Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2022/10/14 21:33:00 UTC

[jira] [Created] (HDDS-7334) Rotation and revocation for CA certificates

István Fajth created HDDS-7334:
----------------------------------

             Summary: Rotation and revocation for CA certificates
                 Key: HDDS-7334
                 URL: https://issues.apache.org/jira/browse/HDDS-7334
             Project: Apache Ozone
          Issue Type: Improvement
          Components: Security
            Reporter: István Fajth
            Assignee: István Fajth


Once we have support for certificate revocation and renewal, we also need to support revocation and renewal of CA certificates at any level.
In order to achieve this, we need to:
- implement rotation logic for subordinate CA certificates
- implement rotation of the root CA certificate (tricky, as there will be periods of time during which more than one root CA is valid)
- implement revocation logic for CA certificates; this requires revoking all certificates that inherit trust from this CA
- implement root CA revocation, which effectively means a possibly live rebootstrap of the whole PKI, and the update of all the truststores used within Ozone services



