Re: [DISCUSS][PROPOSAL] CA authority plugin definition

Fri, 14 Apr 2017 08:05:38 -0700 

Simon, I can think of use cases for that and it is an interesting topic. I can 
also see it as being implemented in a CA-plugin. I do not think it should be in 
the base of this framework though. That would complicate cloudstack for simple 
users to much I think. On the other hand, it would have more use cases then 
just for CA-plugins (fantasy running now)

On 14/04/17 16:57, "Simon Weller" <swel...@ena.com> wrote:

    Daan,
    
    
    What about integrating some like Vault (https://github.com/hashicorp/vault)?
    
    
    - Si
    
    ________________________________
    From: Daan Hoogland <daan.hoogl...@shapeblue.com>
    Sent: Friday, April 14, 2017 5:46 AM
    To: dev@cloudstack.apache.org
    Subject: [DISCUSS][PROPOSAL] CA authority plugin definition
    
    Devs,
    
    Following a discussion with a client they came up with the idea to create a 
pluggable CA-framework. A plugin would serve components in cloudstack that so 
require (management servers, agents, load balancers, SVMs, etc.) with 
certificates answering certificate requests and validating certificates on 
request.
    
    A default plugin can be written that serves according to its own self 
signed root certificate and have its own revocation list to be managed by the 
admin. Other plugin could forward by mail or web requests to external parties.
    
    A CA-plugin will have to
    
    -          Setup, for the default this means creating its certificate, for 
others it might mean install an intermediate certificate or configure a mail, 
or website address.
    
    -          Accept and answer certificate requests
    
    o    For client certificates
    
    o    For server certificates
    
    -          Accept revocation requests
    
    -          Validate a connection request according to origin and 
certificate and <extra data>. What extra data is is defined by the plugin and 
can be credentials or field-definitions referring the x509 entries or for 
instance port numbers allowed… this is basically free to the implementer.
    
    A next step will have to be integrating the request calls with installs on 
targets but I think as is this feature merits itself as it could be used with 
out of band configuration management tools as well.
    
    Any thoughts, remarks and critiques are welcome,
    
    daan.hoogl...@shapeblue.com
    www.shapeblue.com<http://www.shapeblue.com>
    Shapeblue - The CloudStack Company<http://www.shapeblue.com/>
    www.shapeblue.com
    Background Cloudstack relies on a fixed download site when it fetches the 
built-in guest VM templates. That download site has historically
    
    
    
    53 Chandos Place, Covent Garden, London  WC2N 4HSUK
    @shapeblue
    
    
    
    


daan.hoogl...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

Reply via email to