
Add support for ingesting intermediate and root CA certificates via "path" flag(s) #223

Open
atc0005 opened this issue Mar 5, 2025 · 3 comments


atc0005 commented Mar 5, 2025

Not sure yet whether one flag (e.g., --certs-path) would be used to ingest both types, or whether there would be separate flags for each type.

For example:

  • --intermediate-certs-path
  • --root-certs-path

The current thinking is that regardless of what they're named, the flags would allow pointing directly at a specific file for ingest such as:

  • /etc/ssl/certs/ca-certificates.crt (e.g., Ubuntu)
  • /etc/ssl/certs/ca-bundle.crt (e.g., RHEL)

or for an entire directory:

  • /etc/ssl/certs/

Each ingested file would be sorted into a collection based on its type:

  • intermediate certificates
  • root certificates
  • leaf certificates
    • intentionally ignored

The error handling would probably opt to skip over any file ingest attempts that fail (assuming instead that the file isn't a certificate). Not sure if we'd offer a flag to not ignore ingest errors. Presumably we'd log ingest failures via debug level log messages to aid a sysadmin in troubleshooting why an intended file was not ingested.

@atc0005 atc0005 added this to the v0.26.0 milestone Mar 5, 2025
@atc0005 atc0005 self-assigned this Mar 5, 2025

atc0005 commented Mar 5, 2025

I'm on the fence about whether it is worth adding this logic now, while I'm in the process of trying to get the new Chain Integrity validation check changes stabilized, or afterwards as a refinement of the logic.


atc0005 commented Mar 5, 2025

From curl --help:

     --cacert <file> CA certificate to verify peer against
     --capath <dir>  CA directory to verify peer against

Maybe --ca-path for a general "ingest" flag name?


atc0005 commented Mar 5, 2025

Debating whether to make the new flag act the same as other multiple input flags for this project and accept paths as a comma-separated value:

/path/to/check_cert --server www.example.com --ca-path "/path/to/intermediates/dir,/path/to/root-ca-certs/dir,/etc/ssl/certs/ca-certificates.crt"

or have it be used multiple times:

/path/to/check_cert --server www.example.com --ca-path "/path/to/intermediates/dir" --ca-path "/path/to/root-ca-certs/dir" --ca-path "/etc/ssl/certs/ca-certificates.crt"

or have the flag support a mix of either:

/path/to/check_cert --server www.example.com --ca-path "/path/to/intermediates/dir,/path/to/root-ca-certs/dir" --ca-path "/etc/ssl/certs/ca-certificates.crt"

Flexibility is good, but consistency is probably better?
