feature: Support server/client CSR-signing workflow
Bug #1864495 reported by
Dmitrii Shcherbakov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| vault-charm |
Triaged
|
Wishlist
|
Unassigned | ||
Bug Description
Currently certs and keys are generated at the vault-charm side and sent over relation data.
There is no way to support a workflow where each unit that uses vault passes a CSR over a relation and gets a certificate back so that the key is never sent over relation data.
Although sending keys over relation data is secure between units, if a unit gets compromised, it will be able to read keys of other units.
charm-vault uses an API call to generate both a key and cert:
https:/
while it could just sign CSRs:
https:/
| Changed in vault-charm: | |
| status: | New → Triaged |
| importance: | Undecided → Wishlist |
To post a comment you must log in.
