On Thu, 23 Apr 2015 22:01:06 +0300
Ali Khalidi <ali.elkhalidi(a)gmail.com> wrote:
> Hi everyone,
> An instance of DogTag 10.1.2 is currently available at
> 209.132.184.223.
Cool. Thanks for setting this up!
Looks pretty simple to install actually. Much better than I was
fearing.
> We're in the process of fleshing out a list of testing
> scenarios/requirements on how to integrate this within
> fedora-infrastructure (fedora-cert, etc.) and explore if it's going to
> benefit us.
> So, if you think this will touch your work/system, benefit it, we
> would very much like to hear your thoughts.
So, here are our current use cases for SSL certs:
Primary: Koji build system
fedora-cert is the command line tool to validate and get a new cert.
Anytime a cert is issued to a user, all previous certs for that user
are revoked.
Certs are good for 6 months.
Additionally we have to issue certs to all the koji builders (as
that's how they also authenticate to the hub).
I'm hazy on whether the koji hub needs just to validate that certs are signed
by the right CA, or if it needs anything more. Perhaps Dennis can
chime in here.
So, the questions here: can we interface dogtag to fedora-cert?
Can we set certs to expire after 6 months? Can we make dogtag only
allow one valid cert at a time for a user? Can we issue certs to
arbitrary names like buildvm-01.phx2.fedoraproject.org?
Secondary use cases:
Currently we have 2 things that use their own CA/Cert setup, fedmsg and
openvpn.
Does dogtag let you do multiple CAs? I'm not sure we would want these
to be under the main fedora one, but perhaps that's ok. I'm not sure if
there's really that much advantage to moving these from the current
system, but still pondering on the idea.
kevin