ENTMQST-869 (project: AMQ Streams)

Provide a facility for AMQ Streams to integrate with an external CA


From the customer case notes:
----------------------------------------------------------
Currently Strimzi manages two PKIs, one for certificates dedicated to internal connections and one for certificates dedicated to connections coming from clients.
For both of these PKIs you can let Strimzi generate a new RootCA or supply an intermediate CA, presumably signed by the customer's CA.

Both of these options are not ideal:
1. The RootCA option for external certificates is extremely inconvenient because now all clients need to import the new CA bundle.
2. The intermediate CA option is, for both PKIs, extremely insecure because if the intermediate CA is compromised the entire customer network is compromised [2].

Ideally Strimzi would integrate with an external CA via an API and get the certificates it needs that way. We are currently migrating to Vault as our CA, so that is one possible solution.

Another option is integrating with an operator that is in charge of creating certificates for applications running in the cluster. This operator would then deal with the intricacies of the certificate request processes and potentially support multiple CA implementations. This operator happens to already exist: cert-manager [1].

Our request is that one of these two options is implemented to allow more customization in the way organizations approach their security requirements.

[1]: https://github.com/jetstack/cert-manager
[2]: https://blog.openshift.com/considerations-on-openshift-pkis-and-certificates/
----------------------------------------------------------

Assignee: Unassigned
Reporter: Colin Mondesir (Inactive)