[Openstack-security] Certmonger

Adam Young ayoung at redhat.com
Tue Oct 29 18:03:53 UTC 2013


On 10/29/2013 11:44 AM, Bryan D. Payne wrote:
> Adam,
>
> Can you provide a little more detail on what pieces of OpenStack you 
> are imagining would integrate with Certmonger?  I think some concrete 
> examples of why this is needed would go a long ways towards helping to 
> spark some discussion here.  But you've piqued my interest and I'd 
> like to hear more.  I'd certainly attend a session on this on Hong 
> Kong, for what it's worth.

Anything that requires an X509.  This is:  anything that does TLS: 
HTTPD, Messaging, etc.  In addition, Keystone should use it to manage 
the signing certificates.  If there are certificates involved in the 
crypto signing of block devices, those would be managed via Certmonger 
as well.

I'll see if I can set up an unconference session.  Things are still 
settling out on the Developers conference schedule.

>
> Cheers,
> -bryan
>
>
>
> On Mon, Oct 28, 2013 at 10:04 AM, Adam Young <ayoung at redhat.com 
> <mailto:ayoung at redhat.com>> wrote:
>
>     PKI requires infrastructure, more than the OpenStack project can
>     really dictate.  What OpenStack needs is a strategy to integrate
>     in with existing PKI systems.
>
>     Certmonger https://fedorahosted.org/certmonger/  is a tool from
>     the Fedora project for integrating with a remote Certificate
>     Authority. As such, it seems to fill the gap in our strategy.  It can:
>
>
>      Perform all of the local tasks for certificate request generation
>      Monitor and request new certificates prior to expiration.
>      Handle both NSS and OpenSSL local storage formats.
>
>     Currently, Certmonger works against FreeIPA/Dogtag
>     http://pki.fedoraproject.org/wiki/PKI_Main_Page and Certmaster
>     https://fedorahosted.org/certmaster/.
>
>     I'd like to propose that we make Certmonger the focus for our X509
>     management strategy.  In order to do that, we need to ensure that
>     Certmonger can support a large enough array of CA request formats.
>
>     Beyond the ones listed above, what are people concerned with
>     supporting for CA software?  The Wikipedia list of Open Source CA
>     implementations
>     https://en.wikipedia.org/wiki/Certificate_authority#Open_source_implementations
>     is fairly short.  What are the dominant APIs that we need to support?
>
>     Many people might be tempted to follow the advice of "Just let
>     puppet handle it."  I'm not certain that this is the right
>     approach.  Disregarding the shops that don't use Puppet or a
>     comparable other Configuration management tool, it appears that
>     Puppet performs "Master side" certificate generation, and not
>     following the best practice of keeping the key in secure storage
>     on the client.  I'd be interested in hearing more feedback on
>     this. However, it seems to me that Puppet and Certmonger should be
>     able to work together, with Certmonger managing the logic for
>     generating certificate requests and Puppet performing the
>     marshalling:  or maybe Certmonger can just talk directly to the
>     Puppet CA.
>
>     I am not certain that the Puppet CA is doing Revocations or OCSP,
>     either, one or the other required for a full X509 implementation.
>
>     It looks like Chef is also getting into the CA business.
>     http://www.cryptocracy.com/blog/2013/04/20/very-simple-x509-pki-with-chef
>
>     I've submitted a session for this under Devstack, as there is no
>     general purpose "Security" heading.
>     http://summit.openstack.org/cfp/details/363  However, it might be
>     too late to schedule it. I will try to put together an
>     unconference session to discuss this, in conjunction with the
>     Security team.
>

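The original proposal lists the jobs Certmonger takes on for a host: generating the request locally (so the private key never leaves the machine), tracking each issued certificate, and renewing it before it expires. The operational gap that leaves is noticing when that tracking has broken down: a request stuck because the CA is unreachable, or a certificate tracked with auto-renew switched off. The script below is an added example, not code from this thread or from the Certmonger project. It parses the text that `getcert list` prints, flags the cases certmonger will not or cannot renew on its own, and handles both the FILE (OpenSSL PEM) and NSS storage types the mail mentions. The sample output is constructed to approximate `getcert list`'s format (the field names and their spelling are assumptions), the audit time `NOW` is the date of this thread, and the 28-day renewal window is an assumed value rather than one taken from certmonger's configuration.

```python
"""Audit `getcert list` output for certificates certmonger will not renew in time.

Added example, not Certmonger's own code. The field layout of `getcert list`
is assumed from memory; adjust the parser if your certmonger prints differently.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

# Reference time for the audit: the date of this thread (constructed for the example).
NOW = datetime(2013, 10, 29, 18, 3, 53, tzinfo=timezone.utc)

# Constructed sample of `getcert list` output; not captured from a real host.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20131029180353':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=controller.example.com,O=EXAMPLE.COM
\texpires: 2014-10-29 18:03:53 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20131029180400':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/keystone/ssl/private/signing_key.pem'
\tcertificate: type=FILE,location='/etc/keystone/ssl/certs/signing_cert.pem'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=keystone.example.com,O=EXAMPLE.COM
\texpires: 2013-11-10 09:00:00 UTC
\ttrack: yes
\tauto-renew: no
Request ID '20131029180410':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSS,location='/etc/pki/nssdb',nickname='rabbitmq'
\tcertificate: type=NSS,location='/etc/pki/nssdb',nickname='rabbitmq'
\tCA: IPA
\tsubject: CN=rabbitmq.example.com,O=EXAMPLE.COM
\texpires: 2013-11-02 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
_STORAGE_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")


def parse_storage(spec: str) -> Dict[str, str]:
    """Split "type=NSS,location='/etc/pki/nssdb',nickname='x'" into a dict.

    Works for both storage types certmonger supports: FILE (PEM on disk,
    type + location) and NSS (database directory + nickname).
    """
    return {key: value.strip("'") for key, value in _STORAGE_RE.findall(spec)}


def parse_expires(value: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' stamp getcert prints (format assumed)."""
    stamp, zone = value.rsplit(" ", 1)
    if zone != "UTC":
        raise ValueError("unexpected time zone in expires field: %r" % value)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text: str) -> List[Dict[str, object]]:
    """Turn `getcert list` output into one dict per tracked request."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        match = _REQUEST_RE.match(raw)
        if match:
            current = {"request_id": match.group(1)}
            records.append(current)
            continue
        if not current or ":" not in raw:
            continue  # header line such as "Number of certificates ..."
        key, value = raw.strip().split(":", 1)
        key, value = key.strip(), value.strip()
        if key in ("key pair storage", "certificate"):
            current[key] = parse_storage(value)
        elif key == "expires":
            current[key] = parse_expires(value)
        else:
            current[key] = value
    return records


class Finding(NamedTuple):
    request_id: str
    subject: str
    reason: str


def audit(records: List[Dict[str, object]], now: datetime = NOW,
          window_days: int = 28) -> List[Finding]:
    """Flag requests certmonger will not (or cannot) renew before expiry.

    A stuck request needs an operator; an expired certificate is already an
    outage; a certificate inside the renewal window with auto-renew off will
    expire silently. Healthy, auto-renewing entries produce no finding.
    """
    window = timedelta(days=window_days)
    findings: List[Finding] = []
    for rec in records:
        rid = str(rec["request_id"])
        subject = str(rec.get("subject", "<unknown>"))
        expires = rec.get("expires")
        if rec.get("stuck") == "yes":
            findings.append(Finding(rid, subject, "request is stuck in state %s" % rec.get("status")))
        elif not isinstance(expires, datetime):
            findings.append(Finding(rid, subject, "no certificate issued yet"))
        elif expires <= now:
            findings.append(Finding(rid, subject, "certificate has expired"))
        elif expires - now <= window and rec.get("auto-renew") != "yes":
            days = (expires - now).days
            findings.append(Finding(rid, subject, "expires in %d days but auto-renew is disabled" % days))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_getcert_list(SAMPLE_GETCERT_LIST)):
        print("%s  %s  %s" % (finding.request_id, finding.subject, finding.reason))
```

On a real host you would feed it `getcert list` output instead of the constructed sample; the findings are the entries an operator has to act on, since certmonger's own renewal loop only covers the healthy, auto-renewing case. The parser deliberately keeps the storage fields structured so a report can say whether the affected key lives in a PEM file or an NSS database.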