Skip to content

feat(core): Assign certificate to namespace #661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6 commits into from
Closed

feat(core): Assign certificate to namespace #661

wants to merge 6 commits into from

Conversation

@pflynn-virtru
Copy link
Member

@pflynn-virtru pflynn-virtru commented Oct 2, 2025
edited
Loading

Overview

Certificates can be associated with attribute namespaces to establish a chain of trust. These root certificates are stored in x5c format (base64-encoded DER) in the database and can be managed via the otdfctl CLI.

This implementation follows the KAS key assignment pattern with minimal commands for core operations.

Prerequisites

Commands

The certificate management follows the same pattern as KAS key assignment with three focused commands:

Assign Certificate to Namespace

Assign a root certificate to a namespace:

./otdfctl policy certificates assign \
  --namespace "https://example.com" \
  --file ../platform/keys/kas-cert.pem \
  --label "source=kas-cert" \
  --with-client-creds '{"clientId":"opentdf","clientSecret":"secret"}' \
  --host http://localhost:8080

Output:

SUCCESS

╭────────────────────────┬───────────────────────────────────────────────╮
│Namespace ID            │8f1d8839-2851-4bf4-8bf4-5243dbfe517d           │
│Certificate ID          │b891df13-8ad5-4c95-8add-631862207284           │
│Certificate (preview)   │MIIC/TCCAeWgAwIBAgIUSMNrGBq+5ax1wDa…          │
╰────────────────────────┴───────────────────────────────────────────────╯

Remove Certificate from Namespace

Remove a certificate from a namespace:

./otdfctl policy certificates remove \
  --namespace "https://example.com" \
  --certificate-id "b891df13-8ad5-4c95-8add-631862207284" \
  --with-client-creds '{"clientId":"opentdf","clientSecret":"secret"}' \
  --host http://localhost:8080

Output:

SUCCESS

╭────────────────┬───────────────────────────────────────────────╮
│Removed         │true                                           │
│Namespace       │https://example.com                            │
│Certificate ID  │b891df13-8ad5-4c95-8add-631862207284           │
╰────────────────┴───────────────────────────────────────────────╯

pflynn-virtru and others added 6 commits October 2, 2025 13:17
@pflynn-virtru
Add certificate management commands including list, get, assign, remo…
634e1f3 
…ve, and convert functionality. Update dependencies and introduce handler methods to support these features.
@pflynn-virtru
Remove unused certificate management commands and related handler met…
9666763 
…hods. Simplify functionality to support only assign, remove, and convert operations.
@pflynn-virtru
Update certificate conversion logic to switch default operation to x5…
bbb5f74 
…c-to-PEM, revise associated flag names and handler methods, and bump dependencies to newer versions.
@pflynn-virtru
Merge branch 'main' into feature/trust-by-namespace
d68dd88
@pflynn-virtru
Remove convert-pem command and related handler methods to simplify …
bd008d7 
…certificate management operations.
@pflynn-virtru
Merge remote-tracking branch 'origin/feature/trust-by-namespace' into…
230262a 
… feature/trust-by-namespace
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pflynn-virtru