[ovs-dev] ovs-pki: Without CRLs, is there any reason to use distinct secret keys?

Matthew Booth mbooth at redhat.com
Thu Oct 1 13:54:38 UTC 2020


I'm developing a kubernetes operator for deploying 'ovn-central' (nb,
sb, and northd). I'm trying to decide whether it's worth generating
separate secret keys for each actor in a raft cluster, actors being:

* each individual server in the raft cluster
* each individual client (e.g. ovn-controller/northd/neutron)

My initial thought was yes, of course. However, it occurred to me that
without CRL support in ovsdb-server it is impossible to revoke a
compromised certificate without changing the CA. This in turn requires
changing all certs, which seems functionally equivalent to all
services using the same cert.

Has anybody given this any thought? Are there any alternate
authentication methods which might work better?

Thanks,

Matt
--
Matthew Booth
Red Hat OpenStack Engineer, Compute DFG

Phone: +442070094448 (UK)


