Consider an alternate certificate renewal flow that uses CSR #13

Closed
tigrannajaryan opened this issue Nov 9, 2021 · 3 comments · Fixed by #162
Comments

@tigrannajaryan
Member

The client certificate creation is currently performed by the Server, with Server generating a private/public keypair and sending it to the Agent.

We could change the flow to use a CSR-like flow, where the Agent generates a keypair and a CSR, and sends the CSR to the Server. I think this better mirrors the traditional certificate generation flow. The benefit will be that the private key does not leave the Agent.

This adds more complexity to the protocol (one extra roundtrip), but is worth exploring.

@tigrannajaryan
Member Author

It may be worth reading and understanding https://spiffe.io/docs/latest/spire-about/spire-concepts/ to see if it is applicable.

tigrannajaryan added a commit to tigrannajaryan/opamp-spec that referenced this issue Jul 19, 2023
Resolves open-telemetry#13

Uses [Development] label as the indication of the least
mature level proposed in this upcoming OTEP:
open-telemetry/oteps#232
tigrannajaryan added a commit to tigrannajaryan/opamp-spec that referenced this issue Jul 20, 2023
Resolves open-telemetry#13

Uses [Development] label as the indication of the least
mature level proposed in this upcoming OTEP:
open-telemetry/oteps#232
@evan-bradley

It may be worth reading and understanding https://spiffe.io/docs/latest/spire-about/spire-concepts/ to see if it is applicable.

@tigrannajaryan this seems like it would be used in place of the certificate field on ConnectionSettings messages, and would ultimately be something an Agent and Server do to generate certificates for themselves out-of-band from OpAMP. I realize it's been nearly two years since you made that comment, do you still think SPIFFE may have any direct applicability to OpAMP?

@tigrannajaryan
Member Author

I realize it's been nearly two years since you made that comment, do you still think SPIFFE may have any direct applicability to OpAMP?

I haven't looked into the details of SPIFFE and don't know if/how we can use it. This requires someone to do some research and understand what SPIFFE does and how applicable it is to OpAMP.

tigrannajaryan added a commit to tigrannajaryan/opamp-spec that referenced this issue Sep 13, 2023
Resolves open-telemetry#13

Uses [Development] label as the indication of the least
mature level proposed in this upcoming OTEP:
open-telemetry/oteps#232
tigrannajaryan added a commit that referenced this issue Sep 14, 2023
Resolves #13

Uses [Development] label as the indication of the least
mature level proposed in this upcoming OTEP:
open-telemetry/oteps#232