Automated Certificate Renewal
Registered by Ade Lee
Daemons like certmonger can be used to track the status of a certificate and request its renewal when it is close to expiring. In this case, though, there is no keystone token to authorize the request.
One way we could do this is by providing an endpoint protected by client certificate authentication. The client (certmonger, for instance) would present the certificate to be renewed as its credential in a TLS session with client certificate authentication. This would establish possession of the private key.
Barbican would terminate the connection and would initiate a renewal request if the cert mapped to a Barbican-issued cert (presumably through the fingerprint).
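A sketch of the fingerprint mapping described above, as an added example that is not Barbican code. The record layout, the `order_ref` field, the 30-day renewal window and the rejection of expired or revoked certificates are assumptions, and the sample "certificates" are constructed byte strings standing in for DER.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption (not in the blueprint): renew only this close to expiry.
RENEWAL_WINDOW = timedelta(days=30)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der).hexdigest()

def decide_renewal(peer_cert_der, issued, now):
    """Map the TLS client certificate to an issued cert and pick an action.

    peer_cert_der: DER bytes of the certificate the TLS layer already
    verified, e.g. ssl.SSLSocket.getpeercert(binary_form=True) on a context
    with verify_mode = ssl.CERT_REQUIRED. The handshake, not this function,
    proves possession of the private key.
    issued: hypothetical store, fingerprint -> record of an issued cert.
    """
    if not peer_cert_der:
        return ("reject", None)            # no client certificate presented
    record = issued.get(fingerprint(peer_cert_der))
    if record is None or record["revoked"]:
        return ("reject", None)            # not issued here, or revoked
    if record["not_after"] <= now:
        return ("reject", None)            # assumption: expired certs cannot renew
    if record["not_after"] - now > RENEWAL_WINDOW:
        return ("not_due", record["order_ref"])
    return ("renew", record["order_ref"])

# Constructed sample data: byte strings stand in for real DER certificates.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
CERT_A, CERT_B, CERT_C = b"constructed-der-a", b"constructed-der-b", b"constructed-der-c"
ISSUED = {
    fingerprint(CERT_A): {"order_ref": "order-a", "revoked": False,
                          "not_after": NOW + timedelta(days=10)},
    fingerprint(CERT_B): {"order_ref": "order-b", "revoked": False,
                          "not_after": NOW + timedelta(days=200)},
    fingerprint(CERT_C): {"order_ref": "order-c", "revoked": True,
                          "not_after": NOW + timedelta(days=5)},
}

if __name__ == "__main__":
    for name, der in [("a", CERT_A), ("b", CERT_B), ("c", CERT_C), ("x", b"unknown")]:
        print(name, decide_renewal(der, ISSUED, NOW))
```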
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: Ade Lee
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None