certificates icon indicating copy to clipboard operation
certificates copied to clipboard

Published 20 hours ago verified publisher icon smallstep

Separate the admin API from the CA API

Open tashian opened this issue 3 years ago • 1 comments

A common pattern in services that have an Admin API is to stand it up on a separate socket address. And, since a CA is a particularly sensitive application, it could be wise for us to do the same. There are tradeoffs, though. What we do right now is simpler, and it is secured in the same way as the CA's certificate issuance mechanisms. One could make the case that a separate Admin API is unnecessary and adds extra knobs and complexity most people won't use. My only perspective here is: it's probably worth a discussion. And, if we want to separate it, it would make sense to do that sooner than later.

This example is from the nginx unit docs: Screen Shot 2022-10-25 at 12 11 50 PM

tashian avatar Oct 25 '22 19:10 tashian

via mariano - this would probably be optional to conform with other projects.

dopey avatar Oct 26 '22 17:10 dopey