Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2022/10/24 11:46:00 UTC

[jira] [Created] (HDDS-7393) Root CA certificate revocation

István Fajth created HDDS-7393:
----------------------------------

             Summary: Root CA certificate revocation
                 Key: HDDS-7393
                 URL: https://issues.apache.org/jira/browse/HDDS-7393
             Project: Apache Ozone
          Issue Type: Sub-task
            Reporter: István Fajth
            Assignee: István Fajth


Revoking the root CA certificate effectively means the system has to re-create all certificates used internally, and with that it is a tedious process.

A prerequisite for this task is to have all the certificate rotation logic implemented, but in case of revocation we need to do the process in an expedited way, within just a few hours tops, without causing impacts to the service.

The procedure should involve a few things:
- at start a new root CA certificate has to be created, and similarly as when the root CA certificate is being rotated, new subordinate CA certificates have to be created and rotated in
- as the next step all certificates in the system have to be revoked, and renewed during the default grace period within which the certificates are renewed after revocation
- once all the certificates are renewed, the old subordinate CA certificates and the rootCA certificate have to be revoked as well
- once the services notice the revocation of the old rootCA certificate, the old rootCA certificate has to be removed from the trust stores of active and to be created connections



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
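
The ordering in the procedure above can be checked with a small model. This is an added example, not code from the issue or from Apache Ozone. The step names, service names and the two-root model are assumptions: subordinate CAs are folded into their root, and a revoked leaf certificate is assumed to stay usable until it is renewed within the grace period.

```python
from itertools import combinations

OLD, NEW = "old-root", "new-root"   # constructed labels for the two root CAs

class Service:
    def __init__(self, name):
        self.name = name
        self.leaf_root = OLD     # root CA that this service's certificate chains to
        self.trust = {OLD}       # root CAs in this service's trust store

def can_connect(a, b, revoked):
    """Mutual TLS works only if each side trusts the peer's root and it is not revoked."""
    return all(peer.leaf_root in me.trust and peer.leaf_root not in revoked
               for me, peer in ((a, b), (b, a)))

def all_connected(services, revoked):
    return all(can_connect(a, b, revoked) for a, b in combinations(services, 2))

def run(order):
    """Apply steps one service at a time; return the step that first breaks a connection, or None."""
    services = [Service(n) for n in ("scm", "om", "dn1", "dn2")]  # constructed names
    revoked = set()
    for step in order:
        # Revocation is a single global event; the other steps roll out service by service.
        for s in ([None] if step == "revoke_old_root" else services):
            if step == "add_new_root":
                s.trust.add(NEW)
            elif step == "renew_leaves":
                s.leaf_root = NEW
            elif step == "drop_old_root":
                s.trust.discard(OLD)
            elif step == "revoke_old_root":
                revoked.add(OLD)
            else:
                raise ValueError(step)
            # Check after every single change, so half-finished rollouts are covered too.
            if not all_connected(services, revoked):
                return step
    return None

# The order given in the issue: new root in, renew everything, revoke old, drop old.
PAGE_ORDER = ["add_new_root", "renew_leaves", "revoke_old_root", "drop_old_root"]

if __name__ == "__main__":
    print("page order:", run(PAGE_ORDER))
    print("revoke before renewal:",
          run(["add_new_root", "revoke_old_root", "renew_leaves", "drop_old_root"]))
    print("renew before trust rollout:",
          run(["renew_leaves", "add_new_root", "revoke_old_root", "drop_old_root"]))
```

In this model only the order listed in the issue keeps every pair of services connected after each individual change; any reordering fails at the step that was moved forward.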