From 601c3d4ff0773cec230cf6198947c22b10cbc2b6 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Thu, 29 Aug 2024 10:02:15 -0400
Subject: [PATCH] Add section on certificates layout
---
README.md | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
diff --git a/README.md b/README.md
index cac69c843..c57852d9c 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,107 @@ This repository also contains the tooling required to install Foreman Katello. See [KATELLO.md](/KATELLO.md) for details and specifics of that setup.
+# Certificates
+
+## Terminology
+
+* **default CA** - a CA generated by the installer, and used to generate server and client certificates. This CA is used by Candlepin to generate client certificates.
+* **server CA** - a CA that can be provided by the user, or is a copy of the default CA, used by all public facing interfaces
+* **puppet CA** - a CA generated and managed by puppet
+
+## Layout
+
+### Foreman
+
+The set of deployed certificates, private keys and CA certificates when using the Foreman scenario. Foreman defaults to using the Puppet CA, and users can provide their own certificates for any of the listed services.
+
+| path | kind | service | issuer | CA |
+|-------------------------------------------------------|--------|---------------|---------|---------|
+| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | client | foreman | puppet | |
+| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | foreman | | |
+| /etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | foreman | | puppet |
+| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | server | websockify | puppet | |
+| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | websockify | | |
+| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | server | apache | puppet | |
+| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | apache | | |
+| /etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | apache | | puppet |
+| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | server | smart-proxy | puppet | |
+| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | smart-proxy | | |
+| /etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | smart-proxy | | puppet |
+| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | client | smart-proxy | puppet | |
+| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | smart-proxy | | |
+| /etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | smart-proxy | | puppet |
+
+### Katello
+
+The set of deployed certificates, private keys and CA certificates when using the Katello scenario. Katello splits this into two phases: generation and deployment.
+The generation of certificates is handled by [katello-certs-tools](https://github.com/Katello/katello-certs-tools) through puppet and then the puppet module will deploy them to standard locations.
+
+Users may supply custom, also known as server certificates, for any public interfaces.
+All client certificates, and the CA certificate used by Candlepin are generated and cannot be provided by a user.
+
+#### Tooling
+
+* Installs and deploys a CA
+* Deploys certificates generated from the CA
+* Uses [katello-certs-tools](https://github.com/Katello/katello-certs-tools) to generate certificates
+
+#### Deployed Certificates
+
+| path | kind | service | issuer | CA |
+|-----------------------------------------------|--------|---------------|---------|---------|
+| /etc/foreman/client_cert.pem | client | foreman | default | |
+| /etc/foreman/client_key.pem | key | foreman | default | |
+| /etc/foreman/proxy_ca.pem | CA | foreman | | server |
+| /etc/pki/katello/certs/katello-apache.crt | server | apache | server | |
+| /etc/pki/katello/private/katello-apache.key | key | apache | | |
+| /etc/pki/katello/certs/katello-server-ca.crt | CA | apache | | server |
+| /etc/pki/katello/certs/katello-default-ca.crt | CA | apache | | default |
+| /etc/pki/katello/certs/katello-apache.crt | server | websockify | server | |
+| /etc/pki/katello/private/katello-apache.key | key | websockify | | |
+| /etc/pki/katello/private/\*-bundle.pem:cert | client | reverse-proxy | | |
+| /etc/pki/katello/private/\*-bundle.pem:key | key | reverse-proxy | default | |
+| /etc/foreman_proxy/ssl_cert.pem | server | smart-proxy | server | |
+| /etc/foreman_proxy/ssl_key.pem | key | smart-proxy | server | |
+| /etc/foreman_proxy/ssl_ca.pem | CA | smart-proxy | | default |
+| /etc/foreman_proxy/foreman_ssl_cert.pem | client | smart-proxy | default | |
+| /etc/foreman_proxy/foreman_ssl_key.pem | key | smart-proxy | default | |
+| /etc/foreman_proxy/foreman_ssl_ca.pem | CA | smart-proxy | | server |
+| /etc/candlepin/certs/candlepin-ca.crt | CA | candlepin | | default |
+| /etc/candlepin/certs/candlepin-ca.key | key | candlepin | | default |
+| /etc/candlepin/certs/truststore:artemis-client| client | artemis | default | |
+| /etc/candlepin/certs/truststore:candlepin-ca | CA | tomcat | | default |
+| /etc/candlepin/certs/keystore:tomcat | server | tomcat | default | |
+| /etc/candlepin/certs/keystore:tomcat | key | tomcat | | |
+| /etc/mosquitto/ssl/ssl_cert.pem | cert | mosquitto | server | |
+| /etc/mosquitto/ssl/ssl_key.pem | key | mosquitto | | |
+| /etc/mosquitto/ssl/ssl_ca.pem | CA | mosquitto | | default |
+| /etc/pki/katello/puppet/puppet_client.crt | client | puppet | default | |
+| /etc/pki/katello/puppet/puppet_client.key | key | puppet | | |
+| /etc/pki/katello/puppet/puppet_client_ca.crt | CA | puppet | | server |
+
+#### Generated Certificates
+
+The certificates generated through [puppet-certs](https://github.com/theforeman/puppet-certs) using [katello-certs-tools](https://github.com/Katello/katello-certs-tools).
+
+| path | kind | issuer | CA |
+|--------------------------------------------------------------|--------|---------|---------|
+| /root/ssl-build/katello-ca-opnessl.cnf | config | | default |
+| /root/ssl-build/katello-default-ca.crt | CA | | default |
+| /root/ssl-build/katello-default-ca.key | key | | default |
+| /root/ssl-build/katello-server-ca.crt | CA | | server |
+| /root/ssl-build/katello-server-ca.key | key | | server |
+| /root/ssl-build/$hostname/$hostname-apache.crt | server | server | |
+| /root/ssl-build/$hostname/$hostname-apache.key | key | | |
+| /root/ssl-build/$hostname/$hostname-foreman-client.crt | client | default | |
+| /root/ssl-build/$hostname/$hostname-foreman-client.key | key | | |
+| /root/ssl-build/$hostname/$hostname-foreman-proxy-client.crt | client | default | |
+| /root/ssl-build/$hostname/$hostname-foreman-proxy-client.key | key | | |
+| /root/ssl-build/$hostname/$hostname-foreman-proxy.crt | client | server | |
+| /root/ssl-build/$hostname/$hostname-foreman-proxy.key | key | | |
+| /root/ssl-build/localhost/localhost-tomcat.crt | server | default | |
+| /root/ssl-build/localhost/localhost-tomcat.key | key | | |
+
 # More info See http://theforeman.org or at #theforeman irc channel on freenode