
TLS PC + service generated #436

Open
sabixx opened this issue Mar 13, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@sabixx
Contributor

sabixx commented Mar 13, 2024

BUSINESS PROBLEM
End users are not informed about the policies set in TLS PC. Currently, they must verify that all CSRs, both local and service, adhere to the specified policy. This issue is not limited to a one-time setup occurrence. Whenever there is a change in policy, it is necessary to update all endpoints to meet the new policy requirements.

PROPOSED SOLUTION
Whether a Certificate Signing Request (CSR) is designated as local or service, vcert should pull the policy and generate the CSR accordingly, eliminating the need for local definition. This approach would provide centralized policy control and simplify the process for end users, particularly when policies change.

CURRENT ALTERNATIVES
Modifying the requests, which can mean touching lots of endpoints to match the (new) policy.

VENAFI EXPERIENCE
Fell in love with Venafi in 2016.

@sabixx sabixx added the enhancement New feature or request label Mar 13, 2024
@luispresuelVenafi
Contributor

Could you elaborate more? Is this for using VCert CLI along with local configuration file? Could you provide an example of what you are expecting?

@sabixx
Contributor Author

sabixx commented Apr 9, 2024

When using a playbook file with the following settings in a playbook:

request:
  csr: service
  subject:
    commonName: '{{ Hostname | ToLower -}}.{{- Env "USERDNSDOMAIN" | ToLower }}'
    country: US
    locality: Salt Lake City
    state: Utah
    organization: Venafi Inc
    orgUnits:
      - engineering
      - marketing

TLS PC will reject this request if it's not compliant with the policy (e.g. OU does not match), even if it's set to service generated. The behavior of TPP is more admin- and user-friendly, as TPP will enforce the policy. It enables enforcing and making changes to a policy without breaking all existing playbooks.
It should be possible to make changes on the Issuing Template in TLS PC and enforce new settings without breaking existing playbooks.

@BeardedPrincess
Collaborator

@sabixx

I think the challenge here is how to handle the fact that a Certificate Issuance Template on TLSPC can be very different from TPP. There is no concept of "locked", and you can also supply multiple criteria that are OR'd together. These can also be regex. Take this use case for example: what would vCert set the Organization to if the user did not provide it?

[attached screenshot: 2024-04-09_07-53-08]
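As an added example (not vcert's code and not part of this issue), here is the kind of pre-flight check the thread points toward: a playbook subject is validated against a simplified model of a TLS PC issuing template whose criteria are OR'd together and may be regexes, and a missing field is filled in only when the template leaves exactly one literal value, which is the ambiguity raised above for Organization. The FieldRule type, the field names and the constructed template values are assumptions for this example.

```go
package main

import "regexp"

// FieldRule models one subject field of a TLS PC issuing template as described
// above: allowed values OR'd together, each possibly a regexp (not vcert's types).
type FieldRule struct {
	Name    string
	Allowed []string
}

// Check reports whether a supplied value satisfies any allowed pattern (anchored).
func (r FieldRule) Check(v string) bool {
	for _, pat := range r.Allowed {
		if re, err := regexp.Compile("^(?:" + pat + ")$"); err == nil && re.MatchString(v) {
			return true
		}
	}
	return false
}

// Default returns the only value the policy admits, if it is a single plain
// literal; any other template is ambiguous and vcert cannot choose for the user.
func (r FieldRule) Default() (string, bool) {
	if len(r.Allowed) == 1 && regexp.QuoteMeta(r.Allowed[0]) == r.Allowed[0] {
		return r.Allowed[0], true
	}
	return "", false
}

// Preflight checks a playbook subject against the template before the CSR is
// sent: it fills a missing field only from an unambiguous literal and lists
// every field TLS PC would reject, so a policy change is caught locally.
func Preflight(rules []FieldRule, subject map[string]string) (map[string]string, []string) {
	filled, rejected := map[string]string{}, []string{}
	for _, r := range rules {
		v, present := subject[r.Name]
		switch {
		case !present:
			if d, ok := r.Default(); ok {
				filled[r.Name] = d
			} else {
				rejected = append(rejected, r.Name+": missing and policy has no single literal value")
			}
		case !r.Check(v):
			rejected = append(rejected, r.Name+": "+v+" not allowed by policy")
		}
	}
	return filled, rejected
}
```

With the issue's playbook values, an OU of "engineering" against a template that only allows "it" or "sec.*" is reported as rejected, while an Organization constrained to the single literal "Venafi Inc" can be filled in safely.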
