BUSINESS PROBLEM
End users are not informed about the policies set in TLS PC. Currently, they must verify that all CSRs, both local and service, adhere to the specified policy. This issue is not limited to a one-time setup occurrence. Whenever there is a change in policy, it is necessary to update all endpoints to meet the new policy requirements.
PROPOSED SOLUTION
Whether a Certificate Signing Request (CSR) is designated as local or service, vcert should pull the policy and generate the CSR accordingly, eliminating the need for local definition. This approach would provide centralized policy control and simplify the process for end users, particularly when policies change.
CURRENT ALTERNATIVES
Modifying the requests, which can mean touching lots of endpoints to match the (new) policy.
VENAFI EXPERIENCE
Fell in love with Venafi in 2016
When using a playbook file with the following settings in a playbook:
request:
  csr: service
  subject:
    commonName: '{{ Hostname | ToLower -}}.{{- Env "USERDNSDOMAIN" | ToLower }}'
    country: US
    locality: Salt Lake City
    state: Utah
    organization: Venafi Inc
    orgUnits:
      - engineering
      - marketing
TLS PC will reject this request if it's not compliant with the policy (e.g. OU does not match), even if it's set to service generated. The behavior of TPP is more admin & user-friendly as TPP will enforce the policy. It makes it possible to enforce and make changes to a policy without breaking all existing playbooks.
It should be possible to make changes on the Issuing Template in TLS PC and enforce new settings without breaking existing playbooks.
I think the challenge here is how to handle the fact that a Certificate Issuance Template on TLSPC can be very different than TPP. There is no concept of "locked", and you can also supply multiple criteria that are OR'd together. These can also be regex. Take this use case for example: What would vCert set the Organization to if the user did not provide it?
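The ambiguity raised in the comment above, sketched as an added example (not vcert or TLS PC code): `FieldRule` and its methods are hypothetical, and the sample rules are constructed. It shows that a client can only fill in an omitted subject field when the template allows exactly one literal value.

```go
package main

import (
	"fmt"
	"regexp"
)

// FieldRule is a hypothetical model of one subject field in an issuing
// template: regex criteria that are OR'd together (not vcert's own type).
type FieldRule struct{ Patterns []string }

// Allows reports whether value fully matches at least one OR'd pattern.
func (r FieldRule) Allows(value string) (bool, error) {
	for _, p := range r.Patterns {
		re, err := regexp.Compile("^(?:" + p + ")$")
		if err != nil {
			return false, fmt.Errorf("bad pattern %q: %w", p, err)
		}
		if re.MatchString(value) {
			return true, nil
		}
	}
	return false, nil
}

// Default returns the value a client could fill in for an omitted field.
// It is only unambiguous for a single pattern with no regex metacharacters.
func (r FieldRule) Default() (string, bool) {
	if len(r.Patterns) != 1 || regexp.QuoteMeta(r.Patterns[0]) != r.Patterns[0] {
		return "", false
	}
	return r.Patterns[0], true
}

func main() {
	// Constructed sample rules, not taken from a real issuing template.
	rules := map[string]FieldRule{
		"single literal": {Patterns: []string{"Venafi Inc"}},
		"OR'd + regex":   {Patterns: []string{"Venafi Inc", "Example .*"}},
	}
	for name, r := range rules {
		ok, _ := r.Allows("Venafi Inc")
		def, has := r.Default()
		fmt.Printf("%s: allows=%v default=%q derivable=%v\n", name, ok, def, has)
	}
}
```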