Background
In various modules that deal with PKI, parameters such as the following have been observed:
$enable_pki = true
Does this turn PKI on/off, turn PKI management on/off, turn the SIMP-specific PKI system on/off (see: The New Layout for all SIMP Modules)?
$use_simp_pki
= true
Okay, this looks like it explicitly means "Use SIMP's PKI system (e.g., FakeCA, keydist/, pki::copy)"
$cert_source
= '/absolute/path/to/dir'
- simp-apache: Defines what directory look for certs in a
- ALTERNATIVE (simp-rsyslog):
$pki_cert_dir = '/same/as/cert_source/w/a/better/name'
Questions
- How should we tell a SIMP module to manage PKI (at all)?
- The opposite of manage is "leave it alone."
- Examples of management:
- where to look for certs, cacerts
- ensure that SSL is on or off
- ensure that SSL is validated
- Examples of something other than management:
- EXTRA: distributing certificates on the filesystem
- This is extra because
- d
- EXTRA: distributing certificates on the filesystem
How should we tell SIMP to use SIMP's pki module vs some other PKI distribution system?
Examples:
file-based:
simp-pki module's
pki::copy
from FakeCAsimp-beaker-helpers gem's
pki_copy_to
function.Independent file delivery mechanism (another module, probably need to do nothing)
- QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?
(moonshots, not )
PKI stored in LDAP?
PKI stored in TPM?