Barbican/Blueprints/ssl-certificates

Revision as of 14:33, 12 August 2016


This blueprint addresses support of ordering (new) and modification (existing) of SSL certificates from both globally rooted and internal certificate authorities through Barbican.


The following are proposed workflow diagrams and details relevant to the Barbican implementation of SSL certificate life-cycle management.

The plan is to have something generic enough that plugins can be created for numerous certificate authority back ends like Symantec, Dogtag, etc. These plugins would be enabled through Barbican. Barbican would act as a proxy to send the incoming order (certificate) to the appropriate plugin. All plugins would share a common interface. The workflow for issuing new and modifying existing certificates would live inside of the plugins.

Common Statuses

  • Pending (not issued, not error)
  • Error (not fatal, fixable)
  • Failure (fatal error)
  • Success (order complete)
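
The proxy-and-plugin arrangement and the four statuses above, as an added Python sketch that is not Barbican's own code: the class and method names (SimulatedCAPlugin, OrderProxy, issue/poll/modify) are assumptions, and the CA plugin is a constructed stand-in that completes issuance on the second poll so the order, poll and update flows can be exercised offline.

```python
from enum import Enum


class Status(str, Enum):
    PENDING = "pending"    # not issued, not error
    ERROR = "error"        # not fatal, the requester can fix the order
    FAILURE = "failure"    # fatal, the order cannot proceed
    SUCCESS = "success"    # order complete


class SimulatedCAPlugin:
    """Constructed stand-in for one CA back end; every plugin exposes the same
    issue/poll/modify methods. Issuance is asynchronous: PENDING, then SUCCESS."""
    def __init__(self):
        self.orders = {}

    def issue(self, order_id, order):
        if not order.get("csr"):      # missing input is fixable: Error, not Failure
            return Status.ERROR, "order has no 'csr'"
        self.orders[order_id] = {"order": order, "polls": 0}
        return Status.PENDING, None

    def poll(self, order_id, order):
        rec = self.orders.get(order_id)
        if rec is None:
            return Status.FAILURE, "unknown order %s" % order_id
        rec["polls"] += 1
        if rec["polls"] < 2:
            return Status.PENDING, None
        return Status.SUCCESS, "cert-for-%s" % order_id

    def modify(self, order_id, order, changes):
        rec = self.orders.get(order_id)
        if rec is None:
            return Status.FAILURE, "unknown order %s" % order_id
        rec["order"].update(changes)  # an update re-enters the pending state
        rec["polls"] = 0
        return Status.PENDING, None


class OrderProxy:
    """Barbican-side proxy: forwards each action on a certificate order to the
    plugin registered for the order's CA, without knowing that CA's workflow."""
    def __init__(self):
        self.plugins = {}   # CA name -> plugin instance, registered at startup

    def dispatch(self, action, order_id, order, *args):
        plugin = self.plugins.get(order.get("ca"))
        if order.get("type") != "certificate" or plugin is None:
            return Status.FAILURE, "no plugin for %s/%s" % (order.get("type"), order.get("ca"))
        return getattr(plugin, action)(order_id, order, *args)
```

Because the proxy only routes and reports the shared statuses, a new CA back end is added by registering another object with the same three methods.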

Figure: Certificate Authority Order Flow (workflow diagram not reproduced in this text)

Figure: Certificate Authority Poll Flow (workflow diagram not reproduced in this text)

Figure: Certificate Authority Update Flow (workflow diagram not reproduced in this text)

Proposed Changes

This is a work in progress

  • Barbican would need to be modified to allow plugins to be called based upon order types
  • Investigate how alerts should be dispatched and build that piece accordingly
  • See the references section for additional blueprints that this work would be dependent on


References

[1] Blueprint: Add SSL CA Support

[2] Dependent Blueprint: Add more types to the orders resource

[3] Dependent Blueprint: Support RSA key store/generation

[4] Dependent Blueprint: Implement Containers for Secrets