diff --git a/README.md b/README.md index cac69c84..c57852d9 100644 --- a/README.md +++ b/README.md 
@@ -111,6 +111,107 @@ This repository also contains the tooling required to install Foreman Katello. See [KATELLO.md](/KATELLO.md) for details and specifics of that setup. +# Certificates + +## Terminology + +* **default CA** - a CA generated by the installer, and used to generate server and client certificates. This CA is used by Candlepin to generate client certificates. +* **server CA** - a CA that can be provided by the user, or is a copy of the default CA, used by all public facing interfaces +* **puppet CA** - a CA generated and managed by puppet + +## Layout + +### Foreman + +The set of deployed certificates, private keys and CA certificates when using the Foreman scenario. Foreman defaults to using the Puppet CA, and users can provide their own certificates for any of the listed services. + +| path | kind | service | issuer | CA | +|-------------------------------------------------------|--------|---------------|---------|---------| +| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | client | foreman | puppet | | +| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | foreman | | | +| /etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | foreman | | puppet | +| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | server | websockify | puppet | | +| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | websockify | | | +| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | server | apache | puppet | | +| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | apache | | | +| /etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | apache | | puppet | +| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | server | smart-proxy | puppet | | +| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | smart-proxy | | | +| /etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | smart-proxy | | puppet | +| /etc/puppetlabs/puppet/ssl/certs/$hostname.pem | client | smart-proxy | puppet | | +| /etc/puppetlabs/puppet/ssl/private_keys/$hostname.pem | key | smart-proxy | | | +| 
/etc/puppetlabs/puppet/ssl/certs/ca.pem | CA | smart-proxy | | puppet | + +### Katello + +The set of deployed certificates, private keys and CA certificates when using the Katello scenario. Katello splits this into two phases: generation and deployment. +The generation of certificates is handled by [katello-certs-tools](https://github.com/Katello/katello-certs-tools) through puppet and then the puppet module will deploy them to standard locations. + +Users may supply custom, also known as server certificates, for any public interfaces. +All client certificates, and the CA certificate used by Candlepin are generated and cannot be provided by a user. + +#### Tooling + +* Installs and deploys a CA +* Deploys certificates generated from the CA +* Uses [katello-certs-tools](https://github.com/Katello/katello-certs-tools) to generate certificates + +#### Deployed Certificates + +| path | kind | service | issuer | CA | +|-----------------------------------------------|--------|---------------|---------|---------| +| /etc/foreman/client_cert.pem | client | foreman | default | | +| /etc/foreman/client_key.pem | key | foreman | default | | +| /etc/foreman/proxy_ca.pem | CA | foreman | | server | +| /etc/pki/katello/certs/katello-apache.crt | server | apache | server | | +| /etc/pki/katello/private/katello-apache.key | key | apache | | | +| /etc/pki/katello/certs/katello-server-ca.crt | CA | apache | | server | +| /etc/pki/katello/certs/katello-default-ca.crt | CA | apache | | default | +| /etc/pki/katello/certs/katello-apache.crt | server | websockify | server | | +| /etc/pki/katello/private/katello-apache.key | key | websockify | | | +| /etc/pki/katello/private/\*-bundle.pem:cert | client | reverse-proxy | | | +| /etc/pki/katello/private/\*-bundle.pem:key | key | reverse-proxy | default | | +| /etc/foreman_proxy/ssl_cert.pem | server | smart-proxy | server | | +| /etc/foreman_proxy/ssl_key.pem | key | smart-proxy | server | | +| /etc/foreman_proxy/ssl_ca.pem | CA | 
smart-proxy | | default | +| /etc/foreman_proxy/foreman_ssl_cert.pem | client | smart-proxy | default | | +| /etc/foreman_proxy/foreman_ssl_key.pem | key | smart-proxy | default | | +| /etc/foreman_proxy/foreman_ssl_ca.pem | CA | smart-proxy | | server | +| /etc/candlepin/certs/candlepin-ca.crt | CA | candlepin | | default | +| /etc/candlepin/certs/candlepin-ca.key | key | candlepin | | default | +| /etc/candlepin/certs/truststore:artemis-client| client | artemis | default | | +| /etc/candlepin/certs/truststore:candlepin-ca | CA | tomcat | | default | +| /etc/candlepin/certs/keystore:tomcat | server | tomcat | default | | +| /etc/candlepin/certs/keystore:tomcat | key | tomcat | | | +| /etc/mosquitto/ssl/ssl_cert.pem | cert | mosquitto | server | | +| /etc/mosquitto/ssl/ssl_key.pem | key | mosquitto | | | +| /etc/mosquitto/ssl/ssl_ca.pem | CA | mosquitto | | default | +| /etc/pki/katello/puppet/puppet_client.crt | client | puppet | default | | +| /etc/pki/katello/puppet/puppet_client.key | key | puppet | | | +| /etc/pki/katello/puppet/puppet_client_ca.crt | CA | puppet | | server | + +#### Generated Certificates + +The certificates generated through [puppet-certs](https://github.com/theforeman/puppet-certs) using [katello-certs-tools](https://github.com/Katello/katello-certs-tools). 
+ +| path | kind | issuer | CA | +|--------------------------------------------------------------|--------|---------|---------| +| /root/ssl-build/katello-ca-opnessl.cnf | config | | default | +| /root/ssl-build/katello-default-ca.crt | CA | | default | +| /root/ssl-build/katello-default-ca.key | key | | default | +| /root/ssl-build/katello-server-ca.crt | CA | | server | +| /root/ssl-build/katello-server-ca.key | key | | server | +| /root/ssl-build/$hostname/$hostname-apache.crt | server | server | | +| /root/ssl-build/$hostname/$hostname-apache.key | key | | | +| /root/ssl-build/$hostname/$hostname-foreman-client.crt | client | default | | +| /root/ssl-build/$hostname/$hostname-foreman-client.key | key | | | +| /root/ssl-build/$hostname/$hostname-foreman-proxy-client.crt | client | default | | +| /root/ssl-build/$hostname/$hostname-foreman-proxy-client.key | key | | | +| /root/ssl-build/$hostname/$hostname-foreman-proxy.crt | client | server | | +| /root/ssl-build/$hostname/$hostname-foreman-proxy.key | key | | | +| /root/ssl-build/localhost/localhost-tomcat.crt | server | default | | +| /root/ssl-build/localhost/localhost-tomcat.key | key | | | + # More info See http://theforeman.org or at #theforeman irc channel on freenode
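Review bot: the `issuer` and `CA` columns are filled inconsistently for key rows across the Katello tables, which undermines the point of the layout: a reader should be able to follow each private key to its certificate and that certificate to its signing CA. Most key rows leave both columns blank, but `| /etc/foreman/client_key.pem | key | foreman | default | |`, `| /etc/foreman_proxy/ssl_key.pem | key | smart-proxy | server | |` and `| /etc/candlepin/certs/candlepin-ca.key | key | candlepin | | default |` do not, and the reverse-proxy pair looks swapped (`\*-bundle.pem:cert` has no issuer while `\*-bundle.pem:key` lists `default`). Suggest blanking issuer/CA on every key row and putting the issuer only on the matching cert row, with one short sentence above the tables stating that convention. Smaller points in the same hunk: `katello-ca-opnessl.cnf` in the generated-certificates table reads like a typo for `openssl`; the mosquitto row uses kind `cert` where every other leaf is `server` or `client`; `$hostname-foreman-proxy.crt` is listed as kind `client` although it is deployed as the smart-proxy server certificate at `/etc/foreman_proxy/ssl_cert.pem` (kind `server`); and the Foreman table repeats the smart-proxy block, so `ca.pem` appears twice for smart-proxy and the duplicated trio of rows should be dropped. The Terminology bullets also mix trailing-period and no-period styles, and "custom, also known as server certificates" would read more clearly as "custom (server) certificates".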