# Secrets Manager: Certificate Management (PKI)
## Description
### Summary
Provide a complete Public Key Infrastructure (PKI) solution for creating, managing, and rotating X.509 certificates, so that organizations can issue certificates for TLS, mTLS, code signing, and service authentication without depending on an external CA.
### Problem Statement
GitLab Secrets Manager currently has:
- No PKI/certificate management capabilities
- No CA (Certificate Authority) support
- No certificate issuance or lifecycle management
- Organizations must use external PKI solutions
### Proposal
Implement a full PKI system with a CA hierarchy:
```mermaid
graph TD
Root["🔐 Root CA<br/>(Offline, HSM-protected)<br/>20 years"]
Root --> IntProd["Intermediate CA<br/>(Production)<br/>5 years"]
Root --> IntStaging["Intermediate CA<br/>(Staging)<br/>5 years"]
IntProd --> EndProd["📜 End-entity Certs<br/>90 days"]
IntStaging --> EndStaging["📜 End-entity Certs<br/>90 days"]
```
### Key Deliverables
1. **Certificate Authority Management**
   - Root CA creation (HSM-backed)
   - Intermediate CA creation
   - CA lifecycle management
   - Key ceremony support
2. **Certificate Issuance**
   - CSR signing
   - Certificate generation with key
   - Role-based templates
   - Automated renewal
3. **Revocation Services**
   - Certificate revocation
   - CRL generation and publishing
   - OCSP responder
4. **Integration**
   - CI/CD certificate issuance
   - Kubernetes cert-manager integration
   - mTLS support
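The hierarchy in the proposal and the issuance deliverables, as an added Go example using only the standard library (this is not GitLab or OpenBao code): a self-signed root (20 years, path length 1), an intermediate it signs (5 years, path length 0, so the intermediate cannot mint sub-CAs), and a 90-day leaf. The CA names, DNS name and lifetimes a caller passes in are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl for pub with the parent's key; parent == tmpl gives a self-signed root.
func issue(tmpl *x509.Certificate, pub any, parent *x509.Certificate, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // unique serial: CRL/OCSP key
	tmpl.NotBefore = time.Now().Add(-time.Minute)                                      // small backdate tolerates clock skew
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a CA valid for `years`. A nil parent yields the self-signed root; pathLen 1 lets the
// root sign intermediates, pathLen 0 stops an intermediate from minting sub-CAs.
func newCA(cn string, years, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // a CA key signs certificates and CRLs only
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	cert, err := issue(tmpl, &key.PublicKey, parent, parentKey)
	return cert, key, err
}

// newLeaf issues a short-lived end-entity certificate (90 days in the proposal) for one DNS name.
func newLeaf(dnsName string, ttl time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	notAfter := time.Now().Add(ttl)
	if notAfter.After(ca.NotAfter) { // a leaf must not outlive its issuer
		notAfter = ca.NotAfter
	}
	cert, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotAfter: notAfter, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, // IsCA false: never signs
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}},
		&key.PublicKey, ca, caKey)
	return cert, key, err
}
```

A relying party validates a leaf with `leaf.Verify(x509.VerifyOptions{Roots: ..., Intermediates: ..., DNSName: ...})`; Go enforces the path-length constraint there, so a leaf signed by a sub-CA minted under the path-length-0 intermediate is rejected.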
### User Stories
| ID | Story | Points |
|----|-------|--------|
| US-4.1 | Create Root CA | 8 |
| US-4.2 | Create Intermediate CA | 8 |
| US-4.3 | Define certificate role | 5 |
| US-4.4 | Issue certificate from CSR | 5 |
| US-4.5 | Generate certificate with key | 5 |
| US-4.6 | Automatic certificate renewal | 8 |
| US-4.7 | Revoke certificate | 5 |
| US-4.8 | CRL generation | 8 |
| US-4.9 | OCSP responder | 13 |
| US-4.10 | CI/CD certificate issuance | 8 |
| US-4.11 | cert-manager integration | 8 |
| US-4.12 | Certificate audit log | 5 |
| US-4.13 | CA key rotation | 11 |
**Total Story Points:** ~97
### Technical Requirements
- OpenBao PKI secrets engine
- New models: `CertificateAuthority`, `CertificateRole`, `IssuedCertificate`
- HSM integration for CA keys (optional)
- OCSP endpoint infrastructure
### Non-Functional Requirements
| Category | Requirement |
|----------|-------------|
| Performance | Certificate issuance < 2s, OCSP response < 100ms |
| Scalability | 100K certificates, 1K issuances/minute |
| Security | HSM for root CA, audit all operations |
| Compliance | X.509 standards, WebPKI compatibility |
### Effort Estimate
- **Duration:** 5-7 months
- **Team:** 4-5 engineers (4 BE, 1 Security)