support issuing user certificates through ZTS #3238
ZTS currently issues certificates for services and roles, and we should extend it to support user certificates as well.
General Idea:
New endpoint /zts/v1/usercert
The client is responsible for providing a CSR along with attestation data that needs to be verified by ZTS.
Requirements:
- ZTS needs to make sure to have user authority configured so that it can verify that the user is valid.
- It should also have a server-side configuration that specifies which user provider to use (no need to ask every user to specify that as part of the request, since there will be only one user provider for certificates).
- The user authority needs to provide a new method that returns the signing key. The property might require a different key depending on the user type (permanent/contingent/intern/etc.) that ZTS is not aware of.
- The CSR cannot contain SAN DNS entries except for the SPIFFE URI.
- The certificate must be issued for a limited time: the server must have default and maximum timeouts, but the user can specify their own value.
- The certificate is issued for client use only.
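The CSR and lifetime checks above, as an added illustration in Go (not Athenz code). It assumes the expected SPIFFE URI has already been derived from the verified attestation data, and the default/max lifetimes and the `newTestCSR` helper are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"net/url"
	"time"
)

// Server-side lifetime limits for user certs (assumed values, not Athenz defaults).
const defaultUserCertExpiry, maxUserCertExpiry = 12 * time.Hour, 7 * 24 * time.Hour

// userCertTemplate applies the issue's rules to a user CSR and returns the template ZTS would hand
// to the signer: no DNS/IP/email SANs, at most one URI SAN equal to the user's SPIFFE id, client auth only.
func userCertTemplate(csr *x509.CertificateRequest, expectedSpiffe string, requested time.Duration, now time.Time) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err // CSR was not signed by the key it carries
	}
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) > 0 {
		return nil, errors.New("user csr must not carry DNS, IP or email SANs")
	}
	if len(csr.URIs) > 1 || (len(csr.URIs) == 1 && csr.URIs[0].String() != expectedSpiffe) {
		return nil, errors.New("only the user's own spiffe URI is allowed as a SAN")
	}
	if requested <= 0 {
		requested = defaultUserCertExpiry // client gave no value: use the server default
	} else if requested > maxUserCertExpiry {
		requested = maxUserCertExpiry // never exceed the server maximum
	}
	return &x509.Certificate{
		Subject: csr.Subject, URIs: csr.URIs, NotBefore: now, NotAfter: now.Add(requested),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, nil
}

// newTestCSR signs a CSR from constructed inputs (test helper, not production code).
func newTestCSR(dns []string, uris []*url.URL) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: dns, URIs: uris}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}
```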