Jump to: navigation, search


Barbican & Certmonger Integration

These are rough notes from the discussion had with parts of the Keystone & Barbican teams at the Hong Kong summit. Representation from HP, Redhat and Rackspace as well as others. A non-exhaustive list is below. I didn't capture everyone's names so if I missed you, add yourself.

  • Jarret Raim
  • Paul Kehrer
  • Robert Graham Clark
  • Adam Young
  • <Others>


  • Goal: Enable SSL everywhere
    • Certmonger helps to do that
  • Deals with revocation through understanding cert expiries
  • Doesn't use the ReST APIs on Dogtag
  • Talks XMLRPC to FreeIPA and old Dogtag calls

Establishing Trust

  • How does the certmonger agent talk to the backend for the first time?
    • This conversation is about establishing trust, can be discussed later
  • How to validate that the generated CSR should be trusted?
  • When a new machine is created, it needs an OTP to register that machine
  • Can monger say what trust root? You can use the NSDatabase to switch
  • Use Keystone Kerberos / PKI to auth connection to Barbican backend
  • Delegate ability for clients to generate certs off of a sub-tree

Action Items

  • Barbican should be able to run on Windows to talk to AD?
    • Barbican should look at Dogtag ReST API documentation to inform our APIs
  • Certmonger uses Barbican as backend
  • Barbican will implement / merge standards as needed for Certmonger (PKCS10)
  • Barbican will provide backend plugins for trusts (Dogtag, key czar, PCKS11, KMIP)
  • Think about supporting SCAP