Initiative
Resolution: Unresolved
Major
Goal
MicroShift currently creates a total of 12 CAs, 10 client certs, 6 serving certs and 2 peer certs. Most CAs have a validity period of 10 years, and most of the other certificates have a validity period of 1 year.
The goal of this initiative is to consolidate these down to a reasonable number:
- one CA (or maybe 3: one for client certs, one for serving certs, one for peer certs)
- reduce the number of serving certs - could we go down to one, with SAN entries for the different components?
- reduce the number of peer certs - maybe only one, with SAN entries?
- Renewal / updates of certs should have minimal impact on workloads, e.g. by restarting only the impacted components on the fly.
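As an added illustration of the consolidated layout sketched above (one CA, one serving cert carrying SAN entries for several components, one peer cert), the Go program below builds such a hierarchy and shows what the consolidation does and does not change. It is example code written for this note, not MicroShift's own certificate code: the component hostnames, the renewal threshold and the helper names are assumptions; only the 10-year CA and 1-year leaf lifetimes are taken from the numbers quoted above. Verification demonstrates that one serving cert answers for every SAN, that a server-only cert is still rejected as a client identity, and that a peer cert needs both extended key usages; a renewal check shows where an on-the-fly restart would be triggered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical component names; MicroShift's real SAN list is not reproduced here.
var servingSANs = []string{"kube-apiserver", "kube-apiserver.example.internal", "router-default.example.internal"}
var peerSANs = []string{"etcd-peer", "etcd-peer.example.internal"}

// PKI holds the consolidated layout: one CA, one serving cert, one peer cert.
type PKI struct {
	CA, Serving, Peer *x509.Certificate
	Pool              *x509.CertPool
}

// issue signs tmpl for pub; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Build creates the CA (10-year validity) and two 1-year leaf certificates,
// mirroring the lifetimes quoted in the ticket.
func Build(now time.Time) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "microshift-ca"},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// leaf issues a 1-year end-entity cert with its own fresh key, signed by the CA.
	leaf := func(serial int64, cn string, sans []string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			DNSNames:     sans,
			NotBefore:    now,
			NotAfter:     now.AddDate(1, 0, 0),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  eku,
		}, ca, &key.PublicKey, caKey)
	}
	// One serving cert for all listeners: server-auth only, so it cannot be presented as a client identity.
	serving, err := leaf(2, "microshift-serving", servingSANs, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return nil, err
	}
	// One peer cert: peers both accept and initiate connections, so it carries both EKUs.
	peer, err := leaf(3, "microshift-peer", peerSANs, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{CA: ca, Serving: serving, Peer: peer, Pool: pool}, nil
}

// Verify chains cert to the CA for one SAN and one extended key usage, evaluated at time at.
func Verify(p *PKI, cert *x509.Certificate, dnsName string, usage x509.ExtKeyUsage, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       p.Pool,
		DNSName:     dnsName,
		KeyUsages:   []x509.ExtKeyUsage{usage},
		CurrentTime: at,
	})
	return err
}

// NeedsRenewal reports whether less than fraction of the lifetime remains at time at.
// The threshold is a hypothetical policy, not a MicroShift setting.
func NeedsRenewal(cert *x509.Certificate, at time.Time, fraction float64) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotAfter.Sub(at) < time.Duration(float64(lifetime)*fraction)
}

func main() {
	now := time.Now()
	p, err := Build(now)
	if err != nil {
		panic(err)
	}
	for _, name := range servingSANs {
		fmt.Printf("serving cert valid for %s: %v\n", name, Verify(p, p.Serving, name, x509.ExtKeyUsageServerAuth, now) == nil)
	}
	fmt.Printf("serving cert accepted as client identity: %v\n", Verify(p, p.Serving, servingSANs[0], x509.ExtKeyUsageClientAuth, now) == nil)
	fmt.Printf("peer cert accepted as client identity: %v\n", Verify(p, p.Peer, peerSANs[0], x509.ExtKeyUsageClientAuth, now) == nil)
	fmt.Printf("serving cert needs renewal after 11 months: %v\n", NeedsRenewal(p.Serving, now.AddDate(0, 11, 0), 0.2))
}
```

The point the verification makes is that consolidating certificates by SAN does not have to mean sharing one key between clients and servers: the serving cert fails the ClientAuth check even though it chains to the same CA, so a three-CA split buys separation only at the CA level, while the EKU split already separates roles at the leaf level.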
Benefit Hypothesis:
Simplification, and probably a better security posture, since fewer private keys are flying around.
We believe that the result of doing this work will be ...
Resources
Need guidance from ProdSec on best practices, e.g. the number of CAs and certs.
- relates to: OCPSTRAT-2899 MicroShift supports controlled certificate and CA renewal (New)