Skip to content

Commit

Permalink
Add client-initiated certificate request flow (CSR)
Browse files Browse the repository at this point in the history
Resolves #13

Uses [Development] label as the indication of the least
mature level proposed in this upcoming OTEP:
open-telemetry/oteps#232
  • Loading branch information
tigrannajaryan committed Jul 20, 2023
1 parent 43bbc69 commit 7488bc6
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions specification.md
Original file line number Diff line number Diff line change
Expand Up @@ -1483,6 +1483,8 @@ without disrupting the access to all other Agents.

#### Agent-initiated CSR Flow

Status: [Development]

This is an Agent-initiated flow that allows the Client to send a Certificate
Signing Request (CSR) to the Server and obtain a self-signed or CA-signed client
certificate that the Client can use for subsequent OpAMP connections.
Expand Down Expand Up @@ -1547,7 +1549,8 @@ The sequence is the following:
will be set to the CA's public key. The private_key field will not be set, since in
this flow the Agent possesses the private key and the Server does not possess it.
- (8) Upon successful completion of verification of the offered new client certificate,
the Agent removes the bootstrap certificate.
the Agent removes the bootstrap certificate if one was used and uses the new
certificate for future connections.

When sending OpAMPConnectionSettings to the Agent the Server MAY include fields
other than `certificate`, thus enabling the Server to replace Agent's certificate,
Expand All @@ -1557,8 +1560,13 @@ If any of the steps 4-6 fails the Server MUST respond to the Agent with a
[ServerErrorResponse](#servererrorresponse-message) with the `type` field set
to `ServerErrorResponseType_BadRequest`.

The exact same flow may be used by the Agent to re-request a new certificate anytime.
For example the Agent may do it when the current certificate expiration date approaches.

##### Using instance_uid in the CSR

Status: [Development]

The implementation may choose to use Agent's instance_uid as one of the CSR fields
(or part of the field) and the Server may in such implementations verify that the
connecting Agent's instance_uid in the payloads matches the certificate's content.
Expand All @@ -1574,7 +1582,7 @@ of the instance_uid requires re-generation of the client certificate. Such chang
possible for example if the Server instructs the Agent to use a new instance_uid
via [new_instance_uid](#servertoagentagent_identification) field.

When instructed by the Server to changes its instance_uid the Agent must also repeat the
When instructed by the Server to change its instance_uid the Agent must also repeat the
[Agent-initiated CSR Flow](#agent-initiated-csr-flow) this time using the new
instance_uid as one of the CSR fields. The Server must be ready to receive a CSR like
that, while the Agent is still using the old certificate that contains the old
Expand Down

0 comments on commit 7488bc6

Please sign in to comment.