
Upgrading the CA certificate should be easy #27

Closed
oyvindhagberg opened this issue Jan 25, 2018 · 1 comment

Comments

@oyvindhagberg
Contributor

oyvindhagberg commented Jan 25, 2018

Ideally, it should happen automatically. Perhaps there should also be a way to do it manually, but it should be as easy as clicking a button.

Creating a new CA cert and enabling it must be two separate steps. This is in case the CA certificate is used by 3rd party systems to authenticate clients. Such systems might need to be manually updated before the new CA cert is enabled in Nivlheim.

When a new CA certificate is created, the previous certificate should stay active for a while until all clients have had a chance to update their client certificates. The web server must be configured accordingly.

@oyvindhagberg oyvindhagberg added this to the Version 1.0.0 (production ready) milestone Jan 29, 2018
@oyvindhagberg oyvindhagberg removed this from the Production ready milestone Feb 19, 2019
oyvindhagberg added a commit that referenced this issue Mar 9, 2019
Additional highlights:
- Scripts maintain and publish a bundle of valid client CA certificates.
- Removed ssl verification from client when running towards localhost.

Closes #32.
Work in progress on #27.
@oyvindhagberg
Contributor Author

oyvindhagberg commented Mar 10, 2019

Continuing after 788c9bb:

  • Fuse the two scripts create_new_CA.sh and activate_new_CA.sh into a new script
  • Configure nivlheim.spec to install it as a daily cron job
  • Add code to ping2 to ask clients to renew their cert if a new CA cert has been installed
  • Make sure there's an easy way for monitoring software to discover that a new CA has been created. It can be done by monitoring clientca.pem (published on the webserver) for changes. With Zabbix, it should be possible by using an http item and the diff trigger function.
  • Write a wiki page with documentation on how all of this works
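
The rotation scheme described in this issue (create the new CA, activate it as a separate step, keep the old CA in the published bundle until it expires, and let monitoring notice that the bundle changed) shown end to end, as an added Go example. This is not Nivlheim's own code and not the scripts referenced above: the helper names NewCA, IssueClientCert, BuildBundle, Fingerprint and AcceptsClient, the CA common names and the validity periods are assumptions made for the example, and it uses only the Go standard library so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a CA certificate with its signing key (constructed for this example).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func randomSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	return s
}

// NewCA creates a self-signed CA valid from notBefore for validFor.
// Creating a CA is deliberately separate from activating it (adding it to the bundle).
func NewCA(name string, notBefore time.Time, validFor time.Duration) CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return CA{Cert: cert, Key: key}
}

// IssueClientCert signs a client certificate whose lifetime is bounded by the CA's own.
func IssueClientCert(ca CA, hostname string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: hostname},
		NotBefore:    ca.Cert.NotBefore,
		NotAfter:     ca.Cert.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildBundle returns the PEM bundle of every activated CA still valid at now;
// an expired CA drops out on the next run without any manual step.
func BuildBundle(activated []*x509.Certificate, now time.Time) []byte {
	var out []byte
	for _, c := range activated {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// Fingerprint is what a monitoring check would compare between polls of the published bundle.
func Fingerprint(bundle []byte) string {
	sum := sha256.Sum256(bundle)
	return hex.EncodeToString(sum[:])
}

// AcceptsClient reports whether a web server trusting only the bundle accepts the client cert at now.
func AcceptsClient(bundle []byte, client *x509.Certificate, now time.Time) bool {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return false
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	now := time.Now()
	day := 24 * time.Hour
	oldCA := NewCA("client-ca-2018", now.Add(-300*day), 365*day) // expires in 65 days
	oldClient := IssueClientCert(oldCA, "host1.example.org")
	bundle := BuildBundle([]*x509.Certificate{oldCA.Cert}, now)

	// Step 1: create the new CA. Nothing changes for clients or 3rd party systems yet.
	newCA := NewCA("client-ca-2019", now, 365*day)
	fmt.Println("before activation, old client accepted:", AcceptsClient(bundle, oldClient, now))

	// Step 2: activate. Both CAs stay in the bundle during the overlap period.
	active := []*x509.Certificate{oldCA.Cert, newCA.Cert}
	overlap := BuildBundle(active, now)
	fmt.Println("bundle changed (monitoring trigger):", Fingerprint(bundle) != Fingerprint(overlap))
	newClient := IssueClientCert(newCA, "host1.example.org")
	fmt.Println("overlap: old", AcceptsClient(overlap, oldClient, now), "new", AcceptsClient(overlap, newClient, now))

	// Later the old CA expires, the daily run drops it, and only renewed clients get in.
	later := now.Add(100 * day)
	final := BuildBundle(active, later)
	fmt.Println("after expiry: old", AcceptsClient(final, oldClient, later), "new", AcceptsClient(final, newClient, later))
}
```

The activation list is the only thing an operator edits; the bundle contents follow from it and from the clock, which is what makes the daily cron run safe to repeat. A monitoring item that hashes clientca.pem sees exactly one change at activation and one more when the old CA ages out.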

oyvindhagberg added a commit that referenced this issue Mar 13, 2019
This PR takes care of 2 issues:
- It automates the upgrading process of the client CA certificate,
  making it easy to upgrade, and "documenting" (in the form of code)
  how to do it. #27
- It publishes a bundle with the currently active CA certificates on
  the web server, facilitating 3rd party use. #32 

See also: https://github.com/usit-gd/nivlheim/wiki/Client-certificates