Uploaded image for project: 'Apache Ozone'
  1. Apache Ozone
  2. HDDS-7332 Automatic certificate rotation before certificate expiration
  3. HDDS-7379

Use certificate bundles instead of the sole certificate

    XMLWordPrintableJSON

Details

    Description

      In the server side, currently we serve just the certificate of the entity itself for proving authenticity of the server side.

      In order to simplify the trust store, and ensure that the RootCA certificate is enough to be distributed for every potential client, we can provide the trust chain of the server certificates in a certificate bundle to the connecting clients.
      This task is about to ensure that once an intermediate CA signs a certificate, it provides it whole trust chain up until the RootCA in the certificate file that is sent back to the certificate owner after signing it CSR.

      Attachments

        Issue Links

          fixes

          Sub-task - The sub-task of the issue HDDS-7378 Ensure certificate hierarchy is set up properly

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HDDS-9410 Upgrade stall from 1.3 to current code when gRPC TLS is enabled.

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Test - A new unit, integration or system test. HDDS-7981 Test using openSSL that files written/read by CertificateCodec are adhering to standards

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          links to

          Web Link GitHub Pull Request #4231

          Activity

            People

              sgal Szabolcs Gál
              pifta István Fajth
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: