Barbican/Blueprints/ssl-certificates


 * Launchpad Entry: https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support
 * Created: 27-Mar-2014
 * Updated: 31-Mar-2014
 * Contributors: Chad Lung, Doug Mendizabal, Lisa Clark, Sheena Gregson, John Wood, Jarret Raim, Paul Kehrer, Steven Gonzales, John Vrbanac

Abstract
This blueprint addresses support for ordering new SSL certificates and modifying existing ones through Barbican, from both globally rooted and internal certificate authorities.

Description
The following are proposed workflow diagrams and details relevant to the Barbican implementation of SSL certificate life-cycle management.

The plan is to have something generic enough that plugins can be created for numerous certificate authority back ends like Symantec, Dogtag, etc. These plugins would be enabled through Barbican. Barbican would act as a proxy to send the incoming order (certificate) to the appropriate plugin. All plugins would share a common interface. The workflow for issuing new and modifying existing certificates would live inside of the plugins.

Common Statuses
 * Pending (not issued, not error)
 * Error (not fatal, fixable)
 * Failure (fatal error)
 * Success (order complete)
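
One way the proxy, the common plugin interface and the common statuses described above could fit together, as an added example rather than Barbican's actual code. The class names, the order fields (`ca`, `action`, `csr`, `certificate_ref`) and the mapping of outcomes to statuses are assumptions made for illustration.

```python
import abc
import enum

class Status(enum.Enum):
    PENDING = "Pending"    # not issued, not error
    ERROR = "Error"        # not fatal, fixable
    FAILURE = "Failure"    # fatal error
    SUCCESS = "Success"    # order complete

class CertificatePlugin(abc.ABC):
    """Hypothetical common interface; the CA-specific workflow lives in subclasses."""
    @abc.abstractmethod
    def issue(self, order):
        """Return (Status, detail) for a new-certificate order."""

    @abc.abstractmethod
    def modify(self, order):
        """Return (Status, detail) for a change to an existing certificate."""

class DemoInternalCA(CertificatePlugin):
    """Constructed stand-in for a CA back end; it contacts no real service."""

    def issue(self, order):
        if not order.get("csr"):
            return Status.ERROR, "missing CSR; requester can fix and resubmit"
        return Status.PENDING, "submitted to CA, awaiting issuance"

    def modify(self, order):
        if not order.get("certificate_ref"):
            return Status.ERROR, "missing reference to the existing certificate"
        return Status.SUCCESS, "certificate updated"

class OrderProxy:
    """Routes an incoming order to the plugin enabled for its CA (assumed routing key)."""

    def __init__(self, plugins):
        self._plugins = dict(plugins)  # CA name -> plugin instance

    def submit(self, order):
        plugin = self._plugins.get(order.get("ca"))
        if plugin is None:
            return Status.FAILURE, "no plugin enabled for requested CA"
        # Allowlist of actions: never resolve a method from caller-supplied names.
        handler = {"issue": plugin.issue, "modify": plugin.modify}.get(order.get("action"))
        if handler is None:
            return Status.FAILURE, "unsupported order action"
        try:
            return handler(order)
        except Exception as exc:  # a plugin fault is reported, not propagated
            return Status.FAILURE, "plugin raised %s" % type(exc).__name__
```

The proxy reports an unknown CA, an unsupported action or a plugin exception as Failure, while a plugin reports a correctable request problem as Error so the requester can resubmit.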

 Certificate Authority Order Flow 



 Certificate Authority Update Flow 



Proposed Changes
This is a work in progress.


 * Barbican would need to be modified to allow plugins to be called based upon order types
 * Investigate how alerts should be dispatched and build that piece accordingly
 * See the references section for additional blueprints that this work would be dependent on