Commit Graph

12 Commits

Author SHA1 Message Date
Hans Hasselberg 804eb17094
connect: check if intermediate cert needs to be renewed. (#6835)
Currently when using the built-in CA provider for Connect, root certificates are valid for 10 years, however secondary DCs get intermediates that are valid for only 1 year. There is no mechanism currently short of rotating the root in the primary that will cause the secondary DCs to renew their intermediates.
This PR adds a check that renews the cert if it is half way through its validity period.

In order to be able to test these changes, a new configuration option was added: IntermediateCertTTL which is set extremely low in the tests.
2020-01-17 23:27:13 +01:00
Paul Banks b621910618
Support Connect CAs that can't cross sign (#6726)
* Support Connect CAs that can't cross sign

* revert spurios mod changes from make tools

* Add log warning when forcing CA rotation

* Fixup SupportsCrossSigning to report errors and work with Plugin interface (fixes tests)

* Fix failing snake_case test

* Remove misleading comment

* Revert "Remove misleading comment"

This reverts commit bc4db9cabed8ad5d0e39b30e1fe79196d248349c.

* Remove misleading comment

* Regen proto files messed up by rebase
2019-11-11 21:36:22 +00:00
R.B. Boyer af01d397a5
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492)
The fields in the certs are meant to hold the original binary
representation of this data, not some ascii-encoded version.

The only time we should be colon-hex-encoding fields is for display
purposes or marshaling through non-TLS mediums (like RPC).
2019-09-23 12:52:35 -05:00
Kyle Havlovitz 6465b13b7d
website: update docs for leaf cert TTL option 2018-07-16 13:33:42 -07:00
Jack Pearkes adaaa37e4f website: fix an assortment of broken links 2018-06-25 12:26:24 -07:00
Kyle Havlovitz c11e1b51e4 website: correct a few last things in CA docs 2018-06-25 12:26:23 -07:00
Mitchell Hashimoto 93cd52024d website: split out CA docs by provider type 2018-06-25 12:26:23 -07:00
Kyle Havlovitz 0b5d7277f9 website: fix example config in vault CA docs 2018-06-25 12:26:09 -07:00
Kyle Havlovitz b4ef7bb64d connect/ca: leave blank root key/cert out of the default config (unnecessary) 2018-06-25 12:25:42 -07:00
Kyle Havlovitz 8e028b7dc6 website: add Vault CA provider doc sections 2018-06-25 12:25:42 -07:00
Kyle Havlovitz 5d005df8c6 docs: add Connect CA overview 2018-06-25 12:25:10 -07:00
Mitchell Hashimoto 097856c515 Starting Docs (#46)
* website: first stab at Connect docs

* website: lots more various stuff (bad commit messages)

* website: getting started page for Connect

* website: intentions

* website: intention APIs

* website: agent API docs

* website: document agent/catalog proxy kind service values

* website: /v1/catalog/connect/:service

* website: intention CLI docs

* website: custom proxy docs

* website: remove dedicated getting started guide

* website: add docs for CA API endpoints

* website: add docs for connect ca commands

* website: add proxy CLI docs

* website: clean up proxy command, add dev docs

* website: todo pages

* website: connect security
2018-06-25 12:24:05 -07:00