diff options
author | Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> | 2021-06-29 16:15:49 +0200 |
---|---|---|
committer | Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> | 2021-09-06 10:42:00 +0200 |
commit | 31dceea4851d67ec706185f9d6f5bd0bf427b2c3 (patch) | |
tree | c66e3b75b83cb4ef6f5aff7d81bbcb0c02f0145b /kubernetes/contrib/components/ejbca | |
parent | f94a5f639cb670fbc4d3902f80d3b5b6714b1ec6 (diff) |
[CONTRIB] Introduce certificate update use case in CertService
1. Make changes in order to allow performing KUR/CR in EJBCA:
- Add Certificate Update Admin role
- Enable EndEntityAuthentication module
- Create and set CA with constant UID
- Add configuration for provider.
2. Update CertService, which provides with new certificate update
endpoint.
3. Update release-notes.
Issue-ID: OOM-2753
Issue-ID: OOM-2754
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I9cb0cb4d6d6939ad229a4ea254f2bc35d45a3d52
Signed-off-by: Joanna Jeremicz <joanna.jeremicz@nokia.com>
Diffstat (limited to 'kubernetes/contrib/components/ejbca')
3 files changed, 28 insertions, 1 deletions
diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml index 31db08aa3a..8762d969f9 100644 --- a/kubernetes/contrib/components/ejbca/requirements.yaml +++ b/kubernetes/contrib/components/ejbca/requirements.yaml @@ -26,3 +26,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh index ad10240b94..2c672e2f07 100755 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh @@ -8,16 +8,31 @@ waitForEjbcaToStart() { } configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true @@ -27,6 +42,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" } diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml index 46f7d3521c..fc163ee2e2 100644 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml @@ -61,6 +61,8 @@ spec: env: - name: INITIAL_ADMIN value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" + - name: NO_CREATE_CA + value: "true" - name: DATABASE_JDBC_URL value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - name: DATABASE_USER |