has to re-create
all certificates used internally, and with that it is a tedious process.
Prerequisite for this task is to have all the certificate rotation logic
implemented, but in case of revocation we need to do the process in an
expedited way within just a few hours tops without causing impacts to the
service.
The procedure should involve a few things:
- at start a new root CA certificate has to be created, and similarly as when
the root CA certificate is being rotated, new subordinate CA certificates have
to be created and rotated in
- as the next step all certificates in the system has to be revoked, and
renewed during the default grace period within which the certificates are
renewed after revocation
- once all the certificates are renewed, the old subordinate CA certificates
and the rootCA certificate has to be revoked as well
- once the services notice the revocation of the old rootCA certificate, the
old rootCA certificate has to be removed from the trust stores of active and to
be created connections
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
