nuts-foundation / nuts-discovery

Discovery service by the Nuts foundation for bootstrapping the network
GNU General Public License v3.0

Separate Registration Authority (RA) from Certificate Authority (CA) #24

Open stevenvegt opened 4 years ago

stevenvegt commented 4 years ago

Separate Request Authority/discovery service from the actual Certificate Authority. Make the CA unavailable from the public internet, keeping roles apart and the private key private.

reinkrul commented 4 years ago

In terms of PKI the current service is both Registration Authority (accepting and validating CSRs) and Certificate Authority (signing certificates). To keep the private key of the CA safe, access (on both network and application level) should be limited to people who are authorised to operate the CA. Otherwise (if the CA is directly accessible from the internet) the CA would pose a very interesting target for attackers who're interested in the CA's private key.

Furthermore: separating the CA role from the discovery service keeps the option open to outsource the issuance of certificates to another tool or certificate vendor.

stevenvegt commented 4 years ago

Can this be achieved by using Vault as backend?

reinkrul commented 4 years ago

Yes, then Vault would act as CA and the discovery service as RA 👍
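
The split agreed on in this thread, as an added Go example (not code from nuts-discovery or from the commenters): the RA checks the CSR and only builds the call to Vault's PKI `sign` endpoint, so it holds a Vault token but never the CA private key. The `pki` mount path, the role name `nuts-node`, the Vault address and the token value are assumptions, and `SampleCSR` generates a constructed CSR for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"net/http"
)

// SignRequest is the RA step: validate the CSR, then build (not send) the Vault sign call.
func SignRequest(vault, role, token string, csrPEM []byte) (*http.Request, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	if k, ok := csr.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		return nil, errors.New("RSA key below 2048 bits rejected by RA policy")
	}
	body, _ := json.Marshal(map[string]string{"csr": string(csrPEM), "common_name": csr.Subject.CommonName})
	req, err := http.NewRequest(http.MethodPost, vault+"/v1/pki/sign/"+role, bytes.NewReader(body))
	if err == nil {
		req.Header.Set("X-Vault-Token", token) // token scoped to this sign path only (assumed policy)
	}
	return req, err
}

func SampleCSR(cn string) []byte { // constructed Ed25519 CSR, for the demo and test only
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	if req, err := SignRequest("https://vault.internal.example:8200", "nuts-node", "placeholder-token", SampleCSR("node.example")); err == nil {
		println(req.Method, req.URL.String())
	}
}
```

With this layout only the discovery service (RA) is reachable from the internet, and Vault needs to accept connections from the RA alone.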