Barbican/Certmonger
Barbican & Certmonger Integration
These are rough notes from a discussion held with parts of the Keystone and Barbican teams at the Hong Kong summit. HP, Red Hat and Rackspace were represented, as well as others. A non-exhaustive list of attendees is below. I didn't capture everyone's names, so if I missed you, add yourself.
- Jarret Raim
- Paul Kehrer
- Robert Graham Clark
- Adam Young
- <Others>
Certmonger
- Goal: Enable SSL everywhere
- Certmonger helps to do that
- Deals with revocation through understanding cert expiries
- Doesn't use the REST APIs on Dogtag
- Talks XML-RPC to FreeIPA and uses the old Dogtag calls
Establishing Trust
- How does the certmonger agent talk to the backend for the first time?
- This conversation is about establishing trust, can be discussed later
- How to validate that the generated CSR should be trusted?
- When a new machine is created, it needs an OTP to register that machine
- Can certmonger specify which trust root to use? You can use the NSS database to switch
- Use Keystone Kerberos / PKI to auth connection to Barbican backend
- Delegate ability for clients to generate certs off of a sub-tree
Action Items
- Barbican should be able to run on Windows to talk to AD?
- Barbican should look at the Dogtag REST API documentation to inform our APIs
- Certmonger uses Barbican as backend
- Barbican will implement / merge standards as needed for Certmonger (PKCS#10)
- Barbican will provide backend plugins for trusts (Dogtag, Keyczar, PKCS#11, KMIP)
- Think about supporting SCAP