intel / trusted-certificate-issuer

Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
Apache License 2.0

Extend the self-signed issuer to configure key type and certificate details #6

Open avalluri opened 2 years ago

avalluri commented 2 years ago

Current implementation chooses the RSA key and its own certificate parameters for a self-signed issuer. Admin should be able to choose CA private key type and size, and the certificate parameters like subject, duration, DNS names etc.

Extend the Issuer spec to accommodate key and certificate parameters and consider them while provisioning the self-signed issuer.

Sample self-signed issuer would look like:

apiVersion: tcs.intel.com/v1alpha1
kind: TCSIssuer
metadata:
    name: my-ca
    namespace: sandbox
spec:
    secretName: my-ca-cert
    selfSigned:
      privateKey:
        algorithm: RSA # or ECDSA
        size: 3072
      certificate:
        duration: 3650d
        renewBefore: 10d
        commonName: test-name
        dnsNames: [ "www.test-name.com" ]
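As an added illustration, not code from the trusted-certificate-issuer project, the Go below shows how a controller could turn the proposed `privateKey` and `certificate` fields into a self-signed CA: validate the requested key type and size, generate the key, and issue a CA certificate whose subject, SANs and lifetime come from the spec. The `PrivateKeySpec`, `CertificateSpec` and `SelfSignedSpec` types, the `ecCurves` table and all function names are hypothetical stand-ins for whatever the real CRD types would be. The real service would generate and keep the key inside an SGX enclave; this in-process version does not model that.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical Go mirror of the spec fields proposed in the issue (not the project's API types).
type PrivateKeySpec struct {
	Algorithm string // "RSA" or "ECDSA"
	Size      int    // RSA modulus bits, or ECDSA curve size: 256, 384 or 521
}
type CertificateSpec struct {
	Duration    time.Duration // lifetime, e.g. 3650d in the YAML
	RenewBefore time.Duration // renewal window before NotAfter, e.g. 10d
	CommonName  string
	DNSNames    []string
}
type SelfSignedSpec struct{ PrivateKey PrivateKeySpec; Certificate CertificateSpec }
var ecCurves = map[int]elliptic.Curve{256: elliptic.P256(), 384: elliptic.P384(), 521: elliptic.P521()}

// ValidateSpec rejects weak RSA moduli, unknown curves, an empty subject and a renew window that is not shorter than the lifetime.
func ValidateSpec(s SelfSignedSpec) error {
	p := s.PrivateKey
	weakRSA := p.Algorithm == "RSA" && p.Size < 2048
	badEC := p.Algorithm == "ECDSA" && ecCurves[p.Size] == nil
	if weakRSA || badEC || (p.Algorithm != "RSA" && p.Algorithm != "ECDSA") {
		return fmt.Errorf("unsupported key %s-%d: RSA needs at least 2048 bits, ECDSA one of 256/384/521", p.Algorithm, p.Size)
	}
	c := s.Certificate
	if c.CommonName == "" || c.Duration <= 0 || c.RenewBefore < 0 || c.RenewBefore >= c.Duration {
		return fmt.Errorf("certificate spec needs a commonName and 0 <= renewBefore < duration")
	}
	return nil
}

// GenerateKey creates the CA key the spec asks for; in TCS this would happen inside the SGX enclave.
func GenerateKey(p PrivateKeySpec) (crypto.Signer, error) {
	if p.Algorithm == "RSA" {
		return rsa.GenerateKey(rand.Reader, p.Size)
	}
	return ecdsa.GenerateKey(ecCurves[p.Size], rand.Reader)
}

// ProvisionCA validates the spec, generates the key and issues the self-signed CA certificate with a random 128-bit serial.
func ProvisionCA(s SelfSignedSpec, now time.Time) (crypto.Signer, *x509.Certificate, error) {
	if err := ValidateSpec(s); err != nil {
		return nil, nil, err
	}
	key, err := GenerateKey(s.PrivateKey)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: s.Certificate.CommonName},
		DNSNames:              s.Certificate.DNSNames,
		NotBefore:             now,
		NotAfter:              now.Add(s.Certificate.Duration),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NeedsRenewal reports whether now has entered the renewBefore window of cert.
func NeedsRenewal(cert *x509.Certificate, renewBefore time.Duration, now time.Time) bool {
	return !now.Before(cert.NotAfter.Add(-renewBefore))
}

func main() {
	spec := SelfSignedSpec{PrivateKey: PrivateKeySpec{Algorithm: "ECDSA", Size: 384}, // constructed from the issue's sample
		Certificate: CertificateSpec{Duration: 3650 * 24 * time.Hour, RenewBefore: 10 * 24 * time.Hour, CommonName: "test-name", DNSNames: []string{"www.test-name.com"}}}
	_, cert, err := ProvisionCA(spec, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued CA %q (%s), valid until %s\n", cert.Subject.CommonName, cert.PublicKeyAlgorithm, cert.NotAfter.Format(time.RFC3339))
}
```

The validation step is the part worth keeping regardless of how the CRD ends up shaped: once the admin can pick the key, the controller becomes the only place that stops a 1024-bit RSA CA or a `renewBefore` longer than the certificate's own lifetime from reaching the enclave.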