Document support for PKCS#12 #860
Conversation
Co-authored-by: Joyce Fee <[email protected]>
Co-authored-by: Paulo Borges <[email protected]> Co-authored-by: Gellért Peresztegi-Nagy <[email protected]> Co-authored-by: Angela Simms <[email protected]>
Co-authored-by: Joyce Fee <[email protected]>
Co-authored-by: Paulo Borges <[email protected]> Co-authored-by: Joyce Fee <[email protected]>
Co-authored-by: Angela Simms <[email protected]> Co-authored-by: Joyce Fee <[email protected]> Co-authored-by: Paulo Borges <[email protected]>
Co-authored-by: Angela Simms <[email protected]> Co-authored-by: Joyce Fee <[email protected]>
Co-authored-by: Kat Batuigas <[email protected]> Co-authored-by: Jake Cahill <[email protected]> Co-authored-by: Paulo Borges <[email protected]> Co-authored-by: Gellért Peresztegi-Nagy <[email protected]> Co-authored-by: Angela Simms <[email protected]>
Co-authored-by: Kat Batuigas <[email protected]>
Co-authored-by: Joyce Fee <[email protected]>
✅ Deploy Preview for redpanda-docs-preview ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Deflaimun
force-pushed
the
v-WIP/24.3
branch
from
ac16003 to
332aeed
Compare
michael-redpanda
left a comment
michael-redpanda
left a comment
There was a problem hiding this comment.
Looks great! Now the fun part - turns out PKCS#12 doesn't work in FIPS. So I think we need a call out for that.
So some background information on this (discovered in this PR)
The MAC key derivation algorithm used for PKCS#12 is PKCS12KDF. This is not a FIPS supported algorithm. This means that, when running in FIPS mode, the OpenSSL FIPS provider will error out on unwrapping a PKCS#12 file.
A proposal (rfc9579) has been made to replace that with PBMAC1 which is FIPS compliant. The ability to unwrap a PKCS#12 file using that is in OpenSSL 3.4, which we haven't updated to yet.
Some other reading can be found here: https://www.redhat.com/en/blog/fips-140-3-changes-pkcs-12
Thanks @michael-redpanda - I added some of this context to the TLS doc and the FIPS doc |
| You can simplify certificate management by generating a password-protected PKCS#12 bundle from your `broker.key` and `broker.crt` files. | ||
|
|
||
| NOTE: If you haven't generated the `.key` and `.crt` files, refer to <<gen-certs, Generate certificate files>>. | ||
| NOTE: PKCS#12 keys are not supported when xref:manage:security/fips-compliance.adoc[FIPS mode] is enabled in Redpanda. The PKCS12KDF algorithm used in PKCS#12 is not FIPS-compliant. To use Redpanda in FIPS mode, configure your certificates and keys in <<pem,PEM format>> instead. |
Co-authored-by: Angela Simms <[email protected]>
asimms41
left a comment
asimms41
left a comment
There was a problem hiding this comment.
Just a couple of minor comments/observations.
| |`-batch` |Batch mode, where certificates are certified automatically. | ||
| |=== | ||
| + | ||
| The output `ca.crt` is the CA's public certificate, which you'll use in the truststore. |
There was a problem hiding this comment.
Again, the rendering of the apostrophe looks odd?
| truststore_file: <path-to-PEM-formatted-CA-file> | ||
| cert_file: <path-to-pem-cert-file> | ||
| key_file: <path-to-pem-key-file> | ||
| truststore_file: <path-to-pem-CA-file> |
There was a problem hiding this comment.
The caps in CA are stopping this from being an editable field.
Co-authored-by: Angela Simms <[email protected]>
Co-authored-by: Paulo Borges <[email protected]> Co-authored-by: Joyce Fee <[email protected]> Co-authored-by: Gellért Peresztegi-Nagy <[email protected]> Co-authored-by: Angela Simms <[email protected]> Co-authored-by: Kat Batuigas <[email protected]> Co-authored-by: Michele Cyran <[email protected]>
Description
Review deadline: 20 November
Note to reviewers: I haven't updated the Kubernetes docs because the Helm chart requires updates to support PKCS#12. Related Jira is here: https://redpandadata.atlassian.net/browse/K8S-347
Page previews
https://deploy-preview-860--redpanda-docs-preview.netlify.app/24.3/manage/security/encryption/#pkcs
Checks