Mutual auth and making it easier to deploy SG on OpenShift and Kubernetes

As part of the aggregate logging solution for OpenShift, we use SearchGuard to provide access control and secure communication for the ES cluster. We are trying to make it easier to
deploy the logging stack using a cert generation service provided by OpenShift, but the requirement of needing an OID is making it challenging. We are interested to know:

  • Are there less documented alternatives?
  • Are you open to a discussion about potential alternatives?

We know we’ll be asked whether this meets various regulatory use of certificates (specifically that registered ID is not actually registered, and users can’t get it), so we were wondering whether you would accept a patch that reads information (e.g. otherName, URI, some other cert attribute) from the remote certificate as an alternate to registeredID.

We would be willing to help out in alternative solutions.

One solution that would allow us to use a custom implementation: https://github.com/floragunncom/search-guard/pull/269
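An added example (not code from this thread, from the linked PR, or from SearchGuard itself) of the selection logic the proposal above describes: walk the client certificate's subjectAltName, use registeredID when it is present, and fall back to a URI or otherName value only when the deployment explicitly opts in. The SAN samples, the OIDs and the URI are constructed for the example; the DER walker uses only the standard library.

```python
"""Pick a client identity from an X.509 subjectAltName extension (DER).

GeneralName context tags (RFC 5280): [0] otherName, [6] URI, [8] registeredID.
"""

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_general_names(san_der):
    """Return [(kind, value), ...] for the GeneralNames SEQUENCE of a SAN extension."""
    tag, seq, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SAN value must be a SEQUENCE"
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0x88:                                 # [8] registeredID: OID
            names.append(("registeredID", _decode_oid(val)))
        elif tag == 0x86:                               # [6] URI: IA5String
            names.append(("uri", val.decode("ascii")))
        elif tag == 0xA0:                               # [0] otherName { OID, [0] EXPLICIT value }
            _, oid, p = _read_tlv(val, 0)
            _, wrapper, _ = _read_tlv(val, p)
            _, inner, _ = _read_tlv(wrapper, 0)         # UTF8String in these samples
            names.append(("otherName", (_decode_oid(oid), inner.decode("utf-8"))))
        else:
            names.append(("unsupported", tag))
    return names

def select_identity(san_der, allow_fallback=False):
    """registeredID wins; URI/otherName count only with opt-in. None means reject."""
    names = parse_general_names(san_der)
    for kind, value in names:
        if kind == "registeredID":
            return kind, value
    if allow_fallback:
        for kind, value in names:
            if kind == "uri":
                return kind, value
            if kind == "otherName":
                return kind, value[1]
    return None

def _tlv(tag, content):
    """Short-form DER builder (content < 128 bytes) for the constructed samples."""
    return bytes([tag, len(content)]) + content

# Constructed samples: a SAN carrying registeredID 1.2.3.4.5, and one without an
# OID that carries only a URI and an otherName (type-id 1.2.3.4.6, UTF8String).
SAN_WITH_OID = _tlv(0x30, _tlv(0x88, b"\x2a\x03\x04\x05"))
SAN_WITHOUT_OID = _tlv(0x30, _tlv(0x86, b"urn:example:es-client")
    + _tlv(0xA0, _tlv(0x06, b"\x2a\x03\x04\x06") + _tlv(0xA0, _tlv(0x0C, b"es-client"))))
```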

···

On Thursday, January 5, 2017 at 4:59:46 PM UTC-5, jcan...@redhat.com wrote:


We are very interested in a discussion on how to offer alternative models other than “oid”.
You are not the first having troubles with this one :slight_smile:

Thanks a lot for your PR, we will look into this.
