Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2022/10/24 15:26:00 UTC
[jira] [Updated] (HDDS-7393) Root CA certificate revocation
[ https://issues.apache.org/jira/browse/HDDS-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
István Fajth updated HDDS-7393:
-------------------------------
Parent: (was: HDDS-7334)
Issue Type: Improvement (was: Sub-task)
> Root CA certificate revocation
> ------------------------------
>
> Key: HDDS-7393
> URL: https://issues.apache.org/jira/browse/HDDS-7393
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: István Fajth
> Assignee: István Fajth
> Priority: Major
>
> Revoking the root CA certificate effectively means the system has to re-create all certificates used internally, and with that it is a tedious process.
> A prerequisite for this task is to have all the certificate rotation logic implemented, but in case of revocation we need to do the process in an expedited way, within just a few hours tops, without causing impact to the service.
> The procedure should involve a few things:
> - at the start a new root CA certificate has to be created, and similarly to when the root CA certificate is rotated, new subordinate CA certificates have to be created and rotated in
> - as the next step all certificates in the system have to be revoked, and renewed during the default grace period within which the certificates are renewed after revocation
> - once all the certificates are renewed, the old subordinate CA certificates and the rootCA certificate have to be revoked as well
> - once the services notice the revocation of the old rootCA certificate, the old rootCA certificate has to be removed from the trust stores of active and to-be-created connections
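The trust-store transition behind the last two steps, as an added example that is not part of the ticket or of Ozone's own certificate code: a constructed toy PKI with an old and a new root/subordinate CA hierarchy, checking a leaf against a trust store that holds both roots during the renewal window and then only the new root. Since Go's verifier does no CRL lookup, the old root's revocation is modelled by dropping it from the trust store; the names `old-root`, `old-sub`, `new-root`, `new-sub` and `datanode` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a CA or leaf cert for cn under parent (self-signed when parent is nil); toy PKI, not Ozone's code.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // a root signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chains reports whether leaf validates through sub to any root currently in the trust store.
func chains(leaf, sub *x509.Certificate, roots ...*x509.Certificate) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rp.AddCert(r)
	}
	ip.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
// Rotation plays the ticket's transition: (oldLeaf, newLeaf) while both roots are trusted,
// then (oldLeaf, newLeaf) after the revoked old root is removed from the trust store.
func Rotation() (bool, bool, bool, bool) {
	oldRoot, oldRootKey := issue("old-root", true, nil, nil)
	oldSub, oldSubKey := issue("old-sub", true, oldRoot, oldRootKey)
	oldLeaf, _ := issue("datanode", false, oldSub, oldSubKey)
	newRoot, newRootKey := issue("new-root", true, nil, nil)
	newSub, newSubKey := issue("new-sub", true, newRoot, newRootKey)
	newLeaf, _ := issue("datanode", false, newSub, newSubKey)
	return chains(oldLeaf, oldSub, oldRoot, newRoot), chains(newLeaf, newSub, oldRoot, newRoot),
		chains(oldLeaf, oldSub, newRoot), chains(newLeaf, newSub, newRoot)
}
```

The middle result pair shows why the old root must stay trusted until every leaf has been renewed: a connection still presenting an old-hierarchy certificate fails as soon as the old root is gone.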
--
This message was sent by Atlassian Jira
(v8.20.10#820010)