NSOF-9189 certificates: support configuring BYO certificates
BYO certificates are CA certificates the admin configures and can be used
in AAC rules in order to validate that the user has a device certificate
signed by those CAs.
In our API certificates are managed via our v1/certificates endpoints.
Originally only "managed" certificates were supported, which means the
caller provided a list of SANs and the service would create and manage
respective certificates used by the service.
With the introduction of AAC the certificates API was extended to support
providing BYO CA certificates.
Add a "certificate" string field - which is mutually exclusive with the
"sans" field - to allow providing a certificate in PEM format.
For implementation simplicity, two shortcuts are taken:
- the certificate field uses a "ForceNew" attribute, which means the
  certificate cannot be changed on an existing object. This means that for
  now, if an AAC rule points to an existing certificate, and that
  certificate PEM needs to be changed, the AAC rule needs to be changed
  as well.
- no support for BYO certificates in the certificate data source
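
The checks a caller might run on a BYO input before sending it, as an added example that is not code from this commit or from the provider: it rejects "sans" combined with "certificate", requires the PEM to be a CA certificate, and tests whether a device certificate is signed by that CA. `ValidateBYO`, `SignedBy` and `NewCert` are hypothetical names, and the Ed25519 sample certificates are constructed in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateBYO (hypothetical) rejects "sans" alongside "certificate" and requires a PEM CA certificate.
func ValidateBYO(sans []string, certPEM string) (*x509.Certificate, error) {
	if len(sans) > 0 {
		return nil, fmt.Errorf("sans and certificate are mutually exclusive")
	}
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("certificate must be a PEM CERTIFICATE block")
	}
	ca, err := x509.ParseCertificate(block.Bytes)
	if err == nil && !(ca.BasicConstraintsValid && ca.IsCA) {
		return nil, fmt.Errorf("certificate is not a CA certificate")
	}
	return ca, err
}

// SignedBy reports whether the device certificate carries a valid signature from the BYO CA.
func SignedBy(device, ca *x509.Certificate) bool { return ca != nil && device.CheckSignatureFrom(ca) == nil }
// NewCert builds a constructed sample certificate (errors ignored for brevity); nil parent = self-signed.
func NewCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (string, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), cert, key
}

func main() {
	caPEM, ca, caKey := NewCert("byo-ca.example", true, nil, nil)
	_, device, _ := NewCert("laptop-01", false, ca, caKey)
	parsed, err := ValidateBYO(nil, caPEM)
	fmt.Println("validation error:", err, "device signed by BYO CA:", SignedBy(device, parsed))
}
```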