Page Comparison

Page Properties

label

Status

colour

Grey

title
Blue

Not started

Decided

Stakeholders

Outcome

Due date

Owner

Background

...

ASSETS: What resources does the module need to know about to integrate PKI?
- PKI assets = key, cert, cacert
  - file-based: x509+RSA files
    - simp-pki module's pki::copy from FakeCA
    - simp-beaker-helpers gem's pki_copy_to function.
    - IMPORTANT: Independent file delivery mechanism
      - The files get there, but in a way SIMP (and possibly Puppet) doesn't manage
      - probably no need to do anything
      - QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?
  - file-based: java keystore / truststore
  - moonshots (probably not feasible):
    - PKI stored in LDAP
    - PKI stored in TPM
DISTRO: What PKI asset distribution methods should SIMP manage?
- SIMP has the pki::copy function, which copies the host's cert+key+cacert into a local directory
  - the structure:
    HOST_PKI_DIR/
    cacerts/cacerts.pem
    public/fdqn.pub
    private/fdqn.pem
- This supports individual PKI distribution per-application
  - accommodates SELinux
  - some applications (particularly in multi-homed environments) some use separate PKI certs/CAs
- current param: $use_simp_pki (bool)
- suggested param: $use_simp_pki or $manage_pki (if "Stroolean")

...