Save private key and ocsp in database
Is there a way to store private key and ocsp files in the database instead of in files?
I have some limits in my servers and using files exclusively for these, which has resulted in a slowdown
Would love this. Great for using in Kubernetes
Hi,
This is currently not possible, as storing them in the database is a security risk. The frontend webserver should not have access to the private keys... but needs access to the database.
> I have some limits in my servers and using files exclusively for these, which has resulted in a slowdown
Can you detail those limits and where the slowdown occurs? OCSP keys should usually be in the cache, making them very fast, and signing private keys can hardly be the limiting factor (and occurs in the Celery worker anyway).
> Great for using in Kubernetes
Do you really have no way of storing files there?
kr, Mat
@mathiasertl
I want to run it in Kubernetes, but there are significant file limitations. In Kubernetes, using a database is more secure and reliable than relying on files.
So, I believe the only solution for me is to use django-db-file-storage.
At present, that would be a solution, yes.
However, dynamic backend support could be used to implement storage in the database. If you're willing to try a PR, I'm happy to assist, otherwise I can't commit to implementing this before 2.1.
Hi @mymy47,
2.1.0 will implement this feature using a backend for storing keys. Please see the docs for more information. Would be glad if you try this for your setup.
kr, Mat