I’d suggest taking a look at using Dogtag[1] as well. Actually, that’s what the Other Guys also suggest[2].
1: http://pki.fedoraproject.org/wiki/PKI_Main_Page
2: https://wiki.openstack.org/wiki/PKI

> On Apr 14, 2017, at 7:57 AM, Simon Weller <swel...@ena.com> wrote:
>
> Daan,
>
> What about integrating something like Vault (https://github.com/hashicorp/vault)?
>
> - Si
>
> ________________________________
> From: Daan Hoogland <daan.hoogl...@shapeblue.com>
> Sent: Friday, April 14, 2017 5:46 AM
> To: dev@cloudstack.apache.org
> Subject: [DISCUSS][PROPOSAL] CA authority plugin definition
>
> Devs,
>
> Following a discussion with a client they came up with the idea to create a
> pluggable CA-framework. A plugin would serve components in cloudstack that so
> require (management servers, agents, load balancers, SVMs, etc.) with
> certificates, answering certificate requests and validating certificates on
> request.
>
> A default plugin can be written that serves according to its own self-signed
> root certificate and has its own revocation list to be managed by the admin.
> Other plugins could forward requests by mail or web to external parties.
>
> A CA-plugin will have to
>
> - Setup: for the default this means creating its certificate, for
>   others it might mean installing an intermediate certificate or configuring a mail
>   or website address.
>
> - Accept and answer certificate requests
>
>   o For client certificates
>
>   o For server certificates
>
> - Accept revocation requests
>
> - Validate a connection request according to origin and certificate
>   and <extra data>. What extra data is, is defined by the plugin and can be
>   credentials or field-definitions referring to the x509 entries or for instance
>   port numbers allowed… this is basically free to the implementer.
>
> A next step will have to be integrating the request calls with installs on
> targets, but I think as is this feature merits itself as it could be used with
> out-of-band configuration management tools as well.
>
> Any thoughts, remarks and critiques are welcome,
>
> daan.hoogl...@shapeblue.com
> www.shapeblue.com
> Shapeblue - The CloudStack Company
> Background Cloudstack relies on a fixed download site when it fetches the
> built-in guest VM templates. That download site has historically
>
> 53 Chandos Place, Covent Garden, London WC2N 4HS, UK
> @shapeblue
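The plugin duties listed in Daan's quoted proposal (setup with a self-signed root, answering client and server certificate requests, revocation, and validating a presented certificate), sketched as an added Go example using only the standard library; this is not CloudStack code and DefaultCA and its methods are hypothetical names. It assumes Ed25519 keys for brevity, an in-memory map standing in for the admin-managed revocation list, and leaves out the plugin-defined <extra data> checks (origin, allowed ports).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// DefaultCA is a hypothetical sketch of the proposal's default plugin: a self-signed root plus an in-memory revocation list.
type DefaultCA struct {
	key     ed25519.PrivateKey
	cert    *x509.Certificate
	revoked map[string]bool // serial numbers the admin has revoked
	serial  int64
}
// Setup is the proposal's setup step: a fresh root key and a self-signed root certificate.
func Setup() (*DefaultCA, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cloudstack-default-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, root, root, pub, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &DefaultCA{key: key, cert: cert, revoked: map[string]bool{}, serial: 1}, err
}
// Issue answers a CSR with a DER server (ExtKeyUsageServerAuth) or client (ExtKeyUsageClientAuth) certificate; the CSR signature check proves the requester holds the key.
func (ca *DefaultCA) Issue(csrDER []byte, usage x509.ExtKeyUsage) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	ca.serial++
	leaf := &x509.Certificate{SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}
	return x509.CreateCertificate(rand.Reader, leaf, ca.cert, csr.PublicKey, ca.key)
}
// Revoke puts a certificate's serial on the revocation list (the admin-managed list of the proposal).
func (ca *DefaultCA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }
// Validate rejects revoked certificates, certificates not chaining to this root, and the wrong usage for the connection side.
func (ca *DefaultCA) Validate(c *x509.Certificate, usage x509.ExtKeyUsage) error {
	if ca.revoked[c.SerialNumber.String()] { return errors.New("certificate revoked") }
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

A server certificate issued this way is rejected by Validate when presented as a client certificate, and a certificate on the revocation list is rejected before chain building starts.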