-
Notifications
You must be signed in to change notification settings - Fork 139
Lightweight CA
Dogtag supports operation as a sub-CA, but only as a separate instance. This document proposes ''lightweight sub-CAs'', where one or more sub-CAs can reside alongside the primary CA in a single instance. other subsystems including the parent CA.
This feature is aimed for inclusion in Dogtag 10.3, to be included in Fedora 21.
-
host CA: The existing signing capability of the CA subsystem and associated key(s), certificates and data. Put another way, this is the "highest-level" CA in a Dogtag instance, which may or may not be a root CA.
-
lightweight CA: A signing capability and associated key(s), certificates and data, which is hosted in the CA subsystem alongside the host CA.
-
sub-CA: A lightweight CA that is certified by the host CA or by another sub-CA.
-
authority ID: A UUID identifying a CA. All lightweight CAs and the host CA have an authority ID. In records that may include an authority ID, the absense of an authority ID typically implies the host CA.
-
subsystem: A Dogtag instance subsystem, i.e. that which is created by
pkispawn(8)
. When referring to subsystems within a CMS instance, the term ''CMS subsystem'' is used.
Dogtag 10.0 introduced ability to host multiple subsystems within a single instance by hosting the subsystems' HTTP interfaces at different paths. How this change was carried out might inform and influence the sub-CA change.
See Top-level Tree.
A design proposal to avoid proliferation of replication agreements, justified by FreeIPA use cases (including lightweight sub-CAs). The proposed change is to enhance pkispawn
to create subsystem databases as subtrees under a top-level tree, such that a single replication agreement can replicate all subsystems.
Ticket for adding support for multiple OCSP signing certificates. Each sub-CA will need its own OCSP signing certificate.
Linux (Fedora, RHEL, Debian).
The ''features'' facility shall be used to enable or disable the ''creation'' of lightweight CAs. The relevant configuration in CS.cfg
shall be:
features.authority.description=Lightweight CAs features.authority.enabled=true features.authority.version=1.0
Instances shall default to enabling the creation of lightweight CAs.
The pkispawn(8)
configuration format should be updated to provide a way to control this configuration when deploying an instance.
There are no special provisions for cloning. Lightweight CA signing keys shall be replicated via the KeyReplicator
mechanism described previously.
Several web templates have been updated and these updates will need to be deployed on existing instances by pki-server-upgrade(8)
.
-
Secure key/secret replication service.
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |