On Thu, 23 Apr 2015 22:01:06 +0300
Ali Khalidi <ali.elkhalidi@xxxxxxxxx> wrote:

> Hi everyone,
>
> An instance of DogTag 10.1.2 is currently available at
> 209.132.184.223.

Cool. Thanks for setting this up!

> The instance is running a CA for fedoraproject.org
>
> a miniHowTO is here:
> https://doteast.fedorapeople.org/projects/dogtag/dogtag-miniHOWTO.txt

Looks pretty simple to install actually. Much better than I was
fearing.

> We're in the process of fleshing-out a list of testing
> scenarios/requirements on how to integrate this within
> fedora-infrastructure (fedora-cert, etc.) and explore if it's going to
> benefit us.
>
> So, if you think this will touch your work/system, benefit it, we
> would very much like to hear your thoughts.

So, here are our current use cases for ssl certs:

Primary:

Koji build system

fedora-cert is the command line tool to validate and get a new cert.
Anytime a cert is issued to a user, all previous certs for that user
are revoked. Certs are good for 6 months.

Additionally we have to issue certs to all the koji builders (as that's
how they also authenticate to the hub).

I'm hazy on if the koji hub needs just to validate certs are signed by
the right ca, or if it needs anything more. Perhaps Dennis can chime in
here.

So, the questions here:

can we interface dogtag to fedora-cert?
Can we set certs to expire after 6 months?
Can we make dogtag only allow one valid cert at a time for a user?
Can we issue certs to arbitrary names like
buildvm-01.phx2.fedoraproject.org?

Secondary use cases:

Currently we have 2 things that use their own CA/Cert setup, fedmsg and
openvpn.

Does dogtag let you do multiple CAs? I'm not sure we would want these
to be under the main fedora one, but perhaps that's ok.

I'm not sure if there's really that much advantage to moving these from
the current system, but still pondering on the idea.

kevin
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure