
Difference between revisions of "Barbican/Blueprints/ssl-certificates"

(Description)
 
(18 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
* '''Launchpad Entry''': https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support
 
* '''Launchpad Entry''': https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support
 
* '''Created''': 27-Mar-2014
 
* '''Created''': 27-Mar-2014
* '''Updated''': 27-Mar-2014
+
* '''Updated''': 31-Mar-2014
* '''Contributors''': Chad Lung, Doug Mendizabal, Lisa Clark, Sheena Gregson, John Wood, Jarret Raim, Paul Kehrer, Steven Gonzalez, John Vrbanac
+
* '''Contributors''': Chad Lung, Doug Mendizabal, Lisa Clark, Sheena Gregson, John Wood, Jarret Raim, Paul Kehrer, Steven Gonzales, John Vrbanac
  
 
== Abstract ==
 
== Abstract ==
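Review bot: the Contributors line changes the spelling of one name from "Steven Gonzalez" to "Steven Gonzales" alongside the Updated date bump to 31-Mar-2014; confirm the intended spelling with the contributor before accepting, since a silent rename inside an otherwise identical contributor list is easy to miss.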
Line 9: Line 9:
  
 
== Description ==
 
== Description ==
 +
 +
The following are proposed workflow diagrams and details relevant to the Barbican implementation of SSL certificate life-cycle management.
 +
 +
The plan is to have something generic enough that plugins can be created for numerous certificate authority back ends like [http://www.symantec.com/page.jsp?id=ssl-information-center Symantec], [http://pki.fedoraproject.org/wiki/PKI_Main_Page Dogtag], etc. These plugins would be enabled through Barbican. Barbican would act as a proxy to send the incoming order (certificate) to the appropriate plugin. All plugins would share a common interface. The workflow for issuing new and modifying existing certificates would live inside of the plugins.
 +
 +
'''Common Statuses'''
 +
* '''Pending''' (not issued, not error)
 +
* '''Error''' (not fatal, fixable)
 +
* '''Failure''' (fatal error)
 +
* '''Success''' (order complete)
 +
 +
<br />
 +
<br />
  
 
'''<big>Certificate Authority Order Flow</big>'''
 
'''<big>Certificate Authority Order Flow</big>'''
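Review bot: the Common Statuses list defines Error as "not fatal, fixable" and Failure as "fatal error" but does not state which transitions are allowed (Error back to Pending, Pending to Success, and so on) or whether a client keeps polling an order in Error; the poll flow depends on that, so add one sentence naming the terminal statuses. The two consecutive <br /> lines can also be a single blank line in wiki markup.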
Line 20: Line 33:
  
 
[[File:Poll-generic.png|none|center|Certificate Authority Poll Flow]]
 
[[File:Poll-generic.png|none|center|Certificate Authority Poll Flow]]
 +
 +
<br />
 +
<br />
 +
 +
'''<big>Certificate Authority Update Flow</big>'''
 +
 +
[[File:Update-generic.png|none|center|Certificate Authority Update Flow]]
  
 
== Proposed Changes ==
 
== Proposed Changes ==
  
TODO
+
''This is a work in progress''
 +
 
 +
* Barbican would need to modified to allow for plugins to be called based upon order types
 +
* Investigate how alerts should be dispatched and build that piece accordingly
 +
* See the [https://wiki.openstack.org/wiki/Barbican/Blueprints/ssl-certificates#References references section] for additional blueprints that this work would be dependent on
  
 
== References ==
 
== References ==
  
[1] [https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support Blueprint]
+
[1] [https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support Blueprint: Add SSL CA Support]
 +
 
 +
[2] [https://blueprints.launchpad.net/barbican/+spec/api-orders-add-more-types Dependent Blueprint: Add more types to the orders resource ]
 +
 
 +
[3] [https://blueprints.launchpad.net/barbican/+spec/support-rsa-key-store-generation Dependent Blueprint: Support RSA key store/generation ]
 +
 
 +
[4] [https://blueprints.launchpad.net/barbican/+spec/crud-endpoints-secret-container Dependent Blueprint: Implement Containers for Secrets ]
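Review bot: in the Proposed Changes bullet "Barbican would need to modified to allow for plugins to be called based upon order types" the word "be" is missing; suggest "would need to be modified". The trailing spaces inside the reference link labels ("Add more types to the orders resource ]", "Support RSA key store/generation ]", "Implement Containers for Secrets ]") render as stray spaces before the closing bracket and should be trimmed.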

Latest revision as of 20:27, 12 August 2016

Abstract

This blueprint addresses support of ordering (new) and modification (existing) of SSL certificates from both globally rooted and internal certificate authorities through Barbican.

Description

The following are proposed workflow diagrams and details relevant to the Barbican implementation of SSL certificate life-cycle management.

The plan is to have something generic enough that plugins can be created for numerous certificate authority back ends like Symantec, Dogtag, etc. These plugins would be enabled through Barbican. Barbican would act as a proxy to send the incoming order (certificate) to the appropriate plugin. All plugins would share a common interface. The workflow for issuing new and modifying existing certificates would live inside of the plugins.

Common Statuses

  • Pending (not issued, not error)
  • Error (not fatal, fixable)
  • Failure (fatal error)
  • Success (order complete)

Certificate Authority Order Flow

[Figure: Certificate Authority Order Flow]

[Figure: Certificate Authority Poll Flow]

Certificate Authority Update Flow

[Figure: Certificate Authority Update Flow]

Proposed Changes

This is a work in progress

  • Barbican would need to be modified so that plugins are called based on the order type
  • Investigate how alerts should be dispatched and build that piece accordingly
  • See the references section for the additional blueprints this work depends on
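The following is an added sketch, not Barbican's own code, of the design described above: one plugin interface shared by every CA back end, a proxy that routes each order to the plugin registered for its order type, and a poll step driven by the four common statuses (Pending and Error stay pollable, Failure and Success are terminal). The class names, the order shape, and the fake back end's behaviour are assumptions made for the example.

```python
# Added illustration, not Barbican's own code: common CA plugin interface,
# proxy dispatch by order type, and polling by status. Names are assumed.
from enum import Enum


class Status(Enum):
    PENDING = "pending"   # not issued, not error
    ERROR = "error"       # not fatal, fixable: the order stays pollable
    FAILURE = "failure"   # fatal error: terminal
    SUCCESS = "success"   # order complete: terminal

class Order:
    def __init__(self, order_type, meta):
        self.order_type, self.meta = order_type, meta
        self.status, self.result = Status.PENDING, {}

class CAPlugin:
    """Interface every CA back end plugin implements (assumed shape)."""
    def issue(self, order): raise NotImplementedError   # -> (Status, dict)
    def poll(self, order): raise NotImplementedError    # -> (Status, dict)

class FakeCAPlugin(CAPlugin):
    """Constructed back end: bad CN fails; poll 1 -> Error, poll 2 -> Success."""
    def __init__(self):
        self.polls = 0
    def issue(self, order):
        if not order.meta.get("common_name"):
            return Status.FAILURE, {"reason": "missing common_name"}
        return Status.PENDING, {"ca_ref": "req-123"}  # constructed CA reference
    def poll(self, order):
        self.polls += 1
        if self.polls == 1:
            return Status.ERROR, {"reason": "domain validation outstanding"}
        return Status.SUCCESS, {"certificate": "<constructed PEM>"}

class Proxy:
    def __init__(self):
        self.plugins = {}  # order type -> plugin, registered by Barbican config
    def submit(self, order):
        plugin = self.plugins.get(order.order_type)
        if plugin is None:  # no plugin for this order type: fatal, not fixable
            order.status, order.result = Status.FAILURE, {"reason": "no plugin"}
        else:
            order.status, order.result = plugin.issue(order)
        return order
    def poll(self, order):
        if order.status in (Status.SUCCESS, Status.FAILURE):
            return order  # terminal: nothing left to ask the CA
        order.status, order.result = self.plugins[order.order_type].poll(order)
        return order
```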

References

[1] Blueprint: Add SSL CA Support (https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support)

[2] Dependent Blueprint: Add more types to the orders resource (https://blueprints.launchpad.net/barbican/+spec/api-orders-add-more-types)

[3] Dependent Blueprint: Support RSA key store/generation (https://blueprints.launchpad.net/barbican/+spec/support-rsa-key-store-generation)

[4] Dependent Blueprint: Implement Containers for Secrets (https://blueprints.launchpad.net/barbican/+spec/crud-endpoints-secret-container)