
User Story

Quite a lot of self-signed SSL certificates are used by PortaSwitch users. To reduce the support team's maintenance burden, it is reasonable to automate the regeneration of such certificates and keys before their expiration date.

Use Cases

Use case #1: Initial configuration of self-signed SSL certificates generation

Roles: Administrator, configurator agent

Use scenario #1.1: Initial configuration of self-signed SSL certificates generation

Scenario:

Administrator installs or upgrades PortaSwitch via regular install/upgrade routines.

Administrator installs the new version of the packages. Among those, the configurator agent package is installed along with its config files, including etc/agent-tasks.conf. The latter contains the settings required for SSL certificate generation, in particular:

  • SSL key length (2048 bits);
  • Regenerate self-signed certificate (14 days before expiration).

Use case #2: Initial generation of self-signed SSL certificate

Roles: Administrator, configurator, configurator agent

Preconditions

  • initial setup (Use Case #1) was performed or default values are used otherwise;
  • SSL certificate/key are absent on the given server.

Use scenario #2.1: Initial generation of self-signed SSL certificate

Scenario:

Administrator creates a configuration with a PortaAdmin instance. He sets VirtualHosts.admin_server_name=mega-itsp.com and applies the configuration on 2015-01-10.
Configurator agent accepts the pushed configuration, fetches the configuration files from the Configurator and starts processing them. The configurator agent generates a self-signed SSL key/certificate by means of the bin/gencert.sh utility (which uses the embedded PortaOne CA). bin/gencert.sh is passed an additional parameter with the value taken from SSL key length (2048). A new self-signed certificate is generated with the expiration date set to 2016-01-10 (since gencert.sh generates certs valid for 365 days) and signed by PortaOne CA. The certificate and key are written to the files /porta_var/certs/mega-itsp.com.crt and /porta_var/certs/mega-itsp.com.key respectively.

Use case #3: Successful re-generation of SSL key/certificate due to forthcoming expiration date

Roles: Administrator, configurator, configurator agent

Preconditions

  • initial setup (Use Case #1) was performed or default values are used otherwise;
  • initial generation of self-signed SSL certificate was performed (Use Case #2). 

Use scenario #3.1: Successful re-generation of SSL key/certificate due to forthcoming expiration date

Scenario:

Configurator agent launches a periodic internal task on 2016-01-04.
The internal periodic task inspects the /porta_var/certs directory and finds the mega-itsp.com.crt certificate file. It checks the issuer and finds out that it is PortaOne CA. Then it checks the expiration date and finds out that 2016-01-04 – 2015-01-10 is less than 7 days (Regenerate self-signed certificate parameter), and hence regenerates the certificate and key. The validity period and key length are taken from the current configuration. After the new certificate and key are generated successfully, the internal periodic task reloads the apache service.
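The selection logic of the periodic task in scenario #3.1, as an added Python example (not PortaSwitch code): it regenerates only certificates issued by the embedded CA and skips everything else found in the directory. The function names, the issuer CN string "PortaOne CA", reading certificates through the openssl CLI, and the sample openssl output are assumptions; the 7-day default is the threshold used in this scenario and is a parameter.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone
from pathlib import Path

MANAGED_ISSUER_CN = "PortaOne CA"  # assumption: CN of the embedded CA
RENEW_BEFORE_DAYS = 7              # threshold applied in scenario #3.1

# Constructed sample of `openssl x509 -noout -issuer -enddate` output for the
# certificate from scenario #2.1 (DN fields other than the CN are made up).
SAMPLE = ("issuer=C = US, O = PortaOne, CN = PortaOne CA\n"
          "notAfter=Jan 10 00:00:00 2016 GMT\n")


def parse_openssl(text):
    """Return (issuer_dn, not_after_utc) parsed from openssl's text output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return fields["issuer"], not_after.replace(tzinfo=timezone.utc)


def needs_regeneration(issuer_dn, not_after, now, days=RENEW_BEFORE_DAYS):
    """True only for agent-managed certificates inside the renewal window."""
    # Accept both "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) DN renderings.
    cn = re.search(r"CN\s*=\s*([^,/]+)", issuer_dn)
    if cn is None or cn.group(1).strip() != MANAGED_ISSUER_CN:
        return False  # issued elsewhere: never overwrite it
    # Already-expired certificates give a negative remainder and also match.
    return not_after - now < timedelta(days=days)


def scan(cert_dir="/porta_var/certs", now=None):
    """List the *.crt files the periodic task would regenerate."""
    now = now or datetime.now(timezone.utc)
    due = []
    for path in sorted(Path(cert_dir).glob("*.crt")):
        out = subprocess.run(
            ["openssl", "x509", "-in", str(path), "-noout", "-issuer", "-enddate"],
            capture_output=True, text=True, check=True).stdout
        if needs_regeneration(*parse_openssl(out), now):
            due.append(path)
    return due


if __name__ == "__main__":
    dn, expiry = parse_openssl(SAMPLE)
    print(needs_regeneration(dn, expiry, datetime(2016, 1, 4, tzinfo=timezone.utc)))
```

Matching on the issuer name only selects which files the agent manages; it is not a signature check against the CA certificate.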

Other requirements / constraints