    caddy-frontend: Implement KeDiFa SSL information · bc2b1742
    Łukasz Nowak authored
    Use KeDiFa to store keys, and transmit the URL to the requester for master
    and slave partitions.
    
    Download keys on the slave partitions level.
    
    Use caucase to fetch main caucase CA.
    
    kedifa-caucase-url is published in order to have access to it.
    
    Note: caucase is prepended with kedifa, as this is that one.
    
    Use kedifa-csr tool to generate CSR and use caucase-updater macro.
    
    Switch to KeDiFa with SSL Auth and updated goodies.
    
    KeDiFa endpoint URLs are randomised.
    
    Only one (the first) user certificate is going to be automatically accepted. This
    one shall be operated by the cluster owner, the requester of the frontend master
    partition.
    
    Then he will be able to sign certificates for other users and also for
    services - so each node in the cluster.
    
    A special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
    is used for one-command generation of extensions in the certificate.
    Note: We could upgrade to openssl 1.1.1 in order to have it really
    simplified (see https://security.stackexchange.com/a/183973).
    
    Improve CSR readability by creating cluster-identification, which is the master
    partition title, and use it as the Organization of the CSR.
    
    Reserve slots for data exchange in KeDiFa.
instance-caddy-input-schema.json 3.36 KB
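The CSR generation the message describes (Organization set to the cluster identification, subjectAltName supplied in a single openssl call, plus the `-addext` form available from openssl 1.1.1), as an added example that is not the commit's own code. The cluster id, file names and DNS names are constructed placeholders, and a minimal inline config stands in for the system openssl.cnf that the linked trick appends to, so the example does not depend on that file's location.

```shell
# Build the subjectAltName value from DNS names:
#   san_value a.example b.example -> DNS:a.example,DNS:b.example
san_value() {
  out=""
  for name in "$@"; do
    out="${out:+$out,}DNS:$name"
  done
  printf '%s' "$out"
}

# Write a minimal req config plus the [SAN] section (assumption: a
# self-contained file replaces the system openssl.cnf the linked trick
# appends to, so nothing depends on that file's location).
write_req_config() {   # $1 = config path, rest = DNS names
  cfg=$1; shift
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    printf '[dn]\n# overridden by -subj on the command line\nO = placeholder\n'
    printf '[SAN]\nsubjectAltName = %s\n' "$(san_value "$@")"
  } > "$cfg"
}

# One openssl invocation: fresh key, O=<cluster id>, CN=<first DNS name>,
# and the SAN extension pulled in from the [SAN] section via -reqexts.
make_csr() {   # $1 = cluster id, $2 = key out, $3 = csr out, rest = DNS names
  cluster=$1; key=$2; csr=$3; shift 3
  cfg=$(mktemp)
  write_req_config "$cfg" "$@"
  rc=0
  openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$key" \
    -subj "/O=$cluster/CN=$1" -reqexts SAN -config "$cfg" \
    -out "$csr" 2>/dev/null || rc=$?
  rm -f "$cfg"
  return "$rc"
}

# With OpenSSL 1.1.1 or later the config file is unnecessary: -addext
# carries the extension directly (the simplification the note refers to).
make_csr_addext() {   # same arguments as make_csr
  cluster=$1; key=$2; csr=$3; shift 3
  openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$key" \
    -subj "/O=$cluster/CN=$1" -addext "subjectAltName = $(san_value "$@")" \
    -out "$csr" 2>/dev/null
}

# Read back the SAN line of a CSR, so the extension can be checked before
# the CSR is handed to caucase for signing.
csr_san() {   # $1 = csr path
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Checking the SAN and the Organization with `csr_san` and `openssl req -noout -subject` before submitting is the cheap way to catch a CSR that silently lost its extensions.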