As part of the aggregate logging solution for OpenShift, we use SearchGuard to provide access control and secure communication for the ES cluster. We are trying to make it easier to
deploy the logging stack using a cert generation service provided by OpenShift, but the requirement of needing an OID is making it challenging. We are interested to know:
- Are there less documented alternatives?
- Are you open to a discussion about potential alternatives?
We know we’ll be asked whether this meets various regulatory use of certificates (specifically that registered ID is not actually registered, and users can’t get it), so we were wondering whether you would accept
a patch that reads information (e.g. otherName, URI, some other cert attribute) from the remote certificate as an alternate to registeredID.
We would be willing to help out in alternative solutions.