psl-omi-provider icon indicating copy to clipboard operation
psl-omi-provider copied to clipboard

Published 20 hours ago verified publisher icon PowerShell

add x509 client certificate authentication

Open paulcallen opened this issue 8 years ago • 5 comments

paulcallen avatar Jan 11 '17 20:01 paulcallen

@gabriel-samfira, how would you envisage this working on Linux? On windows we have a cert store and so the client specifies a thumb print ID for it and windows can find it from there. On Linux my understanding is this is not the case and certs can be thrown all over the place. I am guessing that specify the location of the cert file itself would be the best solution. Thoughts?

paulcallen avatar Jan 12 '17 19:01 paulcallen

I think you have a few options here. It depends on how deep you want to go into this particular rabbit hole. On linux there are a few standard locations to store certificates and keys in. Commonly, trusted root certificates are stored in /etc/ssl/certs. This would be the equivalent of cert:\LocalMachine\Root.

Any keys you generally want to generate, should go in /etc/ssl/private (although this is not mandatory, especially in a multi-tenant deployment - which is the vast majority of Linux deployments).

There are other mechanisms to manage keys in Linux. Another commonly available application in any desktop Linux distribution is Seahorse, which also has a DBUS API, which allows users to query/watch user's keys. More info on that here: https://wiki.gnome.org/Apps/Seahorse/DBus . That however is desktop environment specific.

Another option would be to emulate the way OpenSSH does things. Have a $HOME/.x509 folder on the system, create a cert:\ PSDrive on top of that, and a very thin abstraction that allows powershell to query it the same way it queries the windows APIs.

Not familiar enough with powershell core code to know if this is feasible or not.

If specifying the physical location on disk to the certificate and corresponding key is the easiest and cleanest way to do it, I am all for it. :-)

gabriel-samfira avatar Jan 13 '17 11:01 gabriel-samfira

thanks @gabriel-samfira. I appreciate your input.

paulcallen avatar Jan 13 '17 17:01 paulcallen

If specifying the physical location on disk to the certificate and corresponding key is the easiest and cleanest way to do it, I am all for it. :-)

I would second this. Most software that I use on linux just has you explicitly specify a file paths for PEM encoded cert and key.

see consul, kubectl, and etcdctl

tam7t avatar May 03 '17 01:05 tam7t

@tam7t I appreciate your input. Thanks.

Adding a reference to OMI issue as that is where this would need to get implemented first, Microsoft/omi#302

paulcallen avatar May 03 '17 18:05 paulcallen