Consider shorter X.509 certificate lifetimes #4299

Open
tashian opened this issue Nov 30, 2020 · 5 comments

@tashian
tashian commented Nov 30, 2020

Change Request

  1. Describe what you find is inappropriate or missing in the existing docs.

The certificate-based authentication docs suggest minting 1,000-year TLS certificates for authentication. 1,000 years is a very long validity period. Have you considered 90 days or less?

  2. Describe your suggestion or addition.

Short-lived certificates are much safer, especially for client authentication (where client certs and keys are more likely to be moved around and more easily exfiltrated). If nothing else, it'd be great for the docs to point to resources on best practices for certificate management in production. For configuring automated renewal, it'd also be helpful to know when certificate files are read by TiDB. Does TiDB need to be restarted? Sent a HUP signal? Or are certificate files read on every new connection?

A more gourmet option is for TiDB to build in support for being an ACME client (the protocol used by Let's Encrypt).

  3. Provide some reference materials (documents, websites, etc.) if you could.

My company (Smallstep Labs) has created an open-source X.509 CA that makes minting and renewing certificates easy. Here's a tutorial for automating X.509 certificate lifecycle management.

@github-actions
This issue is stale because it has been open for 60 days with no activity. If no comment has been made and the lifecycle/stale label is not removed, this issue will be closed in 15 days.

@github-actions github-actions bot added the lifecycle/stale label Jan 30, 2021
@github-actions
This issue will be closed because it has been stale for 15 days with no activity. If you still have any question about this issue, feel free to reopen it or create a new one.

@TomShawn TomShawn reopened this Feb 18, 2021
@TomShawn TomShawn removed the lifecycle/stale label Feb 18, 2021
@TomShawn
Contributor

@tashian Thanks very much for such detailed feedback!
@bb7133 Shall we consider updating this document?

@TomShawn TomShawn added the lifecycle/frozen label Feb 18, 2021
@tashian
Author

tashian commented Feb 22, 2021

You're welcome, @TomShawn, and I'm happy to discuss further.

@dveeden
Contributor

dveeden commented Apr 6, 2021

I think there are three separate things in this issue:

  1. A feature request for ACME support in TiDB
  2. A request to document the certificate rollover procedure
  3. Use a validity of 90 days or less to better align with best practices

I think the two different scenarios here are:

  • Manual certificate renewal: Here a validity period of 1 year or so probably makes sense.
  • Automated certificate renewal: With the tools described above or with something like Netflix Lemur.
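As an added example (not TiDB's, Smallstep's or Netflix Lemur's code), a small Go check that encodes the lifetime policy discussed in this thread: it flags a certificate whose validity exceeds an assumed 90-day maximum and reports when renewal is due, using an assumed renewal point at two thirds of the lifetime; the self-signed client certificate it builds is constructed for the demo. Go's time.Duration saturates at about 292 years, so a 1,000-year certificate like the one in the docs still trips the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed policy for this example: reject lifetimes over 90 days and
// trigger renewal once two thirds of the lifetime has elapsed.
const maxLifetime, renewFraction = 90 * 24 * time.Hour, 2.0 / 3.0

// CheckLifetime reports whether cert's lifetime exceeds maxLifetime and whether renewal is due at now.
// time.Duration saturates at ~292 years, so a 1,000-year cert is still flagged as too long.
func CheckLifetime(cert *x509.Certificate, now time.Time) (tooLong, renewDue bool) {
	life := cert.NotAfter.Sub(cert.NotBefore)
	elapsed := now.Sub(cert.NotBefore)
	return life > maxLifetime, float64(elapsed) >= float64(life)*renewFraction
}

// selfSigned builds a constructed self-signed client cert for the demo.
func selfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "tidb-client-example"},
		NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2020, 11, 30, 0, 0, 0, 0, time.UTC)
	cert, err := selfSigned(start, start.AddDate(1000, 0, 0)) // the docs' 1,000-year cert
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckLifetime(cert, time.Now()))
}
```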
