vmlintu edited this page Dec 2, 2010 · 6 revisions

Overview

Puavo-CA acts as a certificate authority for all devices and services managed by Puavo. It is a backend service that has no end user interface. It provides a REST API that is accessed only by Puavo-devices to manage certificates for registered locally installed hosts. Puavo-CA is not needed if Puavo-devices is used to manage only netboot devices (thin and fat clients) and the necessary certificates are created manually.

Organisation model

Puavo-CA uses the same data model as other Puavo components. This means that a single Puavo-CA installation can manage multiple organisations, each with its own data. If the Puavo installation is run by a service provider, the data structure looks like this:

  • Service provider
    • Organisation X
    • Organisation Y
    • Organisation Z

The service provider can have two types of services:

  • Services available to all organisations (common services)
  • Services available only to a single organisation (organisation services)

CA structure

By default Puavo-CA has a two-level CA structure: a root CA plus intermediate CAs for organisations. All servers that provide common services to all organisations are signed with a common service CA, while organisation certificates are signed with organisation CAs. This means that there are four types of certificates involved:

  • Root CA certificate
  • Organisation CA certificate
  • Server certificates for common services
  • Client certificates for organisation services

All applications that use certificates must make sure that the intermediate organisation CA certificate is available in addition to the root CA certificate; a certificate issued by an organisation CA cannot be validated against the root CA alone.

Wildcard certificates are also supported for common service certificates.
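The following script is an added example and not Puavo-CA's own code: it builds the two-level hierarchy described above with openssl (a root CA, an intermediate organisation CA and a client certificate for a registered host) and then shows that the host certificate only verifies when the intermediate organisation CA is supplied next to the root. The subject names and the host name are constructed for the example.

```shell
#!/bin/sh
# Added example, not Puavo-CA code: build a root CA -> organisation CA -> host
# client certificate chain with openssl, then verify the leaf with and without
# the intermediate. Subject names and the host name are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: CA certificates may only sign, the intermediate may not
# issue further CAs (pathlen:0), and the host certificate is a plain client cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > org.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > host.ext

# Root CA: self-signed.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Puavo/CN=Puavo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile root.ext -out root.crt 2>/dev/null

# Organisation CA: signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Organisation X/CN=Organisation X CA" \
  -keyout org.key -out org.csr 2>/dev/null
openssl x509 -req -in org.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 -sha256 \
  -extfile org.ext -out org.crt 2>/dev/null

# Client certificate for a registered host of Organisation X: signed by the organisation CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Organisation X/CN=host01.orgx.invalid" \
  -keyout host.key -out host.csr 2>/dev/null
openssl x509 -req -in host.csr -CA org.crt -CAkey org.key -CAcreateserial -days 365 -sha256 \
  -extfile host.ext -out host.crt 2>/dev/null

# Exit 0 only if host.crt can be chained to the trusted root with just root.crt available.
verify_root_only() { openssl verify -CAfile root.crt host.crt >/dev/null 2>&1; }
# Exit 0 when the intermediate organisation CA is supplied alongside the trusted root.
verify_with_intermediate() { openssl verify -CAfile root.crt -untrusted org.crt host.crt >/dev/null 2>&1; }

if verify_root_only; then echo "root only: verified (unexpected)"; else echo "root only: FAILS, intermediate missing"; fi
if verify_with_intermediate; then echo "root + organisation CA: OK"; else echo "root + organisation CA: FAILS"; fi
```

The same failure appears in any client or server that is handed only the root CA certificate, which is why the intermediate has to be distributed with it.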
