<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Don't we have Ansible on modern systems to be managed like that?</p>
<p>I doubt we want an API to manage keys for specific applications.
Sure, we may simplify creation of self-signed certificates
with a key pair. We may standardize generation of a certificate
request with a key, but I doubt we want an incompatible system
reimplemented by systemd.</p>
<p>It would be nice to have a common way to do some operations, but
we have multiple crypto libraries on Linux. We certainly do not
want to throw all the others away and start using just a single one.</p>
<p>I think it would be nice if you first shared the motivation for
your request. What problem are you trying to solve? What tasks are
difficult now? In what software do you need them solved?</p>
<p>I think keys can be stored in PKCS#11 storage. But a common
storage for any application seems wrong; we want permissions
separate for each app. I don't think a copy of the Windows API is the way
to go.</p>
<p>I think most services require Let's Encrypt style refreshes of
certs. Sure, a good library for integration in existing software
would help. But please do not add yet another reimplementation to
systemd. It already does too many different things in a single
project.</p>
<p>Regards,<br>
Petr<br>
</p>
<div class="moz-cite-prefix">On 5/25/22 20:59, SCOTT FIELDS wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR14MB30554D0691F9388A8B720F958AD69@MN2PR14MB3055.namprd14.prod.outlook.com">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<div class="WordSection1">
<p class="MsoNormal"><span>The only tools I know of that manage
the files in /etc/pki are part of “ca-certificates” and they
only manage the CAs, not general app specific public/private
keys.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>And even so, command line tools
aren’t APIs.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>The prime reason you want an actual
API that’s widely available is it encourages other solution
providers to leverage it.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Again, the CAPI/CNG API in Windows is
an example.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>You can very easily manage all kinds
of key management via a central API, and in turn, you can
then leverage that infrastructure in other tools.<br>
<br>
What I would then like to see is an engine for OpenSSL be
able to leverage this and then have access to the keychain
infrastructure without the file management involved.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>This is something you can do with
OpenSSL on Windows via the CAPI engine (or other API
solutions that have their own engine solution in OpenSSL),
for instance.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Since most secure products in Linux
use OpenSSL, this almost immediately would also give them
access to a centrally managed keystore.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>That’s what I would like to see.</span></p>
<p class="MsoNormal"><span> </span></p>
<div>
<p class="MsoNormal"><b><span>From:</span></b><span> Barry
Scott <a class="moz-txt-link-rfc2396E" href="mailto:barry@barrys-emacs.org"><barry@barrys-emacs.org></a>
<br>
<b>Sent:</b> Wednesday, May 25, 2022 1:30 PM<br>
<b>To:</b> SCOTT FIELDS <a class="moz-txt-link-rfc2396E" href="mailto:Scott.Fields@kyndryl.com"><Scott.Fields@kyndryl.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:systemd-devel@lists.freedesktop.org">systemd-devel@lists.freedesktop.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [systemd-devel] certificate
and trust store feature for systemd</span></p>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><span><br>
<br>
</span></p>
<blockquote>
<div>
<p class="MsoNormal"><span>On 25 May 2022, at 19:22, SCOTT
FIELDS <<a href="mailto:Scott.Fields@kyndryl.com"
moz-do-not-send="true" class="moz-txt-link-freetext">Scott.Fields@kyndryl.com</a>>
wrote:</span></p>
</div>
<p class="MsoNormal"><span> </span></p>
<div>
<div>
<p class="MsoNormal"><span>If you’re referring to files
in /etc/pki, that’s not a management API, like CAPI
or CNG provides in Windows (and a like API in OSX).</span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<p class="MsoNormal"><span>There are tools that you run that
manage the files. Sorry I do not have the details in front
of me.</span></p>
</div>
<div>
<p class="MsoNormal"><span>The tools are the API at least for
trust store from what I recall when I set it up.</span></p>
</div>
<div>
<p class="MsoNormal"><span><br>
<br>
</span></p>
<blockquote>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<p class="MsoNormal"><span>There’s a keychain solution
in Gnome (GNOME/Keyring) but not widely adopted that
I’ve seen.</span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<p class="MsoNormal"><span>I use KDE and the kwallet is used
in most apps I use. If there is an app in gnome that is
not using the keyring</span></p>
</div>
<div>
<p class="MsoNormal"><span>then that's a problem with the app
surely, not the API?</span></p>
</div>
<p class="MsoNormal"><span><br>
<br>
</span></p>
<blockquote>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<p class="MsoNormal"><span>This just seems a good match
to have available within systemd</span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<p class="MsoNormal"><span>I do not speak for systemd, just
curious about why you think this is needed.</span></p>
</div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<p class="MsoNormal"><span>Barry</span></p>
</div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<p class="MsoNormal"><span><br>
<br>
</span></p>
<blockquote>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<div>
<p class="MsoNormal"><b><span>From:</span></b><span
class="apple-converted-space"><span> </span></span><span>Barry
Scott <<a href="mailto:barry@barrys-emacs.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">barry@barrys-emacs.org</a>><span
class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Wednesday,
May 25, 2022 1:16 PM<br>
<b>To:</b><span class="apple-converted-space"> </span>SCOTT
FIELDS <<a
href="mailto:Scott.Fields@kyndryl.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Scott.Fields@kyndryl.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span><a
href="mailto:systemd-devel@lists.freedesktop.org" moz-do-not-send="true"
class="moz-txt-link-freetext">systemd-devel@lists.freedesktop.org</a><br>
<b>Subject:</b><span class="apple-converted-space"> </span>[EXTERNAL]
Re: [systemd-devel] certificate and trust store
feature for systemd</span></p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<p class="MsoNormal"><span><br>
<br>
<br>
</span></p>
</div>
<blockquote>
<div>
<div>
<p class="MsoNormal"><span>On 25 May 2022, at
14:06, SCOTT FIELDS <<a
href="mailto:Scott.Fields@kyndryl.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Scott.Fields@kyndryl.com</a>>
wrote:</span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span>I apologize for the
very general inquiry.</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>Are there any plans
to have system natively support its own
trust store for items like CAs, x509 certs,
passwords & truststores akin to the
keychain in Windows and OS X?</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>But these are solved
problems on modern Linux systems aren't they?</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>At least with RHEL and
Fedora they have a trust store and keychains.</span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span><br>
<br>
<br>
</span></p>
</div>
<blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>I still find the
management of PKIs in /etc/pki to be
problematic.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span>For my home network I have
my own DNS domain and CA setup. It was easy to add
the CA to</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>Fedora's trust store.</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span><br>
<br>
<br>
</span></p>
</div>
<blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>Having this available
as a core service within systemd using like
APIs either in (mostly deprecated) CAPI or
the new CNG</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>Barry</span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span><br>
<br>
<br>
</span></p>
</div>
<blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>Scott Fields</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>IBM/Kyndryl</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>SRE – BNSF</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span>817-593-5038 (BNSF)</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span><a
href="mailto:scott.fields@kyndryl.com"
moz-do-not-send="true"><span>scott.fields@kyndryl.com</span></a></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span><a
href="mailto:scott.fields@bnsf.com"
moz-do-not-send="true"><span>scott.fields@bnsf.com</span></a></span></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span> </span></p>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
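<p>As an added illustration of the points raised above (per-application key material kept under separate permissions rather than in one shared store, a standard way to generate a key and certificate request, and a Let's Encrypt style renewal check), here is a small POSIX shell script built on the openssl command line. It is example code written for this page, not code from the thread's participants, from systemd or from any distribution; the directory layout under <code>$STORE</code> and the application names are assumptions made for the demo.</p>

```shell
#!/bin/sh
# Added example: one key directory per application, owner-only permissions,
# a CSR per application, and a renewal check based on certificate expiry.
# Requires the openssl CLI. Not code from the mailing-list thread.
set -eu

# Root of the demo store. A real deployment would use a path such as
# /etc/pki/<app>/ owned by that app's service user (assumption for the demo).
STORE="${STORE:-$(mktemp -d)}"

# Create a private key and CSR for one application in its own directory.
# The directory is 0700 and the key 0600, so only that directory's owner
# (in practice, the service user) can read the key: separate permissions
# per app instead of one shared store. Prints the key path.
make_app_keypair() {
    app="$1"; cn="$2"
    dir="$STORE/$app"
    mkdir -p "$dir"
    chmod 700 "$dir"
    ( umask 077
      openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
      openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" -out "$dir/req.csr"
    ) >/dev/null 2>&1
    echo "$dir/key.pem"
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Self-sign the app's CSR for $2 days. This stands in for a CA-issued
# certificate so the renewal check below has something to inspect.
# Prints the certificate path.
self_sign() {
    app="$1"; days="$2"
    dir="$STORE/$app"
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" \
        -days "$days" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Returns 0 (true) if the certificate expires within $2 days, i.e. renewal
# is due; 1 otherwise. openssl's -checkend succeeds when the cert is still
# valid at the end of the window, so its result is inverted here.
needs_renewal() {
    cert="$1"; window_days="$2"
    secs=$((window_days * 86400))
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone demonstration.
demo_key=$(make_app_keypair demo-app demo-app.example.test)
echo "key: $demo_key (mode $(file_mode "$demo_key"))"
demo_cert=$(self_sign demo-app 20)
if needs_renewal "$demo_cert" 30; then
    echo "cert: $demo_cert expires within 30 days, renewal due"
else
    echo "cert: $demo_cert does not need renewal yet"
fi
```

<p>A cron job or systemd timer that runs <code>needs_renewal</code> per application and triggers that application's ACME client is the shape of the "Let's Encrypt style refresh" mentioned above; because each app owns its own directory, a compromise of one service's user does not expose another service's key.</p>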
</body>
</html>