cloudstack-dev mailing list archives

From John Kinsella <jlkin...@gmail.com>
Subject Re: [DISCUSS][PROPOSAL] CA authority plugin definition
Date Fri, 14 Apr 2017 17:21:37 GMT
I’d suggest taking a look at using Dogtag[1] as well. Actually, that’s what the Other Guys
also suggest[2].

1: http://pki.fedoraproject.org/wiki/PKI_Main_Page
2: https://wiki.openstack.org/wiki/PKI


> On Apr 14, 2017, at 7:57 AM, Simon Weller <sweller@ena.com> wrote:
> 
> Daan,
> 
> 
> What about integrating some like Vault (https://github.com/hashicorp/vault)?
> 
> 
> - Si
> 
> ________________________________
> From: Daan Hoogland <daan.hoogland@shapeblue.com>
> Sent: Friday, April 14, 2017 5:46 AM
> To: dev@cloudstack.apache.org
> Subject: [DISCUSS][PROPOSAL] CA authority plugin definition
> 
> Devs,
> 
> Following a discussion with a client they came up with the idea to create a pluggable
> CA-framework. A plugin would serve components in cloudstack that so require (management servers,
> agents, load balancers, SVMs, etc.) with certificates answering certificate requests and validating
> certificates on request.
> 
> A default plugin can be written that serves according to its own self-signed root certificate
> and have its own revocation list to be managed by the admin. Other plugins could forward by
> mail or web requests to external parties.
> 
> A CA-plugin will have to
> 
> - Setup, for the default this means creating its certificate, for others it
>   might mean installing an intermediate certificate or configuring a mail or website address.
> 
> - Accept and answer certificate requests
> 
>   - For client certificates
> 
>   - For server certificates
> 
> - Accept revocation requests
> 
> - Validate a connection request according to origin and certificate and <extra
>   data>. What extra data is is defined by the plugin and can be credentials or field-definitions
>   referring to the x509 entries or for instance port numbers allowed… this is basically free
>   to the implementer.
> 
> A next step will have to be integrating the request calls with installs on targets but
> I think as is this feature merits itself as it could be used with out-of-band configuration
> management tools as well.
> 
> Any thoughts, remarks and critiques are welcome,
> 
> daan.hoogland@shapeblue.com
> www.shapeblue.com
> Shapeblue - The CloudStack Company
> 53 Chandos Place, Covent Garden, London WC2N 4HS UK
> @shapeblue
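Added example, not code from this thread or from CloudStack: a standard-library Go sketch of the duties the proposal lists for the default plugin (set up a self-signed root, answer client and server certificate requests, keep an admin-managed revocation list, validate a presented certificate against origin and intended usage). The names DefaultCA, Setup, Issue and Validate and the CA common name are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // brevity only; a real plugin returns these errors

// DefaultCA stands in for the proposal's default plugin: a self-signed root plus
// the revocation list the admin manages (constructed example, not CloudStack code).
type DefaultCA struct {
	Key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	Revoked map[string]bool // serial number -> revoked
}

// Setup is the plugin's first duty: create its self-signed root certificate.
func Setup() *DefaultCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cloudstack-default-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &DefaultCA{Key: key, Cert: must(x509.ParseCertificate(der)), Revoked: map[string]bool{}}
}

// Issue answers a certificate request; usage selects a client or a server certificate.
func (ca *DefaultCA) Issue(csrDER []byte, usage x509.ExtKeyUsage) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature()) // the requester has to prove it holds the private key
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)))
	tmpl := &x509.Certificate{SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: csr.Subject,
		DNSNames: csr.DNSNames, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key))))
}

// Validate reports whether a cert chains to the root, carries the intended usage, is not revoked and (for servers) matches origin.
func (ca *DefaultCA) Validate(c *x509.Certificate, usage x509.ExtKeyUsage, origin string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: origin, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil && !ca.Revoked[c.SerialNumber.String()]
}
```

Revocation here is the plain serial list the proposal mentions; a plugin that forwards to an external CA would consult that party's CRL or OCSP responder instead.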

