Added support for PKCS12 password protected TLS config #4165
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
👋 🤖 🤔 Hello! Did you make your changes in all the right places? These files were changed only in docs/. You might want to duplicate these changes in versioned_docs/version-8.5/.
You may have done this intentionally, but we wanted to point it out in case you didn't. You can read more about the versioning within our docs in our documentation guidelines. |
akeller
added
component:zeebe
There was a problem hiding this comment.
@EuroLew Is this only applicable to the next version of docs, or also the previous versions and current version of docs?
This should apply only to the |
github-merge-queue bot
pushed a commit
to camunda/camunda
that referenced
this pull request
Aug 22, 2024
## Description This PR adds support for a PKCS12 format file to configure the TLS private key and certificate chain. The PKCS12 file can be password protected. - The original certificateChainPath and privateKeyPath and the new `pkcs12` configuration are mutually exclusive and checks are carried out to ensure such behaviour. - The approach taken to parse the pkcs12 is that the private key and certificate chain are extracted from the pkcs12 file in order to build the netty `SslContext` - The PKCS12 file must have the same password as the singular key certificate pair in the file. (That is a password is required to access the file, and then another password is required to extract the private key, this is per the [RFC](https://datatracker.ietf.org/doc/html/rfc7292)) - In addition pkcs12 supports multiple key certificate chain pairs however the current approach will extract the first pair from the file an use that for TLS configuration. (This will be documented in the camunda docs that the file must NOT contain more than 1 key certificate chain pairs). This is also per the RFC as only one key value pair is intended (However this is not verified or tested so a file with multiple entries could be provided and the first one would be used) Camunda docs PR is here camunda/camunda-docs#4165 ## Related issues closes camunda/issues#833
github-merge-queue bot
pushed a commit
to camunda/camunda
that referenced
this pull request
Aug 22, 2024
## Description This PR adds support for a PKCS12 format file to configure the TLS private key and certificate chain. The PKCS12 file can be password protected. - The original certificateChainPath and privateKeyPath and the new `pkcs12` configuration are mutually exclusive and checks are carried out to ensure such behaviour. - The approach taken to parse the pkcs12 is that the private key and certificate chain are extracted from the pkcs12 file in order to build the netty `SslContext` - The PKCS12 file must have the same password as the singular key certificate pair in the file. (That is a password is required to access the file, and then another password is required to extract the private key, this is per the [RFC](https://datatracker.ietf.org/doc/html/rfc7292)) - In addition pkcs12 supports multiple key certificate chain pairs however the current approach will extract the first pair from the file an use that for TLS configuration. (This will be documented in the camunda docs that the file must NOT contain more than 1 key certificate chain pairs). This is also per the RFC as only one key value pair is intended (However this is not verified or tested so a file with multiple entries could be provided and the first one would be used) Camunda docs PR is here camunda/camunda-docs#4165 ## Related issues closes camunda/issues#833
|
CC @npepinpe for review 👍 |
|
@EuroLew Can I go ahead and merge this, or does it need to wait until release next month? |
|
It can be merged now 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add documentation about how to use the new TLS configuration with a PKCS12 file. This adds details about the configuration file fields and the expected contents of the PKCS12 file.
When should this change go live?
holdlabel or convert to draft PR)PR Checklist
/versioned_docsdirectory./docsdirectory (aka/next/).