feat(identity): support non-PKCS#12 identities #7
PKCS#12 identities (aka .pfx files) are often used to transport private key material with a decryption password.

In scenarios where a Vault-like server is used to emit PKI certificates, PFX files are not really used and the certificates' private key material is installed in non-swappable RAM locations directly, without any decryption password required.

This simplifies automatic rotation and rollouts to production deployments when this is available.

Before this, it would be necessary to re-encode the PEM-encoded DER private key via openssl with an empty password and store it in another runtime location.

I'm not exactly sure yet if this is the right design for it (in the context of the library), e.g. I don't know if I'm needlessly breaking backward compatibility.

I'm also a bit dubious whether I should concatenate the CA cert chain to configure rustls if it's available.
Signed-off-by: Raito Bezarius [email protected]
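Not the PR's code and not the library's API: an added Rust example of the loader-side check a non-PKCS#12 identity implies. It splits a PEM bundle into the leaf certificate, any CA chain concatenated behind it, and a single private key, and rejects keys that still need a decryption password. The `PemIdentity` type and `parse_pem_identity` name are assumptions for illustration.

```rust
// Added example, not the PR's code: split a PEM bundle into what a
// non-PKCS#12 identity needs (leaf cert, CA chain, one unencrypted key).
pub struct PemIdentity {
    pub leaf: String,       // first CERTIFICATE block
    pub chain: Vec<String>, // any CERTIFICATE blocks after it, in file order
    pub key: String,        // the single private-key block, must not be encrypted
}

/// Parse `pem` into certificate blocks and exactly one private-key block.
/// Encrypted keys are rejected: they would still need a decryption password,
/// which is exactly what a non-PKCS#12 identity is meant to avoid.
pub fn parse_pem_identity(pem: &str) -> Result<PemIdentity, String> {
    let mut certs: Vec<String> = Vec::new();
    let mut keys: Vec<String> = Vec::new();
    let mut current: Option<(String, Vec<&str>)> = None; // (label, lines) of the open block
    for line in pem.lines() {
        let line = line.trim_end();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|r| r.strip_suffix("-----")) {
            if current.is_some() { return Err("nested BEGIN without END".into()); }
            current = Some((label.to_string(), vec![line]));
            continue;
        }
        match current.as_mut() {
            None => continue, // text outside any block (comments, blank lines) is ignored
            Some((label, lines)) => {
                lines.push(line);
                if line != format!("-----END {}-----", label) { continue; }
            }
        }
        // The END line of a block was just pushed: classify the whole block.
        let (label, lines) = current.take().expect("block in progress");
        let block = lines.join("\n");
        match label.as_str() {
            "CERTIFICATE" => certs.push(block),
            // Legacy PKCS#1 / SEC1 keys mark encryption with a Proc-Type header.
            "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY"
                if !block.contains("Proc-Type: 4,ENCRYPTED") => keys.push(block),
            "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY" | "ENCRYPTED PRIVATE KEY" => {
                return Err("private key is password-protected; cannot load it without a password".into())
            }
            other => return Err(format!("unexpected PEM block: {}", other)),
        }
    }
    if current.is_some() { return Err("unterminated PEM block".into()); }
    if keys.len() != 1 { return Err(format!("expected one private key, found {}", keys.len())); }
    let mut certs = certs.into_iter();
    let leaf = certs.next().ok_or("no certificate block found")?;
    Ok(PemIdentity { leaf, chain: certs.collect(), key: keys.remove(0) })
}
```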