Automatic periodic CA (key) rollover #9904
Labels: area/distributed, enhancement, TBD
Is your feature request related to a problem? Please describe.
At the moment Icinga 2 generates a cluster-wide CA once for a lifetime.
Actually for 14.99 years, which, technically speaking, becomes the lifetime of a cluster.
Not a security disaster by itself, but we can do better.
Describe the solution you'd like
Roots. The v2.X.0+ master periodically creates a new CA named Icinga CA %Y and adds it to the local trust bundle, for the obvious reason: to distrust the existing CA one nice day. The latter excludes cross-signing the existing one, so only cross-signing the new one is an option. Theoretically this would allow issuing with the new CA immediately. And the current certificate distribution mechanism even seems to allow deploying chains with intermediate CAs. But only deploying, not recognising CSRs. 👎 Not w/o #9795.

So the master can't just issue X using the new CA without knowing whether all cluster levels between itself and X have at least #9795. Or v2.{X-1}.0+ must have #9795 and is a requirement for all satellites under a v2.X.0+ master. This would even work with current agents, as they'd just have to recognise the satellites as such, not their CSRs, which #9795 is about.

Cross-signing even seems the only option with a smooth transition. Otherwise the new CA would be a pure spare until the master knows for sure that all nodes also trust it. How? Via another layer of complexity in cluster communication and synchronisation? 👎

Leaves. As the leaf validity is asynchronous with the root validity, there may be old leaves valid for 10y+ that don't need renewal. Once the master wants to retire their CA, they do need it. I.e. the master forcibly renews certs not issued with the new CA. Another reason to update satellites.
</walloftext>
TL;DR
Additional context
The only question is:
Do customers get a problem with the API if the Icinga CA suddenly changes?
Can we expect them to regularly update their handcrafted curl trust stores?
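The rollover path the post sketches, as an added example that is not part of this issue or of Icinga 2's code: a toy Go program (standard-library crypto/x509 only) that builds the current root, a new root, the new root cross-signed by the current root, and one leaf issued by each root, then checks which trust configurations a peer may be in still verify each leaf. The names (`Icinga CA`, `Icinga CA 2025` standing in for `Icinga CA %Y`, the agent hostnames) and the 15-, 10- and 1-year validities are assumptions made for the illustration, not values from Icinga.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// rolloverPKI is a constructed toy hierarchy (not Icinga 2 code): the current root,
// the new root, the new root cross-signed by the current root, and a leaf per root.
type rolloverPKI struct {
	oldCA, newCA, crossSignedNewCA, oldLeaf, newLeaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal CA or end-entity template valid for `years` from now.
func template(cn string, serial int64, years int, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// sign certifies pub under tmpl with parent's key; tmpl as its own parent gives a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildRolloverPKI() *rolloverPKI {
	oldKey, newKey := mustKey(), mustKey()
	oldTmpl := template("Icinga CA", 1, 15, true)
	oldCA := sign(oldTmpl, oldTmpl, oldKey.Public(), oldKey)
	newTmpl := template("Icinga CA 2025", 2, 15, true) // "Icinga CA %Y" with an assumed year
	newCA := sign(newTmpl, newTmpl, newKey.Public(), newKey)
	// Cross-sign: same subject and key as newCA, but certified by the old root, so a
	// peer that trusts only the old root can still chain to leaves issued by the new CA.
	cross := sign(template("Icinga CA 2025", 3, 15, true), oldCA, newKey.Public(), oldKey)
	oldLeaf := sign(template("agent-old.example", 10, 10, false), oldCA, mustKey().Public(), oldKey)
	newLeaf := sign(template("agent-new.example", 11, 1, false), newCA, mustKey().Public(), newKey)
	return &rolloverPKI{oldCA, newCA, cross, oldLeaf, newLeaf}
}

// verifies reports whether leaf chains to one of roots, optionally through the
// intermediates the peer presents alongside its leaf.
func verifies(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	pool := func(cs []*x509.Certificate) *x509.CertPool {
		p := x509.NewCertPool()
		for _, c := range cs {
			p.AddCert(c)
		}
		return p
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool(roots), Intermediates: pool(intermediates)})
	return err == nil
}

// scenarioResults: one verification outcome per trust configuration of the verifying peer.
type scenarioResults struct {
	NewLeafOldRootOnly       bool // peer trusts only the old CA, no chain deployed
	NewLeafOldRootCrossChain bool // peer trusts only the old CA, cross-signed new CA sent as intermediate
	NewLeafNewRootOnly       bool // old CA retired, peer trusts only the new CA
	OldLeafBothRoots         bool // transition: both roots in the bundle, old leaf still verifies
	OldLeafNewRootOnly       bool // old CA retired: the 10-year old leaf fails, so it must be renewed
}

func runScenarios(p *rolloverPKI) scenarioResults {
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return scenarioResults{
		NewLeafOldRootOnly:       verifies(p.newLeaf, certs(p.oldCA), nil),
		NewLeafOldRootCrossChain: verifies(p.newLeaf, certs(p.oldCA), certs(p.crossSignedNewCA)),
		NewLeafNewRootOnly:       verifies(p.newLeaf, certs(p.newCA), nil),
		OldLeafBothRoots:         verifies(p.oldLeaf, certs(p.oldCA, p.newCA), nil),
		OldLeafNewRootOnly:       verifies(p.oldLeaf, certs(p.newCA), nil),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios(buildRolloverPKI()))
}
```

The outcomes line up with the post's argument: a leaf issued by the new CA is rejected by a peer that still trusts only the old root and has received no chain, so the new CA is indeed a pure spare until either the cross-signed chain is deployed (second case, which verifies) or the new root itself has reached the peer's bundle (third case). A leaf issued by the old CA keeps verifying while both roots are in the bundle, but fails the moment the old root is dropped, regardless of its remaining validity, which is why retiring the old CA forces renewal of every leaf it issued.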