Epic
Resolution: Unresolved
Improve CA cert rotation
OSPRH-4567 - TLSe improvements
Most services use the CA bundle to validate certificates, but some services, e.g. qemu and ovn, have a dedicated CA, and those services (libvirt, qemu) use that specific CA certificate for validation so that connections with client certs from other CAs are not allowed.
During CA cert rotation, both the old and the new CA cert are valid. Those services would require a special use-case bundle to be able to trust the old and the new CA (at least for some time).
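
The rotation case described above, as an added example that is not part of the original issue or the project's code. It builds a transition trust file holding only the old and new dedicated CA and checks it with `openssl verify`. All CA names, file names and CNs are constructed, and `other-ca` is an assumed stand-in for any other CA in the deployment.

```bash
#!/usr/bin/env bash
# Added example. CA names, file names and CNs are constructed for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (key + certificate) called NAME.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA LEAF: create a client certificate LEAF signed by CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# trusted ANCHORS LEAF: print "accept" if LEAF chains to a CA in ANCHORS.
trusted() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/$2.pem" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

make_ca old-ca      # dedicated CA being rotated out
make_ca new-ca      # its replacement
make_ca other-ca    # stand-in for any other CA in the deployment's general bundle
issue old-ca client-old
issue new-ca client-new
issue other-ca client-other

# Transition trust file for the pinned service: old + new dedicated CA only.
cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/rotation-bundle.pem"

# Show which client certs each trust file accepts.
for anchors in old-ca.pem new-ca.pem rotation-bundle.pem; do
  for leaf in client-old client-new client-other; do
    printf '%-20s %-13s %s\n' "$anchors" "$leaf" "$(trusted "$anchors" "$leaf")"
  done
done
```

Pinning either CA alone rejects clients issued by the other one during the overlap, while the two-CA file accepts both and still rejects certs from the unrelated CA.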