From 7488bc623f44100b716c7b18cb979ddfcc21b2e8 Mon Sep 17 00:00:00 2001 From: Tigran Najaryan Date: Wed, 19 Jul 2023 15:12:31 -0400 Subject: [PATCH] Add client-initiated certificate request flow (CSR) Resolves https://github.com/open-telemetry/opamp-spec/issues/13 Uses [Development] label as the indication of the least mature level proposed in this upcoming OTEP: https://github.com/open-telemetry/oteps/pull/232/ --- specification.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/specification.md b/specification.md index 0fe93f5..8228caf 100644 --- a/specification.md +++ b/specification.md @@ -1483,6 +1483,8 @@ without disrupting the access to all other Agents. #### Agent-initiated CSR Flow +Status: [Development] + This is an Agent-initiated flow that allows the Client to send a Certificate Signing Request (CSR) to the Server and obtain a self-signed or CA-signed client certificate that the Client can use for subsequent OpAMP connections. @@ -1547,7 +1549,8 @@ The sequence is the following: will be set to the CA's public key. The private_key field will not be set, since in this flow the Agent possesses the private key and the Server does not possess it. - (8) Upon successful completion of verification of the offered new client certificate, - the Agent removes the bootstrap certificate. + the Agent removes the bootstrap certificate if one was used and uses the new + certificate for future connections. When sending OpAMPConnectionSettings to the Agent the Server MAY include fields other than `certificate`, thus enabling the Server to replace Agent's certificate, 
@@ -1557,8 +1560,13 @@ If any of the steps 4-6 fails the Server MUST respond to the Agent with a [ServerErrorResponse](#servererrorresponse-message) with the `type` field set to `ServerErrorResponseType_BadRequest`. +The exact same flow may be used by the Agent to re-request a new certificate anytime. +For example the Agent may do it when the current certificate expiration date approaches. + ##### Using instance_uid in the CSR +Status: [Development] + The implementation may choose to use Agent's instance_uid as one of the CSR fields (or part of the field) and the Server may in such implementations verify that the connecting Agent's instance_uid in the payloads matches the certificate's content. @@ -1574,7 +1582,7 @@ of the instance_uid requires re-generation of the client certificate. Such chang possible for example if the Server instructs the Agent to use a new instance_uid via [new_instance_uid](#servertoagentagent_identification) field. -When instructed by the Server to changes its instance_uid the Agent must also repeat the +When instructed by the Server to change its instance_uid the Agent must also repeat the [Agent-initiated CSR Flow](#agent-initiated-csr-flow) this time using the new instance_uid as one of the CSR fields. The Server must be ready to receive a CSR like that, while the Agent is still using the old certificate that contains the old
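Review bot: The `Status: [Development]` line added under "Agent-initiated CSR Flow" (hunk `@@ -1483,6 +1483,8 @@`) gives the reader no way to find out what the label means. The commit message ties it to an OTEP that is still an open pull request. Suggest linking the label to a definition of the maturity levels, or adding one sentence to the specification that says what stability an implementer can expect from a section marked this way.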
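Review bot: In step (8) (hunk `@@ -1547,7 +1549,8 @@`) the new wording covers the bootstrap certificate but not the client certificate being replaced when the flow is repeated, which the following hunk allows. It also does not say whether the Agent keeps the previous credential until a connection with the new certificate has succeeded. Suggest spelling out both, for example "the Agent removes the bootstrap or previous client certificate once a connection using the new certificate succeeds".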
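Review bot: The re-request paragraph added in hunk `@@ -1557,8 +1560,13 @@` does not say which certificate the Agent presents on the connection that carries the new CSR, and "anytime" leaves the Server no stated basis for declining or limiting repeated requests. Suggest stating that the Agent sends the CSR while connected with its current client certificate, and whether the Server is allowed to refuse a re-request and with which response.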
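Review bot: In hunk `@@ -1574,7 +1582,7 @@` the corrected sentence still uses lowercase "must" ("the Agent must also repeat", and "The Server must be ready" on the next line), while other lines in this patch use uppercase "MUST" and "MAY" for requirements. If these are normative, suggest uppercasing them in the same edit. The added "may be used by the Agent" and "the Agent may do it" in the previous hunk have the same ambiguity.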