@t-aleksander t-aleksander commented Jan 7, 2026

Creates basic core certificate authority functionality.

The major parts that are missing from this PR:

  • certificate renewal/changing
  • Gateway handling (coming in part 2)

The communication is now split between the following phases:

  • Initial setup handshake, Core and Proxy exchange setup information (currently only certificates: csr in, certificate out) over HTTP (since HTTPS is not available yet). This step is skipped if: Proxy already has some certificates or Core detects that the Proxy is serving its gRPC traffic over HTTPS already.
  • After the 1st phase is completed (or skipped), both components switch to HTTPS and continue operating as usual (2nd phase)
  • If for any reason one of the components is already on the 2nd phase but the other one tries to initiate the 1st phase, the component on the 2nd phase sends a message informing that it does not require further configuration and the initiating component skips the 1st phase.

TODO:

  • Update protobufs

@t-aleksander t-aleksander linked an issue Jan 7, 2026 that may be closed by this pull request
22 tasks
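
The two-phase flow from the pull request description above, modeled as an added example; it is not code from this pull request or the project. All type and function names, the assumed message direction (Core initiates, Proxy answers), and the `signed(...)` stand-in for CA signing are assumptions.

```rust
// Added illustration of the two-phase flow; every name here is hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Phase { Setup, Operational } // phase 1 over HTTP, phase 2 over HTTPS

#[derive(Debug, PartialEq)]
enum ProxyReply {
    Csr(String),       // proxy has no certificate yet and asks for one
    AlreadyConfigured, // proxy is in phase 2 and needs no further configuration
}

struct Proxy { cert: Option<String>, phase: Phase }

impl Proxy {
    fn new(cert: Option<String>) -> Self {
        // A proxy that already holds a certificate starts directly in phase 2.
        let phase = if cert.is_some() { Phase::Operational } else { Phase::Setup };
        Proxy { cert, phase }
    }
    // Answer a phase-1 initiation. A configured proxy never re-enters setup.
    fn on_setup_request(&self) -> ProxyReply {
        match self.phase {
            Phase::Operational => ProxyReply::AlreadyConfigured,
            Phase::Setup => ProxyReply::Csr("constructed-csr".to_string()),
        }
    }
    fn install(&mut self, cert: String) {
        self.cert = Some(cert);
        self.phase = Phase::Operational;
    }
}

// Core side: returns the scheme used afterwards and whether phase 1 actually ran.
fn core_connect(proxy: &mut Proxy, proxy_serves_https: bool) -> (&'static str, bool) {
    if proxy_serves_https {
        return ("https", false); // Core detected HTTPS already: skip phase 1
    }
    match proxy.on_setup_request() {
        ProxyReply::AlreadyConfigured => ("https", false),
        ProxyReply::Csr(csr) => {
            // Stand-in for CA signing; a real CA would validate the CSR first.
            proxy.install(format!("signed({})", csr));
            ("https", true)
        }
    }
}

fn main() {
    let mut fresh = Proxy::new(None);
    println!("{:?}", core_connect(&mut fresh, false)); // phase 1 runs
    println!("{:?} {:?}", core_connect(&mut fresh, false), fresh.cert); // skipped
}
```

The second `core_connect` call shows the third bullet: a Proxy already in the 2nd phase answers `AlreadyConfigured`, so its installed certificate is not replaced over plain HTTP.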
}
}

pub fn der_to_pem(der: &[u8], label: PemLabel) -> Result<String, CertificateError> {

rcgen::Certificate has methods to convert itself to DER or PEM. Maybe use those?

}
}

fn endpoint(&self, with_tls: bool) -> Result<Endpoint, ProxyError> {

How about endpoint(&self, scheme: &str)?

Labels

feature New feature or request

Development

Successfully merging this pull request may close these issues.

Implement Certificate Authority in core

3 participants