[
https://issues.apache.org/jira/browse/HDDS-7379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
István Fajth updated HDDS-7379:
-------------------------------
Description:
On the server side, currently we serve just the certificate of the entity
itself for proving authenticity of the server side.
In order to simplify the trust store, and ensure that the RootCA certificate is
enough to be distributed for every potential client, we can provide the trust
chain of the server certificates in a certificate bundle to the connecting
clients.
This task is about ensuring that once an intermediate CA signs a certificate,
it provides its whole trust chain up until the RootCA in the certificate file
that is sent back to the certificate owner after signing its CSR.
was:
The main idea here is that every service has the code already to create a
certificate sign request (CSR) and to send it to the SCM.
In order to renew a certificate, we need a scheduled background task that will
do the creation of the new certificate, before the certificate expires.
This task has to be scheduled at startup based on the certificate's remaining
lifetime, and run some time before the certificate expires.
Once the certificate is renewed, the service has to be notified so that it can
initiate the hot swap of the certificates, and once the swap of certificates is
done, the task itself has to get back a notification or the control to remove
the old certificate material.
> Use certificate bundles instead of the sole certificate
> -------------------------------------------------------
>
> Key: HDDS-7379
> URL: https://issues.apache.org/jira/browse/HDDS-7379
> Project: Apache Ozone
> Issue Type: Improvement
> Components: Security
> Reporter: István Fajth
> Assignee: Szabolcs Gál
> Priority: Major
> Labels: pki
>
> On the server side, currently we serve just the certificate of the entity
> itself for proving authenticity of the server side.
> In order to simplify the trust store, and ensure that the RootCA certificate
> is enough to be distributed for every potential client, we can provide the
> trust chain of the server certificates in a certificate bundle to the
> connecting clients.
> This task is about ensuring that once an intermediate CA signs a
> certificate, it provides its whole trust chain up until the RootCA in the
> certificate file that is sent back to the certificate owner after signing its
> CSR.
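The trust-store effect described in the issue, as an added example that is not part of the original message and is not Apache Ozone code: it uses the `openssl` CLI to build a throwaway root, intermediate and service certificate, then verifies the service certificate with only the root trusted, first as a sole certificate and then with the bundle. All subject names, file names and the `build_pki`, `verify_sole` and `verify_bundle` helpers are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: throwaway three-level PKI, constructed for illustration only.
set -eu

build_pki() {   # $1 = empty working directory
  local d="$1"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate clients are given in advance.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/pki.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_ca \
    -out "$d/inter.pem" 2>/dev/null
  # Service certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=service.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_leaf \
    -out "$d/leaf.pem" 2>/dev/null
  # What the signing CA hands back: leaf first, then its chain up to the root.
  cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Client holds root.pem only and is shown the sole service certificate.
verify_sole()   { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# Same trust store, but the peer supplies the bundle as untrusted chain material.
verify_bundle() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/bundle.pem" \
                    "$1/leaf.pem" >/dev/null 2>&1; }

work=$(mktemp -d)
build_pki "$work"
verify_sole "$work"   && echo "sole certificate: verified" || echo "sole certificate: chain incomplete"
verify_bundle "$work" && echo "bundle: verified"           || echo "bundle: rejected"
```

The root certificate inside the bundle gains no trust from being sent by the peer; trust still comes only from the client's own copy in `root.pem`.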