Details
- Improvement
- Resolution: Fixed
- Major
- Cheshire-Cat
- 1
Description
Problem: Currently there is one cluster root CA, one root cert for the LDAP server, and one root CA for the remote XDCR server. In all those cases it would be super useful, or even absolutely necessary, to be able to specify at least 2 root certs in order to do seamless cert rotation (on the local cluster or on remote LDAP or XDCR clusters).
Suggested solution: ns_server should maintain a single list of all trusted CAs that will include all the root certs that Couchbase Server should trust, including those for LDAP servers, XDCR servers and so on. There should be no difference between the cluster root cert, the XDCR root cert and the LDAP root cert. All these trusted certs will be used for all outgoing TLS connections (node2node encryption, XDCR, LDAP).
Customers should be able to manage (view, add, remove) the list of trusted certificates via the UI and CLI.
Issue Links
- relates to
  - MB-50033 XDCR mTLS Appears Broken (Closed)
  - DOC-8715 Multiple Root CA Certs (Resolved)
  - MB-47172 Multiple Root CA Certs management (couchbase-cli) (Closed)
  - MB-47174 [CBBS] Multiple Root CA Certs (Closed)
  - MB-47179 Multiple Root CA Certs - Analytics (Closed)
  - MB-48210 [CLI Tools] Multiple Root CA Certs (Closed)
  - K8S-2287 Multiple Root CA Certs - CAO (Closed)
  - MB-47171 Multiple Root CA Certs - KV (Closed)
  - MB-47173 Multiple Root CA Certs - XDCR (Closed)
  - MB-47175 Multiple Root CA Certs - Query (Closed)
  - MB-47176 Multiple Root CA Certs - Index (Closed)
  - MB-47177 Multiple Root CA Certs - FTS (Closed)
  - MB-47178 Multiple Root CA Certs - Eventing (Closed)
  - MB-47180 Multiple Root CA Certs - Views (Closed)
  - MB-47181 Multiple Root CA Certs - UI (Closed)