Context Navigation

← Previous Ticket
Next Ticket →

Ticket #528 (closed enhancement: fixed)

Last modified 15 years ago

support for multiple fingerprints

Reported by:	[email protected]…	Owned by:	desai
Priority:	major	Milestone:	Bcfg2 0.9.6 Release
Component:	bcfg2-client	Version:
Keywords:	certificate security	Cc:

Description

I will need to periodically rotate the server cert in order to satisfy infosec requirements. Being able to specify multiple cert fingerprints, to be tried in order, should be sufficient.

The envisioned workflow is:

generate new cert and get its fingerprint (but don't install yet)
update /etc/bcfg2.conf to have 'fingerprint = <new fingerprint>, <old fingerprint>
let clients get new config
put new server cert in place
let at least another round of clients updates go through
remove old fingerprint from /etc/bcfg2.conf

If a host is down for longer than the rotation period, they will need to have the fingerprint manually updated when they're back up.

Attachments

Change History

comment:1 Changed 15 years ago by desai

Status changed from new to closed
Resolution set to fixed
Milestone set to Bcfg2 0.9.6 Release

All code for this is now merged. Thanks for the patch.

WARNING! You need to establish a session before you can create or edit tickets. Otherwise the ticket will get treated as spam.

View ↑

Add a comment

You may use WikiFormatting here.

Modify Ticket

Change Properties

Summary:
Type:		Priority:
Milestone:		Component:
Version:		Keywords:
Add/Remove from Cc:	<Author field>

Action

leave as closed

reopen The resolution will be deleted. Next status will be 'reopened'

Author

Your email or username:

E-mail address and user name can be saved in the Preferences.

Attachments ↑

Note: See TracTickets for help on using tickets.

Download in other formats: