[Openstack-security] Certmonger
Adam Young
ayoung at redhat.com
Mon Oct 28 17:04:06 UTC 2013
PKI requires infrastructure, more than the OpenStack project can really
dictate. What OpenStack needs is a strategy to integrate in with
existing PKI systems.
Certmonger https://fedorahosted.org/certmonger/ is a tool from the
Fedora project for integrating with a remote Certificate Authority. As
such, it seems to fill the gap in our strategy. It can:
Perform all of the local tasks for certificate request generation
Monitor and request new certificates prior to expiration.
Handle both NSS and OpenSSL local storage formats.
Currently, Certmonger works against FreeIPA/Dogtag
http://pki.fedoraproject.org/wiki/PKI_Main_Page and Certmaster
https://fedorahosted.org/certmaster/.
I'd like to propose that we make Certmonger the focus for our X509
management strategy. In order to do that, we need to ensure that
Certmonger can support a large enough array of CA request formats.
Beyond the ones listed above, what are people concerned with supporting
for CA software? The Wikipedia list of Open Source CA implementations
https://en.wikipedia.org/wiki/Certificate_authority#Open_source_implementations
is fairly short. What are the dominant APIs that we need to support?
Many people might be tempted to follow the advice of "Just let puppet
handle it." I'm not certain that this is the right approach.
Disregarding the shops that don't use Puppet or another comparable
configuration management tool, it appears that Puppet performs "Master
side" certificate generation, and does not follow the best practice of
keeping the key in secure storage on the client. I'd be interested in
hearing more feedback on this. However, it seems to me that Puppet and
Certmonger should be able to work together, with Certmonger managing the
logic for generating certificate requests and Puppet performing the
marshalling: or maybe Certmonger can just talk directly to the Puppet CA.
I am not certain that the Puppet CA is doing Revocations or OCSP
either, one or the other being required for a full X509 implementation.
It looks like Chef is also getting into the CA business.
http://www.cryptocracy.com/blog/2013/04/20/very-simple-x509-pki-with-chef
I've submitted a session for this under Devstack, as there is no general
purpose "Security" heading. http://summit.openstack.org/cfp/details/363
However, it might be too late to schedule it. I will try to put together
an unconference session to discuss this, in conjunction with the
Security team.
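As an added illustration (not part of this mail, and not Certmonger's own code), the POSIX shell script below does by hand the two client-side jobs attributed to Certmonger above: generating the key and CSR on the host so that only the CSR travels to the CA (the contrast with "master side" generation), and checking ahead of expiry whether a renewal request is due. It assumes the openssl CLI is installed; the self-signed certificate it builds is a constructed sample used only to exercise the expiry check.

```shell
#!/bin/sh
# Added example: client-side key/CSR generation plus an expiry check,
# the two local tasks a certificate monitor performs.
# Assumes: openssl CLI is available; WORKDIR is a writable scratch dir.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the key pair on this host and write a CSR for it. The key is
# created with mode 0600 and never leaves the machine; the CSR is the only
# artifact that is sent to the CA for signing.
make_local_csr() {
    host="$1"
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$WORKDIR/$host.key" >/dev/null 2>&1 )
    openssl req -new -key "$WORKDIR/$host.key" -subj "/CN=$host" \
        -out "$WORKDIR/$host.csr" >/dev/null 2>&1
    # Check the CSR's self-signature before handing it to a CA.
    openssl req -in "$WORKDIR/$host.csr" -noout -verify >/dev/null 2>&1
}

# Print "renew" if the certificate expires within $2 days, else "ok".
# This is the check a monitor runs ahead of expiry so that a renewal
# request goes out while the current certificate is still valid.
# (openssl -checkend exits non-zero when the cert WILL expire in the window.)
needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
    then
        echo ok
    else
        echo renew
    fi
}

# Constructed sample only: self-sign the CSR for $2 days so the expiry
# check has something to inspect. In the real flow the CA signs the CSR.
make_sample_cert() {
    host="$1"; days="$2"
    openssl x509 -req -in "$WORKDIR/$host.csr" -signkey "$WORKDIR/$host.key" \
        -days "$days" -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}
```

Running make_local_csr for a host, then make_sample_cert with a 10-day lifetime, gives "renew" from needs_renewal with a 30-day window and "ok" with a 5-day window.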