Egothor/ZeroEcho
2
0
Fork 0
Code Issues 15 Pull Requests Actions Packages Projects 1 Releases 2 Wiki Activity

Define a first-class certificate profile engine for X.509 issuance #4

New Issue
Open
opened 2026-03-24 17:57:14 +01:00 by galambos · 0 comments
galambos commented 2026-03-24 17:57:14 +01:00
Owner
Copy Link

Introduce a profile layer above the current PKI/X.509 foundation so that issuance behavior can be driven by reusable certificate profiles rather than by ad hoc attribute wiring. This profile engine should become the basis for concrete templates such as MikroTik IPsec, Windows IPsec, OpenSwan IPsec, nginx/TLS server certificates, user certificates, infrastructure certificates, and later ACME-driven issuance.

Why this matters

The current PKI/X.509 base is a good substrate for issuance and status handling, but regulated deployments need controlled, reviewable, profile-driven issuance rather than raw framework attributes and one-off issuance rules.

Acceptance criteria

  • Introduce a profile model that defines mandatory/optional attributes, SAN rules, KU/EKU policies, CA/leaf constraints, validity limits, and approval requirements.
  • Separate framework-neutral profile intent from X.509 rendering.
  • Make profile evaluation deterministic and auditable.
  • Prepare profile hooks for later ACME enrollment and approval workflows.
  • Add enterprise-grade JavaDoc for all new public/SPIs.
Introduce a profile layer above the current PKI/X.509 foundation so that issuance behavior can be driven by reusable certificate profiles rather than by ad hoc attribute wiring. This profile engine should become the basis for concrete templates such as MikroTik IPsec, Windows IPsec, OpenSwan IPsec, nginx/TLS server certificates, user certificates, infrastructure certificates, and later ACME-driven issuance. ## Why this matters The current PKI/X.509 base is a good substrate for issuance and status handling, but regulated deployments need controlled, reviewable, profile-driven issuance rather than raw framework attributes and one-off issuance rules. ## Acceptance criteria - Introduce a profile model that defines mandatory/optional attributes, SAN rules, KU/EKU policies, CA/leaf constraints, validity limits, and approval requirements. - Separate framework-neutral profile intent from X.509 rendering. - Make profile evaluation deterministic and auditable. - Prepare profile hooks for later ACME enrollment and approval workflows. - Add enterprise-grade JavaDoc for all new public/SPIs.
galambos added this to the PKI Foundation Hardening and Regulated Operations Roadmap project 2026-03-24 18:56:06 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project PKI Foundation Hardening and Regulated Operations Roadmap
Assignees
Clear assignees
galambos gitea-ci
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Egothor/ZeroEcho#4
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?