From: Martin B. <vc...@cy...> - 2010-03-22 16:34:07
Hi Scott,

> Just so I understand it correctly, the configuration (token.xml and config.xml) must be updated manually each time a new certificate is created, thus preparing for the next rollover. This implies that the "Fully Automatic CA Rollover" isn't actually fully automatic, but that OpenXPKI's choice of which certificate to use is fully automatic.

Currently, yes. But it's automatic in a sense that YOU decide when you change the configuration: you pick your maintenance window, restart the PKI and it first continues to use the same issuing CA certificate. But during that maintenance window you have prepared the CA to roll over to the next certificate when it's due according to The Grand PKI schedule.

Your Grand PKI Schedule often is not related to your system maintenance windows, and administrators hate it if they have to implement a change request on 2011-01-01 00:00 just because some PKI staff member decided that the beginning of the year would be a cool time to roll over CA certificates.

Not so with conventional CAs. If you wish to stick closely to the PKI schedule, you need to plan a maintenance window for the PKI system on the exact date you are planning the rollover to happen.

I think our approach is better (though not ideal, I agree).

> I may be wrong, but from a usability standpoint, it would be kind of sexy if something like this could be managed right in the UI. I picture a list of the known Issuing CA certificates, perhaps with expired ones filtered out. Then, there would be an option/button for creating or adding a new certificate without having to edit the XML files directly. It would help to have these data items stored in the datapool rather than in XML, though.
>
> I know that putting such important changes into a GUI won't make auditors happy, but if a strict MVC design is followed, a CLI could also provide access to this feature. I think the OpenXPKI project would benefit from both: sexiness for those that aren't as paranoid and CLI for those that are. Alas, nothing can be checked into GIT better than an XML file, which is probably what makes an auditor happiest.

Nice idea, and this would certainly be sexy.

When we originally designed OpenXPKI we deliberately decided against including GUI management of CA infrastructure keys and certificates. The reasons were

- these operations are rarely needed (initial setup, then once every few years)
- whenever you wish to modify your CA configuration you normally want to do this in a controlled way, i. e. typically via the command line.
- implementing the GUI for these features is (currently) complicated and we decided the effort was not worth the benefit of easier CA configuration.

I understand that this makes it harder for new users to get OpenXPKI running in the first place...

Once we have integrated the data pool feature (*) properly we can implement a "reference datapool value by key mechanism" to be accessible in the configuration. This would allow the administrator to offload some of the configuration from the XML file to the database. The administrator could also control which parts of the configuration should be fixed in written XML and which parts should be configurable through database manipulation.

Once this feature is implemented, I think we could think about adding a method of manipulating the data pool entries via the web frontend, at least for some reserved entries related to the CA rollover feature. We could then easily provide a web frontend for manipulating these entries by the administrator.

But before this we badly need another feature: Automatically extract parts from the actually used issuing CA subject name to be included as a variable in the configuration (e. g. via a regex match). This would eliminate the need to update the configuration for CDPs when a rollover happens. Currently the CDP contains hardcoded URIs - once the CA changes they are no longer up-to-date.

(*) I will explain the data pool feature on the list soon, but some documentation is already available at http://wiki.openxpki.org/index.php/Development/Data_Pools

Cheers

Martin

--
Cynops GmbH
Dipl.-Ing. Martin Bartosch
http://www.cynops.de
Kirchgasse 10c
61449 Steinbach/Ts.
mobile: +49 (0)172 6614304
mail: in...@cy...
fon: +49 (0)6171 6981803
fax: +49 (0)6171 6981809
Geschäftsführer: Martin Bartosch
USt-IdNr: DE 213094986
HRB 7833 Amtsgericht Bad Homburg v. d. Höhe
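The regex-based extraction Martin asks for at the end of the mail, shown as an added illustration that is neither part of this thread nor OpenXPKI code: the issuing CA's subject DN (as a string) is searched for its CN, and a CDP URI is rendered from one fixed template, so that rolling over to the next issuing CA changes the published CRL pointer without anyone editing the configuration. The `{issuer_cn}` template syntax, the host `crl.example.com` and the three sample DNs are assumptions constructed for the demo. Two details a practitioner would want: escaped commas inside the CN are handled rather than truncating the name, and the render refuses (raises) when the DN carries no CN at all, so a rollover to an unexpectedly named CA fails loudly instead of silently publishing a wrong CRL location.

```python
import re

# Constructed sample issuer DNs for three generations of an issuing CA
# (not real certificates; gen3 has an RFC 4514 escaped comma in its CN).
ISSUER_DNS = {
    "gen1": "CN=Example Issuing CA 1,OU=PKI,O=Example Corp,C=DE",
    "gen2": "CN=Example Issuing CA 2,OU=PKI,O=Example Corp,C=DE",
    "gen3": r"CN=Example\, Inc Issuing CA 3,OU=PKI,O=Example Corp,C=DE",
}

# Hypothetical single configuration line that replaces one hard-coded
# URI per CA; {issuer_cn} is filled from the certificate actually in use.
CDP_TEMPLATE = "http://crl.example.com/{issuer_cn}.crl"

# A CN RDN at the start of the string or after a separating comma; the
# value may contain backslash-escaped characters, which must not end it.
_CN_RDN = re.compile(r"(?:^|,)\s*CN=((?:\\.|[^,\\])+)")


def extract_issuer_cn(issuer_dn: str) -> str:
    """Return the unescaped CN of a string-form DN; raise if none is present."""
    m = _CN_RDN.search(issuer_dn)
    if m is None:
        # Fail closed: never render a CDP for a CA whose name we cannot read.
        raise ValueError(f"no CN attribute in issuer DN {issuer_dn!r}")
    # Drop the escaping backslashes: "Example\, Inc" -> "Example, Inc".
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def cn_to_path_segment(cn: str) -> str:
    """Reduce a CN to a conservative URI path segment (no spaces or delimiters)."""
    segment = re.sub(r"[^A-Za-z0-9._-]+", "-", cn).strip("-")
    if not segment:
        raise ValueError(f"CN {cn!r} yields an empty path segment")
    return segment


def cdp_uri_for(issuer_dn: str, template: str = CDP_TEMPLATE) -> str:
    """Render the CDP URI for whichever issuing CA is currently in use."""
    segment = cn_to_path_segment(extract_issuer_cn(issuer_dn))
    return template.format(issuer_cn=segment)


def rollover_uris(issuer_dns: dict) -> dict:
    """CDP URI per CA generation, derived purely from each certificate's DN."""
    return {gen: cdp_uri_for(dn) for gen, dn in issuer_dns.items()}


if __name__ == "__main__":
    for gen, uri in rollover_uris(ISSUER_DNS).items():
        print(f"{gen}: {uri}")
```

In a real deployment the DN string would come from the parsed issuing CA certificate rather than a literal, and the template would live in the configuration the mail discusses; the point of the demo is that the only per-CA input is the certificate itself, so the CRL pointer follows the rollover automatically.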