
Add option to pomerium-cli to use certificates from OS Native certificate stores #308

Closed
arulthileeban opened this issue Jul 19, 2023 · 2 comments

@arulthileeban

Is your feature request related to a problem? Please describe.

If mTLS is enabled in pomerium, pomerium would require a client certificate, which should be passed from pomerium-cli. Currently, pomerium-cli only has the ability to pick up certificates from the filesystem based on arguments passed to the CLI. Most enterprises manage client/device certificates with the OS’ native certificate store, which is a more secure way to deploy certificates than to the filesystem. This makes it a blocker to use pomerium-cli with mTLS in enterprise environments that use managed solutions for certificate deployment to devices.

Describe the solution you'd like

Pomerium-cli should accept an argument that would allow for picking certificates from the OS’ native certstore (Windows Certificate Store, Mac Keychain) based on certificate identifiers such as CN or OU.

@desimone desimone added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 20, 2023
@desimone desimone self-assigned this Jul 20, 2023
@desimone (Contributor)

This makes sense, with a few caveats.

  • We will use the system store on Windows / Mac; on Linux/Unix-based systems this is trickier, so we won't be able to support it.
  • The CLI will need to add options for matching on CN / OU.
  • This will need to be updated on the desktop app side.

@desimone (Contributor)

Implemented with #337
