JinwooHwang commented on code in PR #7989: URL: https://github.com/apache/geode/pull/7989#discussion_r2926399592
########## geode-docs/security/ssl_internal_ca_mtls.html.md.erb: ########## @@ -0,0 +1,216 @@ +--- +title: Internal / Enterprise CA for mTLS +--- + +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +This page is part of the +[Public CA Client Authentication EKU Mitigation guide](public_ca_client_auth_eku_mitigations.html). +It describes how to use an internal or enterprise Certificate Authority (CA) to +issue client certificates so that <%=vars.product_name%> mutual TLS (mTLS) continues +to work after public CAs cease including the `clientAuth` EKU in publicly-issued +leaf certificates. + +## <a id="ica_summary" class="no-quick-link"></a>Summary + +Operate an internal or enterprise CA to issue client certificates (and optionally +server certificates) for <%=vars.product_name%> mTLS. This removes dependency on +public CA EKU policies, centralizes client identity issuance, and enables +fine-grained lifecycle control (rotation, short-lived certificates, automated +enrollment). + +**When to choose this option:** + +- You can operate or integrate with an internal PKI (self-managed CA, HashiCorp + Vault PKI, Smallstep, Active Directory Certificate Services, or similar). +- You want strong, certificate-based mutual authentication between clients and + servers with full lifecycle control. + +## <a id="ica_topology" class="no-quick-link"></a>Recommended CA Topology + +- **Offline root CA** — kept air-gapped or in cold storage; used only to sign Review Comment: Thank you. Removed 'in'. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
