Modify

Ticket #528 (closed enhancement: fixed)

Opened 14 years ago

Last modified 14 years ago

support for multiple fingerprints

Reported by: bcfg2@… Owned by: desai
Priority: major Milestone: Bcfg2 0.9.6 Release
Component: bcfg2-client Version:
Keywords: certificate security Cc:

Description

I will need to periodically rotate the server cert in order to satisfy infosec requirements. Being able to specify multiple cert fingerprints, to be tried in order, should be sufficient.

The envisioned workflow is:

  • generate new cert and get its fingerprint (but don't install yet)
  • update /etc/bcfg2.conf to have 'fingerprint = <new fingerprint>, <old fingerprint>
  • let clients get new config
  • put new server cert in place
  • let at least another round of clients updates go through
  • remove old fingerprint from /etc/bcfg2.conf

If a host is down for longer than the rotation period, they will need to have the fingerprint manually updated when they're back up.

Attachments

Change History

comment:1 Changed 14 years ago by desai

  • Status changed from new to closed
  • Resolution set to fixed
  • Milestone set to Bcfg2 0.9.6 Release

All code for this is now merged. Thanks for the patch.

WARNING! You need to establish a session before you can create or edit tickets. Otherwise the ticket will get treated as spam.

View

Add a comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
The resolution will be deleted. Next status will be 'reopened'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.