## (see the SpecSpec for an explanation)
 * '''Launchpad Entry''': UbuntuSpec:server-lucid-easy-pki
 * '''Created''': 2009-11-20
 * '''Contributors''': ThierryCarrez
 * '''Packages affected''':

== Summary ==
Provide a new tool to easily manage a public-key infrastructure, for use with server packages shipped in Ubuntu.

== Release Note ==
The new upki tool makes it easy to create and deploy certificates and public/private keypairs for use with various server stacks in Ubuntu Server, including openvpn.

== Rationale ==
Several packages make use of SSL certificates and public/private keys. They all tend to ship their own tools (apache2-ssl-certificate for apache2), which are sometimes not packaged in a usable way (easy-rsa for openvpn). Those tools are all different, sometimes only produce self-signed certificates, can be complex and don't handle deployment.

So, rather than packaging and shipping a separate tool for each stack, it makes sense to provide a single CLI tool to manage a simple CA that can support all the different package needs.

== User stories ==
 * As an openvpn user, I want to generate certificates and keys for my VPN setup. I use upki (with its openvpn plugin) and it creates and deploys the required items for me.
 * As an apache2 sysadmin, I want to generate a certificate for my HTTPS website. I use upki (with its apache2 plugin) and it generates a certificate signed by my own local CA.
 * As the same apache2 sysadmin, I want to get a certificate for my website that is recognized by default in browsers. I use upki to generate a CSR and send it to the external CA of my choice.

== Assumptions ==

== Design ==
 * Python-based
 * upki core handles key generation
 * service-specific "plugins" expose commands meaningful to that specific service

== Implementation ==
tbd.

== Test/Demo Plan ==
tbd.

== Unresolved issues ==
None.
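The three user stories above describe one CA workflow: a local CA, a CSR that is either signed locally or sent to an external CA, and a check that the result is usable. The script below is an added example (not part of this spec, nor upki code) that walks that workflow with plain openssl, and also covers the "certificate will expire in X days" check raised in the discussion notes; the directory, file names and subjects are assumptions.

```shell
#!/bin/sh
# Added example, not part of the spec: the CA workflow upki would automate,
# done with plain openssl. Directory, file names and subjects are assumptions.
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Local CA: private key plus self-signed CA certificate (the "own local CA"
# of the apache2 user story). The key is written unencrypted, so the
# directory must be readable by root only.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Local upki CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Service key and CSR. The CSR is what you send to an external CA (third
# user story) or feed to sign_local (second story); the key stays on the box.
make_csr() {
    name="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
}

# Sign a CSR with the local CA. Extensions come from the CA side, not from
# the request, so a CSR cannot ask to become a CA or add extra names.
sign_local() {
    name="$1"; cn="$2"; days="${3:-365}"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$cn" > "$PKI_DIR/$name.ext"
    openssl x509 -req -sha256 -days "$days" -in "$PKI_DIR/$name.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
}

# Exit 0 if the certificate chains to the local CA.
verify_local() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Exit 0 if the certificate is still valid $2 days from now; the "expires in
# X days" notification from the discussion notes is the negation of this.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Demo: local CA, then a one-year certificate for an HTTPS site.
make_ca
make_csr www www.example.com
sign_local www www.example.com 365
verify_local www && echo "www.example.com certificate OK in $PKI_DIR"
```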
== BoF agenda and discussion ==

=== UDS discussion notes ===

==== Objectives ====
 * User-friendly interface to certificate generation
 * Service-oriented plugins for deployment and service-specific needs

==== Options ====
 * Package easy-rsa
  * Low-cost, but non-extensible
  * Not suitable for all use cases (i.e. it has some bias towards OpenVPN use)
  * Potentially a worthy goal simply for OpenVPN users, since the current packaging is not ideal
  * Upstream designed it from a "run script in CA directory" perspective; it will need a delta with upstream to be FHS-compliant
 * upki: rewrite easy-rsa in python, same feature set, extensible for, say, publication
 * openca
  * more complete solution
  * upstream not very active, but CAcert still contributing to it

==== Timeframe ====
 * easy-rsa for Lucid (or basic upki)
 * upki for the next LTS cycle

==== Brainstorm ====
 * Wizard mode that could help in generating a CSR, showing some snippets of config file, etc.
 * Is there an official group to chown certs to? i.e. same cert for Postfix + Apache (yes, ssl-cert)
 * How to deal with ssl certs for Apache virtual hosting
 * OpenLDAP: need to work with self-signed (add tls_checkpeer and TLS_REQCERT in the ldap.conf file?)
 * some kind of notification that a certificate will expire in X days
  * motd entry, email, nagios/nrpe check
 * install easy-pki with openssl (it should be small, so it won't take precious resources)

----
CategorySpec