Typically, CA operations performed with OpenSSL (e.g., openssl ca) update a number of state files on the host where the OpenSSL library/binary runs, e.g., index.txt (the database of issued certificates) and serial (the next serial number to use).
However, this is problematic where the PKI infrastructure is hosted on a PaaS provider such as Heroku, because there is no persistent file system shared between instances: each VM/dyno has its own ephemeral copy of those files.
VM-1 could be issuing certificates and updating its local files with no knowledge of what VM-2 has already done, e.g., issued another certificate to the same entity (or, since both start from the same serial file, issued a certificate with the same serial number).
Ideally, one would have a mechanism or a framework where the PKI state is kept in a central database (PostgreSQL, Redis, etc.).
As each transaction completes, the resulting data would be written to the central database instead of to files on the particular file system where the OpenSSL library happens to be installed.
Two questions:
- Is there such a framework?
- Are there any security implications (and, if so, potential remedies)?
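To make the proposal above concrete, here is an added example (not code from the original post) of what the central-store piece looks like: the two files openssl ca depends on, serial and index.txt, become two tables, serial allocation and the index insert happen in one transaction, and a uniqueness guard on valid certificates per subject enforces the equivalent of unique_subject = yes in openssl.cnf. SQLite is assumed as a stand-in for the PostgreSQL store suggested in the post; the table names, the "/CN=..." subject format and the demo() scenario are assumptions made for the example, and the actual X.509 signing is left to whatever library the issuer uses after the row has committed.

```python
"""Central-store replacement for OpenSSL's `serial` and `index.txt` files.

Added example, not from the original post. SQLite (stdlib) stands in for
the PostgreSQL store the post proposes; the schema and transaction
discipline carry over. X.509 signing itself is out of scope: the point is
that allocating a serial and recording the certificate are one atomic,
guarded transaction shared by every CA instance.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

_TS = "%y%m%d%H%M%SZ"  # index.txt date format (YYMMDDHHMMSSZ)

SCHEMA = """
CREATE TABLE IF NOT EXISTS ca_serial (          -- single row = the `serial` file
    id   INTEGER PRIMARY KEY CHECK (id = 1),
    next INTEGER NOT NULL
);
INSERT OR IGNORE INTO ca_serial (id, next) VALUES (1, 1);
CREATE TABLE IF NOT EXISTS ca_index (           -- one row per `index.txt` line
    serial  INTEGER PRIMARY KEY,
    status  TEXT NOT NULL CHECK (status IN ('V', 'R', 'E')),
    expires TEXT NOT NULL,
    revoked TEXT,
    subject TEXT NOT NULL
);
-- At most one *valid* cert per subject (DB-enforced unique_subject = yes);
-- revoked rows do not block reissuance.
CREATE UNIQUE INDEX IF NOT EXISTS ca_index_one_valid_per_subject
    ON ca_index (subject) WHERE status = 'V';
"""


class DuplicateSubject(Exception):
    """A valid certificate for this subject already exists."""


def open_store(path=":memory:"):
    """Connect to the shared store; isolation_level=None means manual BEGIN/COMMIT."""
    db = sqlite3.connect(path, isolation_level=None)
    db.executescript(SCHEMA)
    return db


def issue(db, subject, days=365, now=None):
    """Allocate the next serial and record the cert atomically; return the serial.

    On a duplicate valid subject the transaction is rolled back (the serial is
    not consumed) and DuplicateSubject is raised.
    """
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days)).strftime(_TS)
    db.execute("BEGIN IMMEDIATE")  # take the write lock before reading `next`
    try:
        serial = db.execute("SELECT next FROM ca_serial WHERE id = 1").fetchone()[0]
        db.execute("UPDATE ca_serial SET next = next + 1 WHERE id = 1")
        db.execute(
            "INSERT INTO ca_index (serial, status, expires, subject) VALUES (?, 'V', ?, ?)",
            (serial, expires, subject),
        )
        db.execute("COMMIT")
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        raise DuplicateSubject(subject) from None
    except Exception:
        db.execute("ROLLBACK")
        raise
    return serial


def revoke(db, serial, now=None):
    """Mark a valid cert revoked; False if there is no valid cert with that serial."""
    when = (now or datetime.now(timezone.utc)).strftime(_TS)
    cur = db.execute(
        "UPDATE ca_index SET status = 'R', revoked = ? WHERE serial = ? AND status = 'V'",
        (when, serial),
    )
    return cur.rowcount == 1


def export_index(db):
    """Render the table as index.txt lines: status, expiry, revocation, hex serial, file, DN."""
    rows = db.execute(
        "SELECT status, expires, revoked, serial, subject FROM ca_index ORDER BY serial"
    ).fetchall()
    lines = []
    for status, expires, revoked, serial, subject in rows:
        hexserial = f"{serial:X}"
        if len(hexserial) % 2:  # OpenSSL writes an even number of hex digits
            hexserial = "0" + hexserial
        lines.append("\t".join([status, expires, revoked or "", hexserial, "unknown", subject]))
    return "\n".join(lines)


def demo():
    """Constructed scenario: VM-1 and VM-2 share one store instead of two copies of the files."""
    with tempfile.TemporaryDirectory() as d:
        vm1 = open_store(os.path.join(d, "ca.sqlite"))
        vm2 = open_store(os.path.join(d, "ca.sqlite"))
        t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
        first = issue(vm1, "/CN=api.example.test", now=t0)
        try:
            issue(vm2, "/CN=api.example.test", now=t0)  # VM-2 now sees what VM-1 did
            second = None
        except DuplicateSubject:
            second = "rejected"
        revoke(vm1, first, now=t0 + timedelta(days=30))
        reissued = issue(vm2, "/CN=api.example.test", now=t0)  # fine once the old cert is revoked
        text = export_index(vm1)
        vm1.close()
        vm2.close()
        return first, second, reissued, text
```

With PostgreSQL the same shape applies: a SELECT ... FOR UPDATE (or a sequence) for the serial, the insert in the same transaction, and the same partial unique index. The signer must use the serial returned by the committed transaction, never a locally cached one. On the second question, note that the database now sits inside the CA's trust boundary: its credentials, the transport to it, and who can write to the index (a row flipped from R back to V would un-revoke a certificate) need the same care as the files did, and the CA private key still needs a home of its own (an HSM or cloud KMS rather than the dyno file system).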