You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Would it be possible to provide a root CA that is provisioned elsewhere? I'm thinking of the following use case:
Generate a CSR inter-ca.csr for the intermediate CA inter-ca with the KMS key alias/inter-ca-key and custom subject information
Generate a cert for the intermediate CA inter-ca.crt with the root key that is offline (not on KMS - since it does not allow importing existing asymmetric keys)
Create a KMS issuer using the intermediate certificate inter-ca.crt and the KMS key alias/inter-ca-key
KMSImportedCertificate will have the CSR generated by the controller and stored in a CertificateRequest object. And when the cert is generated offline, it can be stored in its status.
Alternatively, bootstrapCertificateRef could reference an existing Certificate resource which is issued by some other issuer.
The spec of KMSImportedCertificate would be almost like Certificate but without the privateKey and secretName, and dnsNames/uris/ipAddresses are not relevant for an intermediate CA.
The text was updated successfully, but these errors were encountered:
Summary
Would it be possible to provide a root CA that is provisioned elsewhere? I'm thinking of the following use case:
inter-ca.csr
for the intermediate CAinter-ca
with the KMS keyalias/inter-ca-key
and custom subject informationinter-ca.crt
with the root key that is offline (not on KMS - since it does not allow importing existing asymmetric keys)inter-ca.crt
and the KMS keyalias/inter-ca-key
I'm imagining something like this:
KMSImportedCertificate
will have the CSR generated by the controller and stored in aCertificateRequest
object. And when the cert is generated offline, it can be stored in itsstatus
.Alternatively,
bootstrapCertificateRef
could reference an existingCertificate
resource which is issued by some other issuer.The spec of
KMSImportedCertificate
would be almost likeCertificate
but without theprivateKey
andsecretName
, anddnsNames
/uris
/ipAddresses
are not relevant for an intermediate CA.The text was updated successfully, but these errors were encountered: