GNOI Cert Proto: How to associate an installed certificate with an endpoint/application #59

Open
kiravi23 opened this issue Dec 14, 2021 · 7 comments

@kiravi23

Hi,

gNOI cert provides a "LoadCertificate" RPC to install a certificate. How do I link/associate this certificate to an endpoint/application?
Quoting the example below for more context.

Two applications are using certificates for TLS connections on the target device.

  1. HTTPS application
  2. Syslog application

If a user/admin installs two certificates using the above RPC on the target device,
where is the association of these certificates with the applications? I mean, which application uses which certificate for its TLS connection?

I am not able to find an option to link the endpoint in the gNOI Cert proto.
Can someone clarify here?

Regards
Kishore

@samribeiro
Member

Hi Kishore,

This is application-specific config, where you assign the certificate_id that was created at the time you installed the certificate: https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L346

Additionally and optionally, there is work to augment the list of Endpoints available in order to inform telemetry of which endpoints the certificate is assigned to: https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L434

Cheers,
Sam

@samribeiro samribeiro self-assigned this Dec 14, 2021
@kiravi23
Author

Hi Sam,

Thanks for the swift reply.

I did understand the certificate_id option. I believe it's a pre-defined string in the target device that maps to an application.

But I need some clarity for the case where the target device does not support generating a CSR.
In that case the client will set the certificate_id on behalf of the target. Since certificate_id is a string, the client can set any certificate_id, which the target may or may not support.

Should the target error out in case of a certificate_id that is not among the pre-defined names in the target?

https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L291

Regards
Kishore

@gsindigi

Sam,

I too had similar questions; how is the association between certificate_id and any of the daemons achieved? Do we have it as part of any of the config models? Once a certificate is installed on the target, how can it be made effective for the various daemons/sub-systems? I did not see them, but I might have overlooked them as well.
Can the list of Endpoints in the proto be augmented similar to a YANG augmentation? Or do you mean having a PR to update this proto file?

Thanks.

@samribeiro
Member

Hi Kishore,

The certificate_id is always set by the client. The particular comment you are pointing at happens during a stream where the certificate_id is irrelevant because a previous message in the stream already stated the desired certificate_id.

What you are looking for is explained here instead:
https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L270

Cheers,
Sam

@samribeiro
Member

@gsindigi

I am aware of two models that support it:
https://github.com/openconfig/public/blob/master/release/models/openflow/openconfig-openflow.yang#L155
https://github.com/openconfig/public/blob/master/release/models/system/openconfig-system-grpc.yang#L148
Likely there are others, but I am not aware of them.

Regarding the Endpoints, the proto would need to be augmented. However, I have not seen the Endpoints being used yet, so one (perhaps preferred) alternative would be to iterate on the proto and replace the Endpoints with a string that is descriptive of the association. This would avoid having to augment the proto every time a new "endpoint" comes up.

Cheers,
Sam
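The two replies above describe the mechanism in words: the client picks the certificate_id, the first message of an Install stream states it (a later LoadCertificate in the same stream does not need to repeat it), and the application binding lives in config (for example the certificate-id leaf in openconfig-system-grpc) that references that id. The following is an added, self-contained model of that flow written for this page; it is not gNOI or OpenConfig project code. The message classes echo names from cert.proto but are plain dataclasses; the Target class, ProtocolError, ConfigError, the "Install may not overwrite an existing id" rule, and the PEM strings in the demo are assumptions made for the illustration.

```python
# Added example, not gNOI project code: an in-memory model of how a
# client-chosen certificate_id ties a certificate installed over a gNOI-style
# Install stream to the application that uses it, with the checks a target
# would apply along the way. All classes below are assumptions for this model.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


class ProtocolError(Exception):
    """The stream violated the expected message order or content."""


class ConfigError(Exception):
    """Config referenced a certificate_id the target does not hold."""


@dataclass
class GenerateCSRRequest:
    certificate_id: str  # chosen by the client; names the cert on the target


@dataclass
class LoadCertificateRequest:
    certificate_pem: str
    # Only needed when this is the first message of the stream, i.e. the
    # target could not produce a CSR and the client ships id, cert and key.
    certificate_id: str = ""
    key_pair_pem: Optional[str] = None


@dataclass
class FinalizeRequest:
    pass


class Target:
    def __init__(self, can_generate_csr: bool) -> None:
        self.can_generate_csr = can_generate_csr
        self.certs: Dict[str, str] = {}     # certificate_id -> committed PEM
        self.bindings: Dict[str, str] = {}  # application -> certificate_id

    def install(self, stream: Iterable[object]) -> str:
        """Consume one Install stream and return the committed certificate_id."""
        cert_id: Optional[str] = None
        pending: Optional[str] = None
        for msg in stream:
            if isinstance(msg, GenerateCSRRequest):
                if cert_id is not None:
                    raise ProtocolError("GenerateCSR must be the first message")
                if not self.can_generate_csr:
                    raise ProtocolError("target cannot generate a CSR")
                cert_id = msg.certificate_id
            elif isinstance(msg, LoadCertificateRequest):
                if cert_id is None:
                    # First message of the stream: the client must name the
                    # certificate and supply the private key with it.
                    if not msg.certificate_id or msg.key_pair_pem is None:
                        raise ProtocolError(
                            "first LoadCertificate needs certificate_id and key_pair")
                    cert_id = msg.certificate_id
                elif msg.certificate_id and msg.certificate_id != cert_id:
                    raise ProtocolError("certificate_id changed mid-stream")
                pending = msg.certificate_pem
            elif isinstance(msg, FinalizeRequest):
                if cert_id is None or pending is None:
                    raise ProtocolError("Finalize before any certificate was loaded")
                if cert_id in self.certs:
                    # Assumption for this model: Install only creates new ids.
                    raise ProtocolError(f"{cert_id!r} already installed; use Rotate")
                self.certs[cert_id] = pending
                return cert_id
            else:
                raise ProtocolError(f"unexpected message {type(msg).__name__}")
        raise ProtocolError("stream ended without Finalize")

    def bind(self, application: str, certificate_id: str) -> None:
        """Bind an application to an installed certificate, the way a config
        leaf such as certificate-id does; reject ids the target does not hold."""
        if certificate_id not in self.certs:
            raise ConfigError(f"{certificate_id!r} is not installed on this target")
        self.bindings[application] = certificate_id


if __name__ == "__main__":
    # Constructed demo values, not real key material.
    syslog = Target(can_generate_csr=False)
    syslog.install([
        LoadCertificateRequest("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                               certificate_id="syslog-tls",
                               key_pair_pem="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"),
        FinalizeRequest(),
    ])
    syslog.bind("syslog", "syslog-tls")
    print(syslog.bindings)
```

The model keeps the two concerns apart the way the thread does: the cert store is keyed purely by the id the client chose, so the target needs no pre-defined list of names, while the binding step is where a mistaken id is caught, because it references something the store does not contain.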

@kiravi23
Author

Hi Sam,

I am asking about case 2, the link mentioned below. In this case the LoadCertificate RPC will be the first one to be called in the stream, and it will be called from the client, who will not know anything about the target's certificate_id.

https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L275

Regards
Kishore

@samribeiro
Member

Hi Kishore,

I am not sure I understand correctly what you are describing, but the assertion that the client does not know anything about the Target's certificate_id is not correct. It is exactly the Client that manages the certificate_ids used in the Target.

Cheers,
Sam
