
Re: Storing TLS credentials in the directory



On 9 Apr 2017, at 11:29, Howard Chu <hyc@symas.com> wrote:

> Turbo Fredriksson wrote:
>> On 9 Apr 2017, at 04:06, Howard Chu <hyc@symas.com> wrote:
>> 
>> Only difference might be that the local FS isn’t available _outside_ the host, a directory
>> is.
> 
> As soon as a host offers something like ssh, then that distinction is gone too.

True.

> Moreover, a secure mechanism for distributing private keys to users is required but nobody
> ever specifies how to do that. Certainly LDAP/TLS is more manageable than sneakernet and
> this is more bootstrappable.

Yeah, I’ve been struggling like crazy about this the last couple of months.

There are many scripts and some products that can be/handle a CA, but
no one seems to have thought about the actual distribution of the result(s).

Or how to restrict queries, distribution and what type of cert is/can be requested.

And every link I’ve ever seen about certs says “then copy it securely to the
destination”. But no wording on HOW to do that or how to script it (in a
more .. “automated” fashion).

Everything I’ve seen about the subject is so darn _complex_! It shouldn’t HAVE
to be.


So if you can do something like this, and leave the ACL/policies etc to the admin,
using existing functionality (ACL/ACI/ppolicy or whatever), I’d be a very happy man! :)

Are you actually talking about OpenLDAP being a “CA” as well? As in, being able
to create certificates by requests, or are you talking about OpenLDAP “only”
being the … “backend-storage” for such a tool?
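
As an added illustration of the “leave the ACL to the admin using existing functionality” point above (example config, not from this thread or the OpenLDAP project): a cn=config change that restricts a per-entry PKCS#12 bundle (the standard userPKCS12 attribute) to the entry itself and a CA service account, read/written only over TLS, while public certificates stay readable. The DIT names (dc=example,dc=com, ou=services, the {1}mdb database index) are assumptions.

```ldif
# Added example: restrict access to private-key material stored in the DIT.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif
# Assumed: the data database is olcDatabase={1}mdb and a CA service DN exists.

# Weak form this replaces (anyone who can bind reads every host's key bundle):
#   olcAccess: to attrs=userPKCS12 by users read

dn: olcDatabase={1}mdb,cn=config
changetype: modify
# Inserting with index {0} puts these rules ahead of the existing ones,
# so they are evaluated first.
add: olcAccess
olcAccess: {0}to attrs=userPKCS12
  by dn.exact="cn=ca-service,ou=services,dc=example,dc=com" tls_ssf=128 write
  by self tls_ssf=128 read
  by * none
# Public material may be read by anyone; only the CA service may replace it.
olcAccess: {1}to attrs=userCertificate,cACertificate
  by dn.exact="cn=ca-service,ou=services,dc=example,dc=com" write
  by * read
-
# Belt and braces: refuse any operation on this database that is not
# protected by at least 128-bit TLS, regardless of the ACLs above.
replace: olcSecurity
olcSecurity: tls=128
```

A host that binds as its own entry DN over TLS can then fetch its bundle with a plain ldapsearch on userPKCS12; the same query from any other DN, or over a cleartext session, returns nothing.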