Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

TLS PC + service generated #436

Open sabixx opened 6 months ago

sabixx commented 6 months ago

BUSINESS PROBLEM End users are not informed about the policies set in TLS PC. Currently, they must verify that all CSRs, both local and service, adhere to the specified policy. This issue is not limited to a one-time setup occurrence. Whenever there is a change in policy, it is necessary to update all endpoints to meet the new policy requirements.

PROPOSED SOLUTION Whether a Certificate Signing Request (CSR) is designated as local or service, vcert should pull the policy and generate the CSR accordingly, eliminating the need for local definition. This approach would provide centralized policy control and simplify the process for end users, particularly when policies change.

CURRENT ALTERNATIVES Modifying the requests, which can mean touching lots of endpoints to match the (new) policy.

VENAFI EXPERIENCE Fell in love with Venafi in 2016.

luispresuelVenafi commented 5 months ago

Could you elaborate more? Is this for using VCert CLI along with local configuration file? Could you provide an example of what you are expecting?

sabixx commented 5 months ago

When using a playbook file with the following settings:

request:
  csr: service
  subject:
    commonName: '{{ Hostname | ToLower -}}.{{- Env "USERDNSDOMAIN" | ToLower }}'
    country: US
    locality: Salt Lake City
    state: Utah
    organization: Venafi Inc
    orgUnits:
      - engineering
      - marketing

TLS PC will reject this request if it's not compliant with the policy (e.g. OU does not match), even if it's set to service-generated. The behavior of TPP is more admin- and user-friendly, as TPP will enforce the policy. It makes it possible to enforce and change a policy without breaking all existing playbooks. It should be possible to make changes on the Issuing Template in TLS PC and enforce new settings without breaking existing playbooks.

BeardedPrincess commented 5 months ago

@sabixx

I think the challenge here is how to handle the fact that a Certificate Issuance Template on TLSPC can be very different from TPP. There is no concept of "locked", and you can also supply multiple criteria that are OR'd together. These can also be regex. Take this use case for example: what would vCert set the Organization to if the user did not provide it?

[screenshot: 2024-04-09_07-53-08]
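To make the problem in the last comment concrete, here is an added example (not vcert's own code, and not the real TLSPC policy model) of a client-side pre-flight check a playbook runner could do before submitting a service-generated CSR. It assumes a simplified policy in which each subject field has a list of allowed values that are OR'd together and may be regular expressions. A requested value is validated against the policy so the request fails locally instead of at the service; an omitted value is filled in from the policy only when the policy names exactly one literal value, because with several alternatives or a pattern there is no unambiguous default to pick. The policy values and the request are constructed for the example; the request mirrors the playbook subject quoted earlier in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrNoDefault: the policy allows several values or a pattern, so the
// client cannot invent a value on the user's behalf.
var ErrNoDefault = errors.New("policy allows several values or a pattern; no default can be derived")

// ErrViolation: the user supplied a value the policy does not permit.
var ErrViolation = errors.New("value not permitted by policy")

// isLiteral reports whether an allowed value contains no regex
// metacharacters, i.e. it names exactly one concrete value.
func isLiteral(s string) bool {
	return !strings.ContainsAny(s, `.*+?^$()[]{}|\`)
}

// matchesAny reports whether value satisfies at least one allowed entry.
// Regex entries are anchored so that "Venafi.*" cannot match "Not Venafi".
func matchesAny(allowed []string, value string) bool {
	for _, a := range allowed {
		if isLiteral(a) {
			if a == value {
				return true
			}
			continue
		}
		re, err := regexp.Compile("^(?:" + a + ")$")
		if err == nil && re.MatchString(value) {
			return true
		}
	}
	return false
}

// ResolveField returns the value to put into the CSR for one subject field.
// An empty allowed list means the field is unconstrained by policy.
func ResolveField(allowed []string, requested string) (string, error) {
	if len(allowed) == 0 {
		return requested, nil
	}
	if requested != "" {
		if matchesAny(allowed, requested) {
			return requested, nil
		}
		return "", fmt.Errorf("%w: %q", ErrViolation, requested)
	}
	// Only a single literal value is an unambiguous default.
	if len(allowed) == 1 && isLiteral(allowed[0]) {
		return allowed[0], nil
	}
	return "", ErrNoDefault
}

// ResolveSubject resolves every field named by either the policy or the
// request, and reports each field that cannot be resolved.
func ResolveSubject(policy map[string][]string, request map[string]string) (map[string]string, map[string]error) {
	resolved := map[string]string{}
	problems := map[string]error{}
	fields := map[string]bool{}
	for f := range policy {
		fields[f] = true
	}
	for f := range request {
		fields[f] = true
	}
	for f := range fields {
		v, err := ResolveField(policy[f], request[f])
		if err != nil {
			problems[f] = err
			continue
		}
		if v != "" {
			resolved[f] = v
		}
	}
	return resolved, problems
}

func main() {
	// Constructed policy: Organization fixed to one literal, OU allows two
	// alternatives OR'd together, Locality is a regex, Country unconstrained.
	policy := map[string][]string{
		"organization": {"Venafi Inc"},
		"orgUnit":      {"engineering", "marketing"},
		"locality":     {"Salt Lake .*"},
	}
	// Constructed request: Organization omitted (should be filled in),
	// OU out of policy (should be rejected before submission).
	request := map[string]string{
		"orgUnit":  "sales",
		"locality": "Salt Lake City",
		"country":  "US",
	}
	resolved, problems := ResolveSubject(policy, request)
	fmt.Println("resolved:", resolved)
	for f, err := range problems {
		fmt.Printf("cannot issue: %s: %v\n", f, err)
	}
}
```

The useful property for the thread's question is the third branch of `ResolveField`: when the template lists `engineering` OR `marketing`, or a regex, the runner refuses to guess and surfaces `ErrNoDefault` to the user, which is the only safe behaviour when the policy is not "locked" to one value.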