A Public Key Infrastructure (PKI) is an effective mechanism for flexible and robust authentication and authorization at scale.
Digital certificate signing capabilities in Conjur allow security, operations, and development teams to leverage PKI in their software systems, using the existing Conjur infrastructure for policy and devops practices.
The Conjur Demo suite for PKI should showcase the use of Digital Certificates and Conjur Certificate Signing for the following use cases:
- Issuing Server SSL Certificate for HTTPS
- SSH Client Authentication using signed SSH Certificates
- SSH Host Authentication using signed SSH Host Certificates
- Client Authentication to a service (e.g. Postgres) using signed client certificates
The demo suite should be expanded beyond mutual TLS. This issue captures the work for defining exactly what use cases should be covered, and what product enhancements they might require.
Tasks
Required for Demo:
- [ ] Parent of #923 - Conjur Certificate Authorities support signing SSH RSA public keys in PEM format.
- [ ] Parent of #943 - Conjur Certificate Authorities support signing child certificate authorities (cA=true)
- [ ] Conjur Certificate Authorities support configurable certificate extensions
  - Examples: SANs, Key Usage, etc.
  - Many of these will also require annotations on the CA and/or the requestor role to control this behavior (for example, a host should be explicitly permitted to request certificates with particular SANs).
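The three required items above (configurable extensions, per-requestor SAN permissions, and child CAs with cA=true) can be seen together in one small signer. The following is an added example written for this issue, not Conjur's own CA code: it uses the `cryptography` package, and the `ALLOWED_SANS` table is a constructed stand-in for the policy annotations the issue says would govern which SANs a role may request. The CA sets every extension itself rather than copying them from the CSR, and a child CA is issued with cA=true and pathlen 0 so it can sign leaves but not further CAs.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# Constructed sample of per-role permissions: which DNS SANs a requestor may ask for.
# In Conjur this would be expressed as annotations on the CA and/or the requestor role.
ALLOWED_SANS = {
    "host/web-01": {"web-01.example.internal", "www.example.internal"},
    "host/db-01": {"db-01.example.internal"},
}
ONE_DAY = datetime.timedelta(days=1)


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def key_usage(cert_sign):
    """keyUsage for a CA (keyCertSign/cRLSign) or for a leaf (digitalSignature/keyEncipherment)."""
    return x509.KeyUsage(
        digital_signature=True, key_encipherment=not cert_sign,
        key_cert_sign=cert_sign, crl_sign=cert_sign,
        content_commitment=False, data_encipherment=False, key_agreement=False,
        encipher_only=False, decipher_only=False)


def make_root_ca(name="Demo Root CA"):
    key = new_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(key_usage(True), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_csr(key, common_name, sans=()):
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return builder.sign(key, hashes.SHA256())


def sign_csr(ca_key, ca_cert, csr, requestor, ttl_days=30, child_ca=False):
    """Issue a certificate for `csr` on behalf of `requestor`.

    The CA decides every extension itself; nothing is copied blindly from the CSR.
    Requested SANs are checked against the requestor's permissions, and a child CA
    gets cA=true with pathlen 0 so it may sign leaves but not further CAs.
    """
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        requested = set(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        requested = set()
    disallowed = requested - ALLOWED_SANS.get(requestor, set())
    if disallowed:
        raise PermissionError(f"{requestor} may not request SANs {sorted(disallowed)}")

    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(csr.subject).issuer_name(ca_cert.subject)
               .public_key(csr.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - ONE_DAY).not_valid_after(now + ttl_days * ONE_DAY)
               .add_extension(x509.BasicConstraints(ca=child_ca, path_length=0 if child_ca else None),
                              critical=True)
               .add_extension(key_usage(child_ca), critical=True))
    if not child_ca:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if requested:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in sorted(requested)]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def verify_issued_by(cert, issuer):
    """True if `issuer` is marked as a CA and its key verifies `cert`'s signature."""
    issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    return issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def basic_constraints(cert):
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return bc.ca, bc.path_length


def dns_sans(cert):
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.DNSName)


def demo():
    """Root -> child CA (cA=true) -> leaf with a permitted SAN; a disallowed SAN is refused."""
    root_key, root_cert = make_root_ca()
    sub_key = new_key()
    sub_cert = sign_csr(root_key, root_cert, make_csr(sub_key, "Demo Issuing CA"),
                        requestor="host/pki-intermediate", child_ca=True)
    leaf = sign_csr(sub_key, sub_cert,
                    make_csr(new_key(), "web-01", ["web-01.example.internal"]),
                    requestor="host/web-01")
    try:  # db-01 asking for a web SAN must be refused by the annotation check
        sign_csr(sub_key, sub_cert, make_csr(new_key(), "db-01", ["www.example.internal"]),
                 requestor="host/db-01")
        refused = False
    except PermissionError:
        refused = True
    return {"root": root_cert, "sub": sub_cert, "leaf": leaf, "refused": refused}
```

Run `demo()` to build the chain; the interesting design point is that the CA never copies extensions from the CSR, so a requestor can only influence the SAN list within what its role is permitted, and a child CA cannot mint grandchildren because of pathlen 0.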
Nice to haves:
- [ ] Conjur CAs generate their own private keys automatically
- [ ] Conjur Certificate Authorities have an endpoint to retrieve the CA X.509 certificate in PEM format.
- [ ] Conjur Certificate Authorities have an endpoint to retrieve the CA public key in OpenSSH format.
- [ ] Conjur Certificate Authorities support signing SSH RSA public keys in OpenSSH format.
- [ ] Conjur Certificate Authorities support signing SSH ECDSA public keys in OpenSSH format
- [ ] Explore (possible) connection to existing public_keys api endpoint
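The required item "sign SSH RSA public keys in PEM format" (#923) and the nice-to-have "sign SSH RSA public keys in OpenSSH format" differ only in how the same (e, n) pair is encoded. The following is an added example, not Conjur's code and not the format the Conjur API uses: a stdlib-only parser for the OpenSSH `ssh-rsa AAAA...` line (SSH wire-format strings and mpints) and a writer for the PKCS#1 `RSA PUBLIC KEY` PEM, so a CA that accepts both formats can normalise either to the same key. The key material in `demo()` is a constructed textbook-sized toy (e=17, n=3233), not a real key.

```python
import base64
import struct


def _read_string(buf, pos):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) at `pos`."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos:pos + length], pos + length


def _write_string(data):
    return struct.pack(">I", len(data)) + data


def _int_to_mpint(value):
    """Positive big-endian integer with a leading 0x00 when the high bit is set.
    The same rule yields a valid DER INTEGER body, so it serves both encoders."""
    if value < 0:
        raise ValueError("negative values are not valid here")
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def parse_openssh_rsa(line):
    """Parse 'ssh-rsa <base64 blob> [comment]' into (e, n, comment)."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, pos = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match 'ssh-rsa'")
    e_raw, pos = _read_string(blob, pos)
    n_raw, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after key blob")
    e = int.from_bytes(e_raw, "big", signed=True)
    n = int.from_bytes(n_raw, "big", signed=True)
    if e <= 0 or n <= 0:
        raise ValueError("exponent and modulus must be positive")
    return e, n, " ".join(parts[2:])


def to_openssh_rsa(e, n, comment=""):
    """Encode (e, n) as an OpenSSH public key line."""
    blob = _write_string(b"ssh-rsa") + _write_string(_int_to_mpint(e)) + _write_string(_int_to_mpint(n))
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    body = _int_to_mpint(value)
    return b"\x02" + _der_len(len(body)) + body


def to_pkcs1_pem(e, n):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }, PEM-wrapped."""
    inner = _der_int(n) + _der_int(e)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END RSA PUBLIC KEY-----\n"


def openssh_to_pkcs1_pem(line):
    """Normalise an OpenSSH-format key line to the PEM form a PEM-only signer expects."""
    e, n, _comment = parse_openssh_rsa(line)
    return to_pkcs1_pem(e, n)


def demo():
    # Constructed toy key, far too small to be real; only the encoding matters here.
    line = to_openssh_rsa(17, 3233, "demo@example")
    return line, parse_openssh_rsa(line), openssh_to_pkcs1_pem(line)
```

The parser refuses truncated blobs, trailing bytes and a mismatched inner key type, which is the kind of strictness a signing endpoint wants before it puts a caller-supplied blob into a certificate.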
Other considerations:
- [ ] #842 - PKI Service Generates Valid Certificates
- [x] Unify code path with K8s authenticator
- [x] Change ca/certificate-chain annotation to just be ca/certificate
Aha Epic