1 of 11

OMG! TLS (Layer)

Charmer Summit - 2016 Gent

2 of 11

Consider the following

Client Communication

Peer communication

Charm to Charm communication

Confidential Canonical™

4 of 11

Leader

  • Generates a CA (key pair and self-signed certificate) unless one is provided
  • Generates its own certificate
  • Signs any incoming CSRs from the followers
  • Coordinates CSRs and certificates among many services (complicated)

5 of 11

Follower

  • Receives the Certificate Authority (certificate only, never the CA key) from the leader
  • Imports the CA into the local keyring
  • Generates a private key and a CSR, and submits the CSR to the leader
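The leader/follower exchange on these two slides, replayed end to end with the openssl CLI. This is an added example, not code from the slides or from the tls layer (the slides do not show how the layer produces its certificates); unit name, IP, paths and validity periods are assumptions. Beyond what the slides list, it also shows the check a follower should make before trusting the certificate it gets back, and that a certificate signed by a CA the follower never imported is rejected.

```shell
#!/bin/sh
# Added example (not code from the slides or from layer-tls): the leader/follower
# exchange replayed with the openssl CLI in a temporary directory.
# Unit name, IP, paths and validity periods are assumptions.
set -eu

WORK="$(mktemp -d)"
LEADER="$WORK/leader"        # only the leader ever holds ca.key
FOLLOWER="$WORK/follower"    # only the follower ever holds server.key
mkdir -p "$LEADER" "$FOLLOWER"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leader: generate a CA unless one is already present, then publish only ca.crt.
leader_init_ca() {
  if [ ! -f "$LEADER/ca.crt" ]; then
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
      -newkey rsa:2048 -nodes -days 365 -subj "/CN=juju-cluster-ca" \
      -keyout "$LEADER/ca.key" -out "$LEADER/ca.crt" 2>/dev/null
  fi
  cp "$LEADER/ca.crt" "$FOLLOWER/ca.crt"   # follower "receives the CA from leader"
}

# Follower: generate a key pair and a CSR; the CSR carries only the public key.
follower_make_csr() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$FOLLOWER/server.key" -out "$FOLLOWER/server.csr" 2>/dev/null
  cp "$FOLLOWER/server.csr" "$LEADER/$1.csr"   # "submits to leader"
}

# Leader: sign the CSR as a server (not CA) certificate with the SANs clients will use.
leader_sign_csr() {
  {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=serverAuth\n'
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$1" "$2"
  } > "$LEADER/$1.ext"
  openssl x509 -req -days 365 -in "$LEADER/$1.csr" \
    -CA "$LEADER/ca.crt" -CAkey "$LEADER/ca.key" -CAcreateserial \
    -extfile "$LEADER/$1.ext" -out "$LEADER/$1.crt" 2>/dev/null
  cp "$LEADER/$1.crt" "$FOLLOWER/server.crt"   # signed certificate handed back
}

# Follower: accept the certificate only if it chains to the imported CA and its
# public key matches the private key generated here (catches a cert issued to someone else).
follower_verify() {
  openssl verify -CAfile "$FOLLOWER/ca.crt" "$FOLLOWER/server.crt" >/dev/null 2>&1 || return 1
  cert_pub="$(openssl x509 -in "$FOLLOWER/server.crt" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$FOLLOWER/server.key" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Negative check: the same CSR signed by a CA the follower never imported must fail.
rogue_cert_rejected() {
  ROGUE="$WORK/rogue"
  mkdir -p "$ROGUE"
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue-ca" \
    -keyout "$ROGUE/ca.key" -out "$ROGUE/ca.crt" 2>/dev/null
  openssl x509 -req -days 365 -in "$FOLLOWER/server.csr" \
    -CA "$ROGUE/ca.crt" -CAkey "$ROGUE/ca.key" -CAcreateserial \
    -out "$ROGUE/server.crt" 2>/dev/null
  ! openssl verify -CAfile "$FOLLOWER/ca.crt" "$ROGUE/server.crt" >/dev/null 2>&1
}

key_party() {
  leader_init_ca
  follower_make_csr follower-0
  leader_sign_csr follower-0 10.0.0.2
  follower_verify && rogue_cert_rejected
}

key_party && echo "key party complete: $FOLLOWER/server.crt verifies against $FOLLOWER/ca.crt"
```

The point to take from the verification step is that a follower has two things to check, not one: that the returned certificate chains to the CA it imported, and that it embeds the follower's own public key. The leader's CA private key and each follower's server key never cross a unit boundary; only ca.crt, the CSR and the signed certificate do.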

6 of 11

Layer.yaml

includes: ['layer:tls']

7 of 11

Key Party!

from charms.reactive import when
from charmhelpers.core import unitdata

@when('signed certificate available')
def install_tls_certificate():
    # The tls layer stores the signed server certificate in the unit's
    # key/value store; read it back once the state above is set and
    # install it wherever your service expects it.
    database = unitdata.kv()
    cert = database.get('tls.server.certificate')
    if not cert:
        return  # state set but no certificate stored yet; try again on the next hook

8 of 11

9 of 11

Alternate designs?

What about a TLS charm that can hand out certificates upon relation?

10 of 11

Community contributions already!

The same week we released the tls layer.

11 of 11

We welcome feedback, bugs, and pull requests!

https://github.com/mbruzek/layer-tls