This repository was archived by the owner on Apr 6, 2026. It is now read-only.

Certs - Add intermediate CA, CA rotation and CRL #17

Merged
dborovcanin merged 13 commits into absmach:main from nyagamunene:certs-5 on Sep 25, 2024
Conversation

@nyagamunene

Contributor

What type of PR is this?

This is a feature because it adds the following functionality: it adds intermediate CA, CA rotation and CRL.

What does this do?

It adds intermediate CA, CA rotation and CRL for improvement of the PKI.

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Yes

Did you document any new/modified features?

No

Notes

@nyagamunene nyagamunene self-assigned this Sep 16, 2024
@nyagamunene nyagamunene marked this pull request as ready for review September 17, 2024 08:48
Comment thread service.go
// The certificate is then stored in the repository using the CreateCert method.
// If the root CA is not found, it returns an error.
func (s *service) IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string) (string, error) {
func (s *service) IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, options SubjectOptions) (string, error) {
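Review bot: the doc comment above this signature is now out of date. It still says only that the certificate is stored with CreateCert and that a missing root CA is an error, while the new `options SubjectOptions` parameter is not described at all, and the discussion below settles on signing with the intermediate CA rather than the root. Suggest extending the comment to say what the caller controls through `options` and which CA signs the issued certificate, so the comment and the behaviour agreed in review match.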

Contributor

When issuing a certificate, ideally the user would pass a CSR and this would be with the CA to create the certificate. Also, in which cases do you use the root CA and in which do you use the intermediate? Ideally, intermediate CAs would be used to distinguish organizations/workspaces.

Contributor Author

I can add the CSR feature for the user when issuing certs. I can search for how it needs to be implemented.

Contributor Author

From how I understood it, the root CA is generally not used to sign the users' certificates directly. So intermediate certs, signed with the root CA, are normally used to issue client certificates.

Contributor

Let's keep intermediate cert instead of root CA. @SammyOina Please re-review with this in mind, and @nyagamunene you can send another PR for CSR.

Comment thread service.go
Comment on lines +541 to +594
newRootCA, err := s.generateRootCA(ctx)
if err != nil {
return err
}
s.rootCA = newRootCA
newIntermediateCA, err := s.createIntermediateCA(ctx, newRootCA)
if err != nil {
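Review bot: `s.rootCA = newRootCA` is assigned before `createIntermediateCA` has succeeded, so if the intermediate step fails the service is left holding the new root together with the previous intermediate, and certificates issued from that point no longer chain to the root the service reports. Suggest keeping both `newRootCA` and `newIntermediateCA` in locals and assigning them to `s` together only after both calls have returned without error. Separately, anything issued under the previous root stops verifying as soon as only the new root is trusted, so the rotation routine needs a plan for keeping the old chain available to verifiers until those certificates expire or are reissued.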

Contributor

How long does it take the intermediate CA to expire compared to the root CA?

Contributor Author

As implemented right now, they take the same time.

Contributor

Root should be longer lasting than intermediate.

Contributor Author

Okay then let me implement that.
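The hierarchy the two review threads above arrive at (the root signs only the intermediate, the intermediate issues the client certificates, and the root outlives the intermediate), together with CRL issuance by the intermediate and a check of what happens to an already-issued certificate when the root is rotated, as an added Go example that is not part of this PR or of the absmach code base. The `PKI` type and the functions `BuildChain`, `VerifyLeaf`, `IssueCRL` and `IsRevoked` are this example's own names; it uses only the standard library's `crypto/x509` (Go 1.21 or later, for `RevocationListEntry` and `slices`), and the lifetimes it picks are illustrative, not a recommendation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

type PKI struct { // one root -> intermediate -> leaf hierarchy; type and field names are this example's own
	RootCert, IntCert, LeafCert *x509.Certificate
	RootKey, IntKey, LeafKey    ed25519.PrivateKey
}

// BuildChain issues a 10-year root, a 1-year intermediate signed by it, and a 30-day client cert (illustrative lifetimes).
func BuildChain(now time.Time) (*PKI, error) {
	p := &PKI{}
	var err error
	for _, k := range []*ed25519.PrivateKey{&p.RootKey, &p.IntKey, &p.LeafKey} {
		if _, *k, err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, err
		}
	}
	// issue signs tmpl with the parent's key and parses the result; once err is set it does nothing more.
	issue := func(tmpl, parent *x509.Certificate, pub any, key ed25519.PrivateKey) (c *x509.Certificate) {
		if err != nil {
			return nil
		}
		var der []byte
		if der, err = x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key); err == nil {
			c, err = x509.ParseCertificate(der)
		}
		return c
	}
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	p.RootCert = issue(root, root, p.RootKey.Public(), p.RootKey) // self-signed
	inter := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero: true, // pathlen:0 - this CA may sign end-entity certificates only
	}
	p.IntCert = issue(inter, p.RootCert, p.IntKey.Public(), p.RootKey)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "client-0001"}, NotBefore: now, NotAfter: now.AddDate(0, 0, 30),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	p.LeafCert = issue(leaf, p.IntCert, p.LeafKey.Public(), p.IntKey)
	if err != nil {
		return nil, err
	}
	return p, nil
}

// VerifyLeaf checks that leaf chains to root through inter and is valid for client auth at time t.
func VerifyLeaf(leaf, root, inter *x509.Certificate, t time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IssueCRL signs a CRL with the intermediate, the issuer of the client certs, listing serial as revoked.
func IssueCRL(p *PKI, now time.Time, serial *big.Int) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: serial, RevocationTime: now}},
	}, p.IntCert, p.IntKey)
}

// IsRevoked checks the CRL signature against issuer before trusting its contents, then looks up serial.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(serial) == 0
	}), nil
}

func main() {
	p, err := BuildChain(time.Now())
	if err == nil {
		err = VerifyLeaf(p.LeafCert, p.RootCert, p.IntCert, time.Now())
	}
	fmt.Println("chain built and client certificate verified, err =", err)
}
```

Two properties of this layout are worth checking explicitly when writing rotation code: a client certificate issued under one hierarchy does not verify against a freshly generated root even though the subject names are identical (`VerifyLeaf` with the old leaf and old intermediate but the new root fails), and a CRL is only meaningful after its signature has been checked against the issuing intermediate, which is why `IsRevoked` refuses to consult the list before `CheckSignatureFrom` succeeds.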

@nyagamunene nyagamunene force-pushed the certs-5 branch 2 times, most recently from 8b93d43 to 2364a43 Compare September 23, 2024 09:53
Comment thread postgres/init.go Outdated
revoked BOOLEAN,
expiry_time TIMESTAMP,
entity_id VARCHAR(36),
type INT,
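Review bot: `revoked BOOLEAN` carries no `NOT NULL` or `DEFAULT`, so the column can hold NULL, and a CRL query that filters on `revoked = TRUE` (or `= FALSE`) silently skips rows whose value was never set. Suggest `revoked BOOLEAN NOT NULL DEFAULT FALSE` so every row has a definite revocation state. The same applies to `type INT`: besides the enumeration the reviewer asks for, a `NOT NULL` constraint keeps certificate type from being ambiguous.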

Contributor

Can you enumerate type?

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
@dborovcanin dborovcanin merged commit 0f074e3 into absmach:main Sep 25, 2024

Linked issue: Feature: Add support for intermediate CAs, CA rotation and CRL (Certificate Revocation List) generation