feature: Support server/client CSR-signing workflow
Bug #1864495 reported by Dmitrii Shcherbakov
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vault-charm | Triaged | Wishlist | Unassigned |
Bug Description
Currently certs and keys are generated at the vault-charm side and sent over relation data.
There is no way to support a workflow where each unit that uses vault passes a CSR over a relation and gets a certificate back so that the key is never sent over relation data.
Although sending keys over relation data is secure between units, if a unit gets compromised, it will be able to read keys of other units.
charm-vault uses an API call to generate both a key and cert:
https:/
while it could just sign CSRs:
https:/
Changed in vault-charm:
status: New → Triaged
importance: Undecided → Wishlist
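
The workflow requested in the description, as an added example that is not part of the original report or the charm's code: a throwaway openssl CA stands in for Vault's CSR signing (an assumption), and the unit names, paths and function names are hypothetical. Each unit keeps its key locally, and only the CSR and the signed certificate pass through the simulated relation directory.

```shell
#!/usr/bin/env bash
# Added example: a local throwaway CA stands in for the signer (assumption, not Vault).
set -eu
work=$(mktemp -d)   # constructed scratch directory; all names below are hypothetical

# Signer side: throwaway CA for the demonstration.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
}

# Requesting unit: the key is generated and stays here; only the CSR is published.
unit_make_csr() {   # $1 = unit name
  mkdir -p "$work/$1" "$work/relation"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$work/$1/unit.key" -out "$work/relation/$1.csr" 2>/dev/null
  chmod 600 "$work/$1/unit.key"
}

# Signer side: check the CSR self-signature (proof of key possession), then sign it.
ca_sign_csr() {     # $1 = unit name
  openssl req -in "$work/relation/$1.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  openssl x509 -req -in "$work/relation/$1.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/relation/$1.crt" 2>/dev/null
}

# What any unit reading the relation data can see: number of files holding key material.
relation_private_keys() {
  { grep -l "PRIVATE KEY" "$work"/relation/* 2>/dev/null || true; } | wc -l | tr -d ' '
}

# Requesting unit: accept the cert only if it chains to the CA and binds the local key.
unit_accepts_cert() {  # $1 = unit name
  openssl verify -CAfile "$work/ca.crt" "$work/relation/$1.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$work/relation/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$work/$1/unit.key" -pubout)" ]
}

make_ca
unit_make_csr unit-0
ca_sign_csr unit-0
unit_accepts_cert unit-0 && echo "unit-0 certificate accepted"
echo "private keys visible in relation data: $(relation_private_keys)"
```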