Feature Request
Resolution: Unresolved
2.6
1. What is the nature and description of the request?
The application-gateway-proxy component in Ansible Automation Platform fails to load ECDSA certificates that use a curve stronger than P-256, because of the Envoy (Istio) version it ships with. When a corporate-required ECDSA P-384 certificate is configured, the proxy reports the following error on startup:
Failed to load certificate chain from /etc/ansible-automation-platform/gateway/gateway.crt, only P-256 ECDSA certificates are supported.
The cause is that the currently bundled Envoy version (1.28.x) supports only ECDSA P-256. Support for stronger curves such as P-384 and P-521 was introduced in Envoy 1.33.x.
The request is to enhance application-gateway-proxy to support ECDSA P-384 and P-521 certificates so that modern, secure TLS configurations mandated by corporate security policies can be used without errors.
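As an added example (not part of this request or of the product), a stdlib-only Python preflight check that reads the PEM at the gateway certificate path, reports the curve of the subject key, and says whether the bundled Envoy version will accept it. The version threshold is taken from the statement above (P-256 only before 1.33, P-384/P-521 from 1.33.x); the OID constants are the standard ones, and the sample PEM built by `make_sample_pem` is a constructed fragment, not a real certificate.

```python
import base64
import re

# DER-encoded OID bodies as they appear in the SubjectPublicKeyInfo AlgorithmIdentifier.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 (id-ecPublicKey)
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "P-256",  # prime256v1
    bytes.fromhex("2b81040022"): "P-384",        # secp384r1
    bytes.fromhex("2b81040023"): "P-521",        # secp521r1
}
ENVOY_P384_P521_SINCE = (1, 33)  # per the request: P-384/P-521 loading arrived in Envoy 1.33.x

def der_oid(body: bytes) -> bytes:
    """Wrap an OID body in its DER tag and short-form length."""
    return b"\x06" + bytes([len(body)]) + body

def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def ecdsa_curve(der: bytes):
    """Named curve of the subject key; None for non-EC keys, 'unknown' if unrecognised."""
    marker = der_oid(ID_EC_PUBLIC_KEY)  # in an EC SPKI the named-curve OID follows directly
    idx = der.find(marker)
    if idx < 0:
        return None
    pos = idx + len(marker)
    if pos + 2 > len(der) or der[pos] != 0x06:
        return "unknown"
    return CURVES.get(der[pos + 2:pos + 2 + der[pos + 1]], "unknown")

def check_certificate(pem: str, envoy_version: str) -> dict:
    """Decide whether the bundled Envoy (e.g. '1.28.3') will load this certificate."""
    curve = ecdsa_curve(pem_to_der(pem))
    major, minor = (int(x) for x in envoy_version.split(".")[:2])
    if curve == "P-256":
        supported = True
    elif curve in ("P-384", "P-521"):
        supported = (major, minor) >= ENVOY_P384_P521_SINCE
    else:
        supported = None  # not an ECDSA key (or unknown curve): this check does not apply
    return {"curve": curve, "envoy": envoy_version, "supported": supported}

def make_sample_pem(curve_body: bytes) -> str:
    """Constructed input: a PEM wrapping only the EC AlgorithmIdentifier, not a real cert."""
    algid = der_oid(ID_EC_PUBLIC_KEY) + der_oid(curve_body)
    der = b"\x30" + bytes([len(algid)]) + algid
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Run it against /etc/ansible-automation-platform/gateway/gateway.crt before restarting the proxy; a P-384 or P-521 result with the 1.28.x Envoy is exactly the startup failure quoted above.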
2. Why does the customer need this? (List the business requirements here)
* Mandatory Security Compliance: Corporate security policy requires use of ECDSA P-384 certificates for TLS.
* Production Readiness: Without support for required ECDSA certificates, the customer must either obtain a security exception or downgrade to the weaker ones (e.g., P-256) that are not compliant with policy.
* Deployment Blocker: Because the proxy fails to start with stronger ECDSA certificates, this blocks production deployments that must align with security requirements.
3. How would you like to achieve this? (List the functional requirements here)
* Upgrade or patch the application-gateway-proxy component to use a version of Envoy that supports stronger ECDSA certificates (i.e., P-384 and P-521).
* Ensure the proxy’s TLS certificate loading logic accepts and correctly processes ECDSA P-384 and P-521 certificates without error.
* Add automated test coverage for supported ECDSA certificates to prevent regressions.
4. List any affected known dependencies: Doc, UI, etc.
* Documentation: TLS certificate requirements in proxy and gateway documentation will need updating to reflect support for additional ECDSA certificates.
* Proxy Component: application-gateway-proxy depends on a specific Envoy version (currently 1.28.x).
* CI/CD / Testing: Test frameworks that verify supported certificate types.
* User Experience: Error messaging and troubleshooting guides may require updates.
5. GitHub link, if any