
enable automated rotation of TSA certificates #631

Open
dmitris opened this issue Feb 7, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

dmitris (Contributor) commented Feb 7, 2024

Description

The certificates that are used for the web server connection are not rotated - which leads to the server refusing the connection once the certificates expire (especially if the certificates have a short expiration timeframe - which is advisable for better security). Need to add something like fswatch to notice when the certificate has changed and reload it.

@dmitris dmitris added the enhancement New feature or request label Feb 7, 2024
haydentherapper (Contributor) commented

We have something like this in Fulcio for the file-based CA, for the signing certificate - https://github.com/sigstore/fulcio/blob/main/pkg/ca/fileca/fileca.go#L34

I would advise against this though. It requires adding locks throughout the codebase. I would expect that rotating a certificate during an active connection may cause unexpected failures.

Can this be handled by the orchestration framework, restarting the server with the updated certificate?
