Feature
Resolution: Unresolved
Critical
None
Feature
There are multiple security regulations that involve certificate management. OpenShift uses certificates internally between services that are never exposed outside the cluster.
Other services the platform provides are external-facing; for these, the cert-manager operator can already manage certificates issued by an external CA.
RHACM, together with Hosted Control Planes, can also manage the hosted clusters' certificates via cert-manager in the RHACM hub / management cluster (tgeer@redhat.com to review).
Goals
- Evaluate requirements including:
  - Customers in Telco, including a request to support the CMPv2 protocol (RFC 4210) for obtaining and managing the lifecycle of the platform certificates.
  - Integration with NSA Type 1 encryption external CAs:
    - https://public.cyber.mil/pki-pke/interoperability/
    - https://en.wikipedia.org/wiki/NSA_product_types (This needs a review by racedoro@redhat.com and lusanche@redhat.com, as the requirement is unclear, as is whether OpenShift could already meet the NSA's Type 1 criteria)
  - Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI): Does OpenShift's management of the platform certificates comply with ANSSI's guidelines on the use of private CAs with regard to PKI security?
  - Does the EU Cybersecurity Act / EU Common Criteria include additional criteria that OpenShift is or isn't compliant with?
  - links to