Hi everyone,
An instance of DogTag 10.1.2 is currently available at 209.132.184.223.
The instance is running a CA for fedoraproject.org
A miniHowTO is here: https://doteast.fedorapeople.org/projects/dogtag/dogtag-miniHOWTO.txt
We're in the process of fleshing out a list of testing scenarios/requirements on how to integrate this within fedora-infrastructure (fedora-cert, etc.) and exploring whether it's going to benefit us.
So, if you think this will touch your work/system or benefit it, we would very much like to hear your thoughts.
dotEast2015,
On Thu, 23 Apr 2015 22:01:06 +0300 Ali Khalidi ali.elkhalidi@gmail.com wrote:
> Hi everyone,
> An instance of DogTag 10.1.2 is currently available at 209.132.184.223.
Cool. Thanks for setting this up!
> The instance is running a CA for fedoraproject.org
> A miniHowTO is here: https://doteast.fedorapeople.org/projects/dogtag/dogtag-miniHOWTO.txt
Looks pretty simple to install actually. Much better than I was fearing.
> We're in the process of fleshing out a list of testing scenarios/requirements on how to integrate this within fedora-infrastructure (fedora-cert, etc.) and exploring whether it's going to benefit us.
> So, if you think this will touch your work/system or benefit it, we would very much like to hear your thoughts.
So, here are our current use cases for SSL certs:
Primary: Koji build system
fedora-cert is the command line tool to validate and get a new cert.
Anytime a cert is issued to a user, all previous certs for that user are revoked.
Certs are good for 6 months.
Additionally, we have to issue certs to all the koji builders (as that's how they also authenticate to the hub).
I'm hazy on if the koji hub needs just to validate certs are signed by the right ca, or if it needs anything more. Perhaps Dennis can chime in here.
So, the questions here: can we interface dogtag to fedora-cert? Can we set certs to expire after 6 months? Can we make dogtag only allow one valid cert at a time for a user? Can we issue certs to arbitrary names like buildvm-01.phx2.fedoraproject.org?
Secondary use cases:
Currently we have 2 things that use their own CA/Cert setup, fedmsg and openvpn.
Does dogtag let you do multiple CAs? I'm not sure we would want these to be under the main fedora one, but perhaps that's ok. I'm not sure if there's really that much advantage to moving these from the current system, but still pondering on the idea.
kevin
On Fri, Apr 24, 2015 at 7:09 PM, Kevin Fenzi kevin@scrye.com wrote:
> On Thu, 23 Apr 2015 22:01:06 +0300 Ali Khalidi ali.elkhalidi@gmail.com wrote:
>> Hi everyone,
>> An instance of DogTag 10.1.2 is currently available at 209.132.184.223.
> Cool. Thanks for setting this up!
>> The instance is running a CA for fedoraproject.org
>> A miniHowTO is here: https://doteast.fedorapeople.org/projects/dogtag/dogtag-miniHOWTO.txt
> Looks pretty simple to install actually. Much better than I was fearing.
>> We're in the process of fleshing out a list of testing scenarios/requirements on how to integrate this within fedora-infrastructure (fedora-cert, etc.) and exploring whether it's going to benefit us.
>> So, if you think this will touch your work/system or benefit it, we would very much like to hear your thoughts.
> So, here are our current use cases for SSL certs:
> Primary: Koji build system
> fedora-cert is the command line tool to validate and get a new cert.
> Anytime a cert is issued to a user, all previous certs for that user are revoked.
> Certs are good for 6 months.
> Additionally, we have to issue certs to all the koji builders (as that's how they also authenticate to the hub).
> I'm hazy on if the koji hub needs just to validate certs are signed by the right ca, or if it needs anything more. Perhaps Dennis can chime in here.
> So, the questions here:
I'll answer these questions from the perspective of having two distinct systems, then go into measures for integrating the two systems.
> - can we interface dogtag to fedora-cert?
Looking at the FAS code (both client and server), it looks like fedora-cert primarily depends on the FAS server to manage the cycle of issuing, validating, and revoking user certificates. This brings the advantage of isolating and abstracting account management (authentication and authorization) and services (cert issuance) from the client, and consolidating it where the user database resides.
First, the account database:
FAS uses PostgreSQL, while dogtag "depends" on 389-ds: dogtag uses the directory to store accounts and uses it for authorization.
Now, given that we're using FAS as the interface system to the users, the task of certificate management becomes a FAS/dogtag interaction. Additionally, since we're using FAS for authentication and authorization, this minimizes the authentication and authorization requirement to that of a single account that represents FAS, enabling it to perform its cert management operations.
dogtag has three levels of privileges when it comes to our requirements (there are others, but I'm simplifying matters): Admin, Agent, and User. The one of interest, and the one I chose in my testing, was Agent. With this privilege, FAS can authenticate to dogtag and submit cert enrollment, revoke, renew, and validate (which does not need authorization actually) requests on behalf of users, and they get auto-approved.
So, to summarize, I suppose that interfacing involves modifying FAS rather than fedora-cert. And looking at the FAS code, it seems very doable using the interfaces provided by dogtag to do so: CLI tools, the REST API, and Python stubs. Even for cert validation using OCSP, which voids the use of CRLs altogether.
> - Can we set certs to expire after 6 months?
In short, yes; this comes out of the box for user certificates. Moreover, one can tailor the certificate as he pleases (the validity period for this aspect, as well as others) using certificate profiles and their constraints.
> - Can we make dogtag only allow one valid cert at a time for a user?
Yup. FAS uses an openssl index file to track certificates. dogtag will be used as a service to search for the user certificate and revoke/renew accordingly.
> - Can we issue certs to arbitrary names like buildvm-1.phx2.fedoraproject.org?
If by arbitrary you mean SANs (SubjectAltName extensions), then yes; they are also available by default for user certificates, and I don't see why they cannot be added to a server-issued certificate.
> Secondary use cases:
> Currently we have 2 things that use their own CA/Cert setup, fedmsg and openvpn.
> Does dogtag let you do multiple CAs? I'm not sure we would want these to be under the main fedora one, but perhaps that's ok. I'm not sure if there's really that much advantage to moving these from the current system, but still pondering on the idea.
Well, the way I understand CAs is that they are hierarchical in nature. They establish a "lineage", so to speak. So, if your question is about running multiple CAs in the same instance, then I guess no. But you can have a root CA and a subordinate CA in two separate instances (JVMs) and they will be linked in a chain.
dotEast2015 ;)
> kevin
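The FAS-side policy Ali sketches above (FAS as the single Agent-privileged client that revokes a user's older certs when a new one is issued, with 6-month validity) as an added Python example; it is not part of the thread or of FAS/dogtag, the record layout, DN form and `revoke` callback are assumptions, and the dogtag REST calls themselves are left out.

```python
# Added example, not from the thread: FAS-side logic for Kevin's Koji requirements.
# SAMPLE is constructed and `revoke` is a stand-in for the dogtag call (runs offline).
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Sequence

SIX_MONTHS = timedelta(days=183)  # upper bound for "certs are good for 6 months"

def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple "UID=kevin,OU=Fedora Users,..." DN into an attribute map
    (escaped commas are not handled; FAS-issued subjects are assumed not to use them)."""
    out = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        out[attr.upper()] = value
    return out

def within_validity_limit(not_before: str, not_after: str,
                          limit: timedelta = SIX_MONTHS) -> bool:
    """True when an ISO-dated lifetime is positive and no longer than the limit
    (what a validity constraint in the cert profile enforces on the CA side)."""
    lifetime = datetime.fromisoformat(not_after) - datetime.fromisoformat(not_before)
    return timedelta(0) < lifetime <= limit

def certs_to_revoke(records: Sequence[dict], uid: str, keep_serial: int) -> List[int]:
    """Serials of every other VALID certificate whose subject UID matches `uid`."""
    return sorted(r["serial"] for r in records
                  if r["status"] == "VALID"
                  and parse_dn(r["subject"]).get("UID") == uid
                  and r["serial"] != keep_serial)

def enforce_single_cert(records: Sequence[dict], uid: str, new_serial: int,
                        revoke: Callable[[int], None]) -> List[int]:
    """One-valid-cert-per-user rule: once `new_serial` is issued, revoke the rest
    through `revoke` (in FAS this would be the dogtag call); returns their serials."""
    stale = certs_to_revoke(records, uid, new_serial)
    for serial in stale:
        revoke(serial)
    return stale

# Constructed sample search results; serials and names are made up.
DN = "CN=%s,UID=%s,OU=Fedora Users,O=Fedora Project"
SAMPLE = [
    {"serial": 11, "status": "VALID", "subject": DN % ("kevin", "kevin")},
    {"serial": 12, "status": "REVOKED", "subject": DN % ("kevin", "kevin")},
    {"serial": 13, "status": "VALID", "subject": DN % ("ali", "ali")},
    {"serial": 14, "status": "VALID", "subject": DN % ("kevin", "kevin")},  # just issued
]
if __name__ == "__main__":
    print(enforce_single_cert(SAMPLE, "kevin", 14, lambda s: None))  # [11]
```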
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure