Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2022/10/24 15:26:00 UTC

[jira] [Updated] (HDDS-7393) Root CA certificate revocation

     [ https://issues.apache.org/jira/browse/HDDS-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

István Fajth updated HDDS-7393:
-------------------------------
        Parent:     (was: HDDS-7334)
    Issue Type: Improvement  (was: Sub-task)

> Root CA certificate revocation
> ------------------------------
>
>                 Key: HDDS-7393
>                 URL: https://issues.apache.org/jira/browse/HDDS-7393
>             Project: Apache Ozone
>          Issue Type: Improvement
>            Reporter: István Fajth
>            Assignee: István Fajth
>            Priority: Major
>
> Revoking the root CA certificate effectively means the system has to re-create all certificates used internally, and with that it is a tedious process.
> Prerequisite for this task is to have all the certificate rotation logic implemented, but in case of revocation we need to do the process in an expedited way within just a few hours tops without causing impacts to the service.
> The procedure should involve a few things:
> - at start a new root CA certificate has to be created, and similarly to when the root CA certificate is being rotated, new subordinate CA certificates have to be created and rotated in
> - as the next step all certificates in the system have to be revoked, and renewed during the default grace period within which the certificates are renewed after revocation
> - once all the certificates are renewed, the old subordinate CA certificates and the root CA certificate have to be revoked as well
> - once the services notice the revocation of the old root CA certificate, the old root CA certificate has to be removed from the trust stores of active and to-be-created connections
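As an added illustration of the ordering the four steps above impose (this is not Ozone's own code): a toy Python model that stands in for X.509 with named certificate records, replays the steps on a constructed three-service cluster (the names scm, om and dn1 are assumed) and checks after each step that every service's leaf certificate still validates against every peer's trust store. The `remove_old_root_early` flag shows why the old root has to stay trusted until all leaves are renewed under the new chain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str  # None marks a self-signed root CA

@dataclass
class Service:
    leaf: Cert
    trust: set  # names of the root CA certs in this service's trust store

def chain_ok(leaf, certs, trust, revoked):
    """Follow issuer links; valid only if nothing on the path is revoked and the root is trusted."""
    cur = leaf
    while cur is not None:
        if cur.name in revoked:
            return False
        if cur.issuer is None:
            return cur.name in trust
        cur = certs.get(cur.issuer)
    return False  # dangling issuer reference

def cluster_healthy(services, certs, revoked):
    """Mutual TLS: every service's leaf must validate against every peer's trust store."""
    return all(chain_ok(s.leaf, certs, p.trust, revoked) for s in services for p in services)

def run_procedure(remove_old_root_early=False):
    """Replay the issue's steps on a constructed cluster; returns (step, healthy?) pairs."""
    certs = {"root-1": Cert("root-1", None), "sub-1": Cert("sub-1", "root-1")}
    services = [Service(Cert(f"{n}-leaf", "sub-1"), {"root-1"}) for n in ("scm", "om", "dn1")]
    certs.update({s.leaf.name: s.leaf for s in services})
    revoked, log = set(), []
    # Step 1: new root and subordinate CA rotated in; the old root must stay trusted for now.
    certs.update({"root-2": Cert("root-2", None), "sub-2": Cert("sub-2", "root-2")})
    for s in services:  # wrong order: dropping root-1 here orphans every not-yet-renewed leaf
        s.trust = {"root-2"} if remove_old_root_early else s.trust | {"root-2"}
    log.append(("new CA chain rotated in", cluster_healthy(services, certs, revoked)))
    # Step 2: every leaf is revoked and renewed under the new subordinate CA within the grace period.
    for s in services:
        revoked.add(s.leaf.name)
        s.leaf = Cert(s.leaf.name + "-renewed", "sub-2")
        certs[s.leaf.name] = s.leaf
    log.append(("leaf certificates renewed", cluster_healthy(services, certs, revoked)))
    # Step 3: old subordinate CA and old root revoked; Step 4: old root dropped from trust stores.
    revoked.update({"sub-1", "root-1"})
    log.append(("old CA certificates revoked", cluster_healthy(services, certs, revoked)))
    for s in services:
        s.trust.discard("root-1")
    log.append(("old root removed from trust stores", cluster_healthy(services, certs, revoked)))
    return log
```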



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
