Users should be able to reset their coordinator credentials #34
Comments
|
I started looking into how to do this. It is easy to generate new client certificates (just do the same thing we did to generate them), but with our current setup it would be impossible to revoke them. Revocation works by maintaining a Certificate Revocation List (CRL) in the file system, but because the CA is duplicated across the two servers, there is no clean way to maintain consistency between the CRL in each server (i.e. users invalidating certificates would happen on the user server, which would have no effect on the CRL being used by the device server). I'm checking with the OSL if there is any way to share a secure file storage between the servers. This would be the simplest solution. |
|
The OSL does not have any shared file storage. They suggested setting up an NFS. I don't know anything about what that would look like. |
Is your feature request related to a problem? Please describe.
If a coordinators credentials are lost or leaked there is currently no way to get new ones without creating a whole new network.
Describe the solution you'd like
A user interface to request new coordinator credentials for a network. This would be access restricted (only to owners?) and on the api side would generate a new client certificate/key, replace the database fingerprint, and (if possible) invalidate the old certificate (maybe make this optional?).
The text was updated successfully, but these errors were encountered: