[HDDS-7393] Root CA certificate revocation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Security
Labels:
- pki

Description

Revoking the root CA certificate effectively means the system has to re-create all certificates used internally, and with that it is a tedious process.

Prerequisite for this task is to have all the certificate rotation logic implemented, but in case of revocation we need to do the process in an expedited way within just a few hours tops without causing impacts to the service.

The procedure should involve a few things:

at start a new root CA certificate has to be created, and similarly as when the root CA certificate is being rotated, new subordinate CA certificates have to be created and rotated in
as the next step all certificates in the system has to be revoked, and renewed during the default grace period within which the certificates are renewed after revocation
once all the certificates are renewed, the old subordinate CA certificates and the rootCA certificate has to be revoked as well
once the services notice the revocation of the old rootCA certificate, the old rootCA certificate has to be removed from the trust stores of active and to be created connections

Attachments

Activity

People

Assignee:: István Fajth

Reporter:: István Fajth

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Oct/22 11:45

Updated:: 10/May/23 13:14