Allow importing an existing delegated child CA from another CA instance or even CA implementation so that a (parent) CA can migrate to a new CA instance in Krill without interrupting the child.
For this to work, we should:
- [x] import a delegated CA
  - [x] accept the same ID cert
  - [x] learn the last issued cert(s) (public key in particular)
  - [x] set resources for the imported CA (should not change)
  - [x] override resource class name to use for delegated CA (should not change for child)
- [x] proactively reissue all certificates
  - [x] keep public key
  - [x] keep SIA entries
- [x] let the delegated CA import the parent ID
  - [x] update parent response (already supported in Krill)
- [x] let the delegated CA request a new certificate
  - [x] already done in Krill child
  - [x] use overridden resource class name for child (if applicable)
- [x] automate testing
- [x] support in API for one-off / later
- [x] support export child (to support testing, and allow other migrations in future)