Document support for PKCS#12 #860
Co-authored-by: Joyce Fee <[email protected]>
Looks great! Now the fun part - turns out PKCS#12 doesn't work in FIPS. So I think we need a call out for that.
So, some background information on this (discovered in this PR):
The MAC key derivation algorithm used for PKCS#12 is PKCS12KDF. This is not a FIPS supported algorithm. This means that, when running in FIPS mode, the OpenSSL FIPS provider will error out on unwrapping a PKCS#12 file.
A proposal (rfc9579) has been made to replace that with PBMAC1 which is FIPS compliant. The ability to unwrap a PKCS#12 file using that is in OpenSSL 3.4, which we haven't updated to yet.
Some other reading can be found here: https://www.redhat.com/en/blog/fips-140-3-changes-pkcs-12
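To see the distinction described above in the file itself, here is an added example (not Redpanda or OpenSSL code) that reads `MacData.mac.digestAlgorithm` from a DER-encoded PKCS#12 blob and reports whether its MAC key comes from PKCS12KDF (a bare hash OID) or from PBMAC1 (id-PBMAC1, RFC 9579). The two PFX blobs are constructed here with an empty authSafe, and the NULL algorithm parameters are a stand-in for real PBMAC1-params.

```python
OID_PBMAC1 = "1.2.840.113549.1.5.14"   # id-PBMAC1 (RFC 9579): PBKDF2-based MAC usable by a FIPS provider

def _children(value):
    """Split a constructed DER value into (tag, contents) pairs; handles short and long lengths."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                                  # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def _decode_oid(b):
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    arcs, acc = [str(b[0] // 40), str(b[0] % 40)], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def classify_pfx_mac(der):
    """Return 'pbmac1', 'pkcs12kdf:<digest OID>' or 'none' for a DER-encoded PFX."""
    fields = _children(_children(der)[0][1])   # PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }
    if len(fields) < 3:
        return "none"                          # no integrity MAC, so no KDF for the FIPS provider to reject
    digest_info = _children(fields[2][1])[0][1]         # MacData.mac : DigestInfo
    alg_id = _children(_children(digest_info)[0][1])    # DigestInfo.digestAlgorithm : AlgorithmIdentifier
    oid = _decode_oid(alg_id[0][1])
    return "pbmac1" if oid == OID_PBMAC1 else "pkcs12kdf:" + oid   # bare hash OID => PKCS12KDF key derivation

def _enc(tag, body):
    """Minimal DER TLV encoder (bodies under 64 KiB); only used to build the constructed samples below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def sample_pfx(mac_alg_oid_hex):
    """Constructed, minimal PFX: empty id-data authSafe plus a MacData using the given algorithm OID."""
    auth_safe = _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D010701")) + _enc(0xA0, _enc(0x04, b"")))
    alg_id = _enc(0x30, _enc(0x06, bytes.fromhex(mac_alg_oid_hex)) + _enc(0x05, b""))  # params: NULL stand-in
    digest_info = _enc(0x30, alg_id + _enc(0x04, b"\x00" * 32))                        # 32-byte dummy MAC
    mac_data = _enc(0x30, digest_info + _enc(0x04, b"\x11" * 8) + _enc(0x02, b"\x08\x00"))  # salt, 2048 iters
    return _enc(0x30, _enc(0x02, b"\x03") + auth_safe + mac_data)

LEGACY_PFX = sample_pfx("608648016503040201")   # sha256 digest OID: PKCS12KDF MAC, fails in FIPS mode
PBMAC1_PFX = sample_pfx("2A864886F70D01050E")   # id-PBMAC1 OID: accepted from OpenSSL 3.4 in FIPS mode
```

Running `classify_pfx_mac` over the bytes of a real `.p12` tells you before enabling FIPS mode whether the file will be rejected; only the MAC algorithm identifier is inspected, so the MAC itself is not verified.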
Thanks @michael-redpanda - I added some of this context to the TLS doc and the FIPS doc.
NOTE: If you haven't generated the `.key` and `.crt` files, refer to <<gen-certs, Generate certificate files>>. | ||
NOTE: PKCS#12 keys are not supported when xref:manage:security/fips-compliance.adoc[FIPS mode] is enabled in Redpanda. The PKCS12KDF algorithm used in PKCS#12 is not FIPS-compliant. To use Redpanda in FIPS mode, configure your certificates and keys in <<pem,PEM format>> instead. |
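Review bot: the wording `PKCS#12 keys are not supported` in the added NOTE is narrower than the problem: the FIPS provider rejects the PKCS12KDF-derived integrity MAC on the whole PKCS#12 file (certificates included), not only the key, so `PKCS#12 files` or `PKCS#12 bundles` would be more accurate. Consider also saying that the restriction is tied to the OpenSSL version Redpanda ships, since the review thread notes that PBMAC1 (RFC 9579) support arrives in OpenSSL 3.4, so readers know it may be lifted later.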
praise: 👍
Just a couple of minor comments/observations.
@@ -113,31 +126,29 @@ certificates (created above). | |||
|
|||
|`-batch` |Batch mode, where certificates are certified automatically. | |||
|=== | |||
+ | |||
The output `ca.crt` is the CA's public certificate, which you'll use in the truststore. |
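Review bot: the odd rendering of `CA's` on the last context line comes from Asciidoctor replacing an apostrophe between two letters with a curly typographic apostrophe; if a straight apostrophe is wanted, escape it as `CA\'s`, or rephrase to `the CA public certificate`. The added blank line after `|===` is correct, since AsciiDoc needs it to close the table before the paragraph.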
Again, the rendering of the apostrophe looks odd?
truststore_file: <path-to-PEM-formatted-CA-file> | ||
cert_file: <path-to-pem-cert-file> | ||
key_file: <path-to-pem-key-file> | ||
truststore_file: <path-to-pem-CA-file> |
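Review bot: the placeholder case is inconsistent across these lines: `<path-to-PEM-formatted-CA-file>` and `<path-to-pem-CA-file>` mix upper and lower case while the neighbouring `<path-to-pem-cert-file>` and `<path-to-pem-key-file>` are all lowercase. Use `<path-to-pem-ca-file>` throughout so the placeholders match and the uppercase `CA` no longer stops the field from being treated as editable.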
The caps in CA are stopping this from being an editable field.
Description
Review deadline: 20 November
Note to reviewers: I haven't updated the Kubernetes docs because the Helm chart requires updates to support PKCS#12. Related Jira is here: https://redpandadata.atlassian.net/browse/K8S-347
Page previews
https://deploy-preview-860--redpanda-docs-preview.netlify.app/24.3/manage/security/encryption/#pkcs