Information Security
Alex, 2021-12-16 16:16:21

How to organize PKI correctly?

Hey! I have been reading about how to organize my PKI and did not quite understand one thing.
Let's say I have a Kubernetes cluster, a MongoDB ReplicaSet, a Consul cluster, and an OpenVPN server. Certificates are used everywhere for authentication. As I understand it, if we have one root CA for everything (offline) and one intermediate, then all certificates will be issued by one certification authority (that is, they all trust each other).
Does this mean that, say, an OpenVPN user can take their certificate and use it to join their node to, for example, the Consul cluster? Or that it is possible to take a certificate that Kubernetes uses and successfully log in to OpenVPN? If so, does it turn out that you need a separate CA for each type of service? Or is there some other way to impose restrictions?


1 answer(s)
CityCat4, 2021-12-16

I read about the organization of my PKI and did not quite understand one thing

Judging by the OP's question, it should have read "I didn't understand a damn thing, so I can't even really explain what I need."
PKI is a hierarchical structure for issuing X.509 certificates, which are essentially tamper-proof files containing some set of data (if you abstract away from the web of trust, since no one trusts your own CA) that you pass between various services. How these files are used is your own business: what data you put in is what you check.
Different restrictions can be implemented in different ways; it all depends on what you need.
In mail, a certificate is used for encryption.
On the web, for verifying the authenticity of a name.
In a VPN, for authenticating the parties.
