[Openstack-security] Certmonger

Clark, Robert Graham robert.clark at hp.com
Tue Nov 5 02:59:09 UTC 2013



On 02/11/2013 15:55, "Adam Young" <ayoung at redhat.com> wrote:

>
>
>
>On 11/01/2013 03:10 PM, Clark, Robert Graham wrote:
>> Support for ADCS and EJBCA would make sense.
>Good to hear it.  I'd come across them, but didn't know how well
>supported they were.
>
>>
>> I wasn't aware of the Chef-SSL project, quite interesting. In my
>>experience the hard part with CA operations is actually the Registration
>>Authority: ensuring that the requesting party has a right to the
>>certificate is one of the main roles of the RA, and with client-side
>>generation (without out-of-band attestation) you quickly run into a
>>chicken-and-egg type problem.
>Dogtag, EJBCA and ADCS I think all have solutions to this, which are
>somewhat different.  I suspect that could be abstracted away from the
>Certmonger piece.

They do, but they're all horrible. EJBCA requires identity profiles for
every request, a major headache and very hard to manage in dynamic
environments. ADCS only works nicely if all your machines are domain
joined in just the right way. Dogtag I'm not sure about, but I suspect it
has similar constraints.


>>
>> A long time ago I wrote half of a very lightweight RESTful CA with a
>>very simple API and delegated certificate issuing (so you could grant
>>permissions to create certificates on certain sub-domains) - I keep
>>threatening to turn it into something real. I'm not convinced that any
>>of the platforms out there meet the needs we have very well. I should
>>look more closely at Certmonger, maybe this will fit the bill!
>Certmaster is the equivalent:
>
>https://fedorahosted.org/certmaster/
>
>XML-RPC based, so a RESTful augmentation would be very nice.
>
>Then again, we also have Barbican.  Let's make sure we are not
>duplicating effort.

Interesting, I'm keen to understand more about the X.509 stuff in Barbican
and I've added Certmaster to the list of things to look into.

>
>>
>> From: Bryan Payne <bdpayne at acm.org>
>> Date: Tuesday, 29 October 2013 19:20
>> To: "ayoung at redhat.com" <ayoung at redhat.com>
>> Cc: "openstack-security at lists.openstack.org"
>><openstack-security at lists.openstack.org>
>> Subject: Re: [Openstack-security] Certmonger
>>
>>
>> We need an approach for SSL everywhere:  it is one of the issues raised
>>in the security guide.  Thus, the default deployment needs to show how
>>to set that up.
>>
>> Makes sense to me.
>> -bryan
>
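A sketch of the RA-side authorization step behind the "delegated certificate issuing on certain sub-domains" idea discussed above, added here as an example rather than code from the thread or from Certmonger/Certmaster/Barbican. The delegation table and requester names are constructed; the requester is assumed to have been authenticated out of band already (the chicken-and-egg part), and the check only decides whether the names a CSR asks for fall inside the zones that requester was granted, matching on DNS labels rather than string suffixes.

```python
import re

# Constructed delegation table (not from the thread): which zones each
# authenticated requester may obtain certificates under.
DELEGATIONS = {
    "team-web": ["web.example.com"],
    "team-db": ["db.example.com", "db-dr.example.com"],
}

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def valid_dns_name(name):
    """Accept only well-formed names; a wildcard must be the whole leftmost label."""
    labels = _labels(name)
    if not labels or len(name) > 253:
        return False
    for i, lab in enumerate(labels):
        if lab == "*" and i == 0 and len(labels) > 1:
            continue
        if not LABEL_RE.match(lab):
            return False
    return True


def name_within_zone(name, zone):
    """True if name equals zone or sits below it, compared label by label.

    Suffix matching on strings would let "notweb.example.com" pass for the
    zone "web.example.com"; label comparison does not.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def authorize_csr_names(requester, requested_names, delegations=DELEGATIONS):
    """Return (allowed, reason): every requested name must be inside a delegated zone."""
    zones = delegations.get(requester, [])
    if not zones:
        return False, "no delegation for %r" % requester
    if not requested_names:
        return False, "CSR requests no names"
    for name in requested_names:
        if not valid_dns_name(name):
            return False, "malformed name %r" % name
        if not any(name_within_zone(name, zone) for zone in zones):
            return False, "%r is outside delegated zones %r" % (name, zones)
    return True, "all names within delegation"
```

Because a wildcard is just another leftmost label here, "*.web.example.com" is allowed for team-web while "*.example.com" is refused, which is the case a suffix-based check typically gets wrong.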