-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PKCS12 certificates cannot be used in FIPS environments #457
Comments
@jstaf, thanks for your interest in trust-manager and for opening this issue! 👋 trust-manager uses go-pkcs12 to encode PKCS#12 truststores, and we have discussed making the encoding configurable already. Do you think any of the provided encoders can support your FIPS requirement? The relevant code is here: trust-manager/pkg/bundle/internal/truststore/types.go Lines 92 to 108 in 6fb237b
|
We support multiple PKCS12 encodings in cert-manager, we could also introduce it in trust-manager: https://github.com/cert-manager/cert-manager/blob/e1a1ea959aa23ed72d9d7614b34d58ef420ad1d2/pkg/apis/certmanager/v1/types_certificate.go#L521 |
I agree with @inteon and @erikgb - I think the Modern encoder might do the trick here, but I don't have an environment to be able ot test. @jstaf - are you able to share some details of how you set up your Java env for this? Or a link to docs or something? At the moment, it would be tricky for us to test a fix for this. |
trust-manager's .p12 certificates cannot be loaded on systems that enforce FIPS. Example CA bundle:
And on a FIPS-enabled system, Java cannot load the ca-bundle.p12 certificate:
trust-manager should have an option to change the PKCS12 algorithm (not sure if I'm using the right words here to describe things) to a certificate format compatible with FIPS.
The text was updated successfully, but these errors were encountered: