Background
Acceptance Testing
...
ASSETS: What resources does the module need to know about to integrate PKI?
- PKI assets = key, cert, cacert
  - file-based: x509+RSA files
    - simp-pki module's pki::copy
    - from FakeCA: simp-beaker-helpers gem's pki_copy_to function
  - IMPORTANT: Independent file delivery mechanism
    - The files get there, but in a way SIMP (and possibly Puppet) doesn't manage
    - probably no need to do anything
  - QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?
  - file-based: java keystore / truststore
  - moonshots (probably not feasible):
    - PKI stored in LDAP
    - PKI stored in TPM
DISTRO: What PKI asset distribution methods should SIMP manage?
- SIMP has the pki::copy function, which copies the host's cert+key+cacert into a local directory
- the structure:
    HOST_PKI_DIR/
      cacerts/cacerts.pem
      public/fqdn.pub
      private/fqdn.pem
- This supports individual PKI distribution per-application
  - accommodates SELinux
  - some applications (particularly in multi-homed environments) use separate PKI certs/CAs
- current param: $use_simp_pki (bool)
- suggested param: $use_simp_pki or $manage_pki (if "Stroolean")
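As an added illustration (not code from SIMP or from these notes), a hypothetical module class myapp that consumes the pki::copy layout above under a Stroolean $pki parameter: 'simp' or true means SIMP delivers the assets, false means an independent mechanism delivered them and the module only references the paths. The names $pki_source, $app_pki_dir and $fqdn are assumptions, and the pki::copy parameters used (source, destination, pki, group) should be checked against the installed simp-pki version.

```puppet
# Hypothetical 'myapp' class (added example, not SIMP code). $pki is a
# Stroolean: 'simp' or true => SIMP delivers the assets via pki::copy;
# false => assets arrive by an independent mechanism and are not managed here.
class myapp (
  Variant[Boolean,Enum['simp']] $pki         = false,
  # assumed names: where the host's PKI lives and where this app's copy goes
  Stdlib::Absolutepath          $pki_source  = '/etc/pki/simp/x509',
  Stdlib::Absolutepath          $app_pki_dir = '/etc/pki/simp_apps/myapp/x509',
  String                        $fqdn        = $facts['networking']['fqdn'],
) {
  # Asset paths follow the pki::copy layout: HOST_PKI_DIR/{cacerts,public,private}
  $cacert = "${app_pki_dir}/cacerts/cacerts.pem"
  $cert   = "${app_pki_dir}/public/${fqdn}.pub"
  $key    = "${app_pki_dir}/private/${fqdn}.pem"

  # Puppet treats the string 'simp' as truthy, so both 'simp' and true land here;
  # pki::copy itself decides what the two values mean for the source.
  if $pki {
    pki::copy { 'myapp':
      source      => $pki_source,
      destination => $app_pki_dir,
      pki         => $pki,
      group       => 'myapp',
      before      => File['/etc/myapp/tls.conf'],
    }
  }

  # The application config only ever refers to the per-app copy, whichever
  # mechanism delivered it, so the directory layout is the contract with SIMP.
  file { '/etc/myapp/tls.conf':
    owner   => 'root',
    group   => 'myapp',
    mode    => '0640',
    content => "ca_file = ${cacert}\ncert_file = ${cert}\nkey_file = ${key}\n",
  }
}
```

With $pki = false the class still writes the same paths into tls.conf, which is what makes the "same directory structure as pki::copy" question above matter: an independently delivered key that lands elsewhere breaks the application without any Puppet error.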
...