TLS utility provider #2778
TLS utility provider #2778
Conversation
apparentlymart
changed the title
|
Wow. This is great work, @apparentlymart. Wow. Will get one of us to circle back for a more detailed review, but on first pass this looks darn near perfect. Thank you! |
|
Over in #3599 I wrote a little about how this might be extended to work with Let's Encrypt and ACME, though I'd still like to merge this logical-only patch first and then we can build on it in separate changesets to add the ACME support. @phinze Is this looking ready to merge to you? If possible I'd like to get this merged before Let's Encrypt becomes generally available, so these building blocks are available for me or someone else to work on additional resources for issuing "real" certificates using the ACME protocol. |
As of this commit this provider has only logical resources that allow the creation of private keys, self-signed certs and certificate requests. These can be useful when creating other resources that use TLS certificates, such as AWS Elastic Load Balancers. Later it could grow to include support for real certificate provision from CAs using the LetsEncrypt ACME protocol, once it is stable.
|
This thing is beautiful. Landing it! |
|
Curious if there was a reason for not implementing If not would you consider accepting a PR? |
|
@silas I was planning to implement the ACME protocol to get signed certs from registrars (some design notes in #3599) and so this set of stuff was basically intended as the building blocks for that, plus the self-signed cert just because it was easy once I'd done the other parts and handy for quick development environment stuff. If I'm understanding correctly, what you want to do is take a CA cert and its associated private key and use those in conjunction with a CSR to produce a cert that is signed by that CA cert. In which case, a resource for that seems reasonable and a logical extension building on the existing The only thing I'm kinda concerned about is making sure we have things named nicely so it's easy for users to understand the three different cases and how they differ:
I think the ACME-issued certs deserve to get the most straightforward and "primary-sounding" name |
|
@apparentlymart Yup, you understood me correctly, and I agree on all points.
|
|
@apparentlymart I'd love any feedback you might have on #3930 |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
The TLS provider has general utility resources for TLS provisioning.
In this first implementation it contains only logical resources to aid in the creation of private keys (for testing/development only), self-signed certificates and certificate requests. These can then be used with other providers to create TLS-enabled resources.
tls_private_keyresourcetls_self_signed_certresourcetls_cert_requestresourceThis provider could also be a reasonable home for an implementation of the new LetsEncrypt ACME protocol once it stabilizes, allowing "real" CA-issued certificates to be created too. However, I won't add that at least until LetsEncrypt has released a first stable version of its own client in Python.