On Jan 17, Jan Kowalsky wrote:
Until I do further research on how to achieve this: can anybody tell me
if it's possible to handle multiple different PKIs with different root CAs
inside one debops project?
The situation: we administer multiple servers for different customers. Since
many of them are very similar, we are thinking about managing them all in one
project in different host groups.
But the condition would be to have separate CAs.
Yes, it is possible to manage multiple separate Certificate Authority chains
in one debops.pki setup.
When you look at the debops.pki defaults file,
https://github.com/debops/debops/blob/master/ansible/roles/debops.pki/def...,
you can see there variables:
- pki_authorities - this variable defines what CAs are managed by debops.pki,
the easiest way to extend it would be to copy it to the inventory and add
your own new list entries
- pki_authorities_ca_root - this variable defines the default 'Root CA'
authority, the important key being 'name' which defines the name you have to
reference in intermediate authorities
- pki_authorities_ca_domain - this variable defines the default 'Domain CA'
intermediate authority. The 'issuer_name' defines the "parent CA" which
signed this CA's certificate.
This defines a "chain" of Root CA + Domain CA, with Domain CA signing the
end-entity server certificates. In the 'pki_authorities' variable you can add
your own additional CAs, either as separate Root CAs, or as chains with
intermediate Authorities which might be preferable in the long run, in case
you have to revoke a CA for some reason.
But, I think that putting multiple separate clients in one DebOps environment
(project directory) might not be a good idea. The model of these directories
and the playbooks/roles are designed as self-contained entities. If you want
to use DebOps to manage multiple, separate clients, I would put each client
environment in its own separate DebOps project directory. That way passwords
for certain services like snmpd, shared databases, etc. are not exposed to
other clients. If you still want them to be able to talk with each other via
SSL with internal CAs, you can just cross-share the Root CA certificates
between the environments by putting them in 'secret/pki/ca-certificates/'
subdirectories.
Cheers,
Maciej Delmanowski
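As an added illustration of the reply above (this is example inventory, not a fragment from the original message or from the debops.pki role itself), the following Ansible inventory override extends 'pki_authorities' with two independent customer chains, each a self-signed Root CA plus an intermediate Domain CA linked through 'issuer_name'. The 'name' and 'issuer_name' keys are the ones the reply names; the 'subject', 'type' and 'subdomain' keys, the customer names and the organisation strings are assumptions and should be checked against the defaults file of the role version you run.

```yaml
# Added example, not from the original message or the debops.pki role.
# Place in the inventory (e.g. ansible/inventory/group_vars/all/pki.yml).
# The reply says to copy the default 'pki_authorities' list first and then
# append entries; only the two default entries it names are kept here, so
# merge in any other entries your version of the defaults file contains.
#
# 'name' and 'issuer_name' come from the reply; 'subject', 'type' and
# 'subdomain' are ASSUMED from the role defaults and must be verified.

pki_authorities:

  # The role's own default chain: Root CA -> Domain CA.
  - '{{ pki_authorities_ca_root }}'
  - '{{ pki_authorities_ca_domain }}'

  # Customer A (constructed name): its own self-signed Root CA ...
  - name: 'customer-a-root'
    subdomain: 'customer-a-root'
    type: 'root'
    subject: [ 'o=Customer A (example)', 'cn=Customer A Root CA' ]

  # ... and an intermediate Domain CA signed by that root. 'issuer_name'
  # must equal the parent's 'name' exactly; a mismatch silently produces
  # a certificate that does not chain to the intended root.
  - name: 'customer-a-domain'
    subdomain: 'customer-a-domain'
    type: 'domain'
    issuer_name: 'customer-a-root'
    subject: [ 'o=Customer A (example)', 'cn=Customer A Domain CA' ]

  # Customer B (constructed name): a second chain with no trust
  # relationship to Customer A, so revoking or replacing one customer's
  # Domain CA never touches the other.
  - name: 'customer-b-root'
    subdomain: 'customer-b-root'
    type: 'root'
    subject: [ 'o=Customer B (example)', 'cn=Customer B Root CA' ]

  - name: 'customer-b-domain'
    subdomain: 'customer-b-domain'
    type: 'domain'
    issuer_name: 'customer-b-root'
    subject: [ 'o=Customer B (example)', 'cn=Customer B Domain CA' ]
```

After the playbook has issued certificates, confirm the separation rather than assuming it: a server certificate issued under Customer A should pass `openssl verify -CAfile <customer-a-root.crt> <server.crt>` and fail the same check against Customer B's root. If you instead follow the reply's recommendation of one project directory per client and cross-share trust, copy only the Root CA certificate into the other environment's 'secret/pki/ca-certificates/' directory; the CA private keys stay inside their own environment.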