[Freeipa-devel] [DESIGN] Sub-CAs; authenticating to Custodia
Fraser Tweedale
ftweedal at redhat.com
Thu Apr 7 06:43:29 UTC 2016
Hi team,
I updated the Sub-CAs design page with more detail for the key
replication[1]. This part of the design is nearly complete (a large
patchset is in review over at pki-devel@) but there are various
options about how to authenticate to Custodia.
[1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
In brief, the options are:
1) authenticate as host principal; install binary setuid
root:pkiuser to read host keytab and custodia keys.
2) authenticate as host principal; copy host keytab and custodia
keys to location readable by pkiuser.
3) create new principal for pkiuser to use, along with custodia keys
and keytab in location readable by pkiuser.
I prefer option (1) for reasons outlined in the design page. The
design page goes into quite a bit more detail so please review the
section linked above and get back to me with your thoughts.
Cheers,
Fraser