
FR: slackhq/nebula support

Open LecrisUT opened this issue 4 years ago • 12 comments

What would you like to be added

Managing nebula's CA protocol. Just supporting certificate signing via ACME would be sufficient. I don't know if the nebula certificate is already standard and this would already be supported, so some input would be appreciated. I hope this Go file is a good starting point: https://github.com/slackhq/nebula/blob/master/cmd/nebula-cert/sign.go

Why this is needed

Some sort of collaboration between these systems would be great. Currently nebula does not have automated certificate renewal, and it has none of the CA features found here, like SSO or certificate management.

LecrisUT avatar Feb 20 '21 00:02 LecrisUT

Nebula certificates use their own format; using ACME for it would be weird because there are no ACME clients that will support it.

maraino avatar Feb 20 '21 00:02 maraino

If they implement their own acme like client, would it be possible to connect it to step's CA and inherit its features?

LecrisUT avatar Feb 20 '21 00:02 LecrisUT

> If they implement their own acme like client, would it be possible to connect it to step's CA and inherit its features?

I guess so, if we add support for Nebula (they are our friends).

maraino avatar Feb 20 '21 00:02 maraino

I was thinking about this issue again, and doesn't step-ca already support all that is needed with Certificate Templates? Standard ACME would not be applicable, but using OAuth would be ideal to authenticate user certificates. Am I missing more nuanced issues due to nebula using non-standard certificates? Would most development be needed on step-ca or nebula to get this compatibility?

LecrisUT avatar Feb 24 '21 05:02 LecrisUT

@LecrisUT step-ca and certificate templates only support X.509 and SSH certificates, and Nebula certificates are not X.509. So, the CA would have to support Nebula's certificate format first. I think all of the work would need to be done on step-ca to support the Nebula cert format. I'm sure they have a very good reason for having their own cert format, and it wouldn't make sense for them to switch away from that.

tashian avatar Feb 24 '21 15:02 tashian

@maraino would you accept a merge that added this in? It seems like it would be fairly huge, and need to add something similar to the sshCA option for provisioners, and add things like SignNebula() similar to SignSSH endpoints?

If the new webhook/plugin functionality would enable this, then I'll wait for that to be released instead.

unreality avatar Nov 10 '22 05:11 unreality

It's in beta. Haven't tested what's done so far yet.

https://github.com/smallstep/certificates/blob/7101fbb0ee939d24756695508845e78e41a1cb59/authority/provisioner/nebula.go

LecrisUT avatar Nov 10 '22 05:11 LecrisUT

I think that code is for using a Nebula cert to authorise an action for SSH or X.509?

I'm proposing adding minting of new nebula certs that nodes can use to connect to the mesh, so step would act as a nebula CA.

unreality avatar Nov 10 '22 05:11 unreality
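Added example (not from this thread, and not code from Nebula or step-ca) to make concrete the two points above: tashian's remark that a Nebula certificate is not X.509, and unreality's proposal that step-ca mint Nebula certificates. It shows the CA-side operation a hypothetical SignNebula() endpoint would have to perform, Ed25519 over a protobuf-encoded details message, plus the node-side verification. Assumptions: the field numbers and the "NEBULA CERTIFICATE" PEM banner are taken from my reading of cert.proto in slackhq/nebula and the framing is hand-rolled, so interop with nebula-cert has not been checked; Groups, Subnets and the curve field are left out; a random 32-byte value stands in for the node's X25519 public key. Nebula's real encoder lives in its cert package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// Assumed wire layout (my reading of cert.proto in slackhq/nebula, not verified for
// interop): outer message {Details=1, Signature=2}; Details {Name=1, Ips=2 as packed
// ip,mask pairs, NotBefore=5, NotAfter=6, PublicKey=7, IsCA=8, Issuer=9}.
const pemType = "NEBULA CERTIFICATE"

func putVarint(b []byte, field, v uint64) []byte {
	return binary.AppendUvarint(binary.AppendUvarint(b, field<<3), v) // wire type 0
}

func putBytes(b []byte, field uint64, v []byte) []byte {
	b = binary.AppendUvarint(b, field<<3|2) // wire type 2: length-delimited
	return append(binary.AppendUvarint(b, uint64(len(v))), v...)
}

type Details struct {
	Name      string
	IP, Mask  uint32
	NotBefore time.Time
	NotAfter  time.Time
	PublicKey []byte // CA: Ed25519 signing key; node: X25519 key (random stand-in below)
	IsCA      bool
	Issuer    []byte // sha256 of the issuing cert's raw bytes; empty means self-signed
}

func marshalDetails(d Details) []byte {
	ips := binary.AppendUvarint(binary.AppendUvarint(nil, uint64(d.IP)), uint64(d.Mask))
	b := putBytes(nil, 1, []byte(d.Name))
	b = putBytes(b, 2, ips)
	b = putVarint(b, 5, uint64(d.NotBefore.Unix()))
	b = putVarint(b, 6, uint64(d.NotAfter.Unix()))
	b = putBytes(b, 7, d.PublicKey)
	if d.IsCA {
		b = putVarint(b, 8, 1)
	}
	if len(d.Issuer) > 0 {
		b = putBytes(b, 9, d.Issuer)
	}
	return b
}

// Sign is the CA-side step: Ed25519 over the marshaled Details, wrapped with the signature.
func Sign(caKey ed25519.PrivateKey, d Details) []byte {
	det := marshalDetails(d)
	raw := putBytes(putBytes(nil, 1, det), 2, ed25519.Sign(caKey, det))
	return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: raw})
}

// decode checks the banner and splits the outer message into details and signature bytes.
func decode(pemBytes []byte) (raw, details, sig []byte, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != pemType {
		return nil, nil, nil, errors.New("not a " + pemType + " block")
	}
	for rest := block.Bytes; len(rest) > 0; {
		tag, n := binary.Uvarint(rest)
		if n <= 0 || tag&7 != 2 {
			return nil, nil, nil, errors.New("malformed outer message")
		}
		l, m := binary.Uvarint(rest[n:])
		if m <= 0 || uint64(len(rest)-n-m) < l {
			return nil, nil, nil, errors.New("truncated field")
		}
		switch body := rest[n+m : n+m+int(l)]; tag >> 3 {
		case 1:
			details = body
		case 2:
			sig = body
		}
		rest = rest[n+m+int(l):]
	}
	if details == nil || sig == nil {
		return nil, nil, nil, errors.New("missing details or signature")
	}
	return block.Bytes, details, sig, nil
}

// Verify is the node-side check: the signature must verify under the trusted CA key.
func Verify(caPub ed25519.PublicKey, pemBytes []byte) error {
	_, det, sig, err := decode(pemBytes)
	if err != nil {
		return err
	}
	if !ed25519.Verify(caPub, det, sig) {
		return errors.New("signature does not verify under this CA")
	}
	return nil
}

// IsX509 shows the format gap: Go's X.509 parser rejects the same bytes.
func IsX509(pemBytes []byte) bool {
	raw, _, _, err := decode(pemBytes)
	if err != nil {
		return false
	}
	_, err = x509.ParseCertificate(raw)
	return err == nil
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caCert := Sign(caKey, Details{Name: "example-ca", IsCA: true, PublicKey: caPub,
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour)})
	caRaw, _, _, _ := decode(caCert)
	issuer := sha256.Sum256(caRaw) // binds the node cert to this CA cert
	nodeKey := make([]byte, 32)    // stand-in for the node's X25519 public key
	rand.Read(nodeKey)
	nodeCert := Sign(caKey, Details{Name: "node1", IP: 0x0a0a0001, Mask: 0xffffff00, PublicKey: nodeKey,
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), Issuer: issuer[:]})
	fmt.Printf("%sverify: %v, parses as X.509: %v\n", nodeCert, Verify(caPub, nodeCert), IsX509(nodeCert))
}
```

The shape matters for the step-ca discussion: everything the CA signs is one opaque protobuf blob, so none of the X.509 machinery (templates, extensions, the x509 package) applies, and a Nebula provisioner would need its own signer, its own validity and revocation handling (CRL, as mentioned below), and its own PEM type.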

I don't see why not, especially now that CRL is included. It would be good, though, to have most of the client-side CLI on nebula, e.g. requesting a new certificate from the CA's URL.

LecrisUT avatar Nov 10 '22 05:11 LecrisUT

Hi @LecrisUT,

@unreality is right about the current Nebula integration. It's used to authenticate using a Nebula certificate to request an X.509 or SSH certificate. Not for requesting a Nebula certificate from step-ca.

Minting Nebula certs has come up in internal discussions more than once. It could be an interesting addition to our current certificate types, but it certainly is going to be a larger effort to fully realize. I can't say for sure if this is something we want strongly integrated, or maybe as an optional extension to step-ca. We can discuss internally if this is something we want and how we want it to work within the rest of our platform.

hslatman avatar Nov 10 '22 10:11 hslatman

Following up after we had a chance to discuss with the team this morning.

Our understanding of Nebula is that it is an enterprise product. Therefore minting Nebula certificates would also be useful only for enterprises. As such, if we do implement this feature, it will only be part of our enterprise offering (not OSS).

We're open to having our minds changed (we can be quite capricious :p), but that's our position at this time.

dopey avatar Nov 16 '22 22:11 dopey

@dopey would the team accept a pull request that implemented it? Or is it outside of the scope you want in the open source product?

unreality avatar Nov 16 '22 23:11 unreality