[ https://issues.apache.org/jira/browse/GEODE-10561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jinwoo Hwang updated GEODE-10561:
---------------------------------
    Fix Version/s: 2.0.1
                   1.15.3

> TLS Migration: Mitigations for Public-CA Client-Auth EKU Removal
> ----------------------------------------------------------------
>
>                 Key: GEODE-10561
>                 URL: https://issues.apache.org/jira/browse/GEODE-10561
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>             Fix For: 2.0.1, 1.15.3
>
>
> h2. Summary
> Create official Apache Geode documentation that explains three supported TLS 
> deployment models and migration guidance in response to the upcoming public 
> CA removal of the Client Authentication EKU. The documentation will be an 
> authoritative operator guide covering configuration, rotation, verification, 
> and recommended automation patterns.
> Note: This guidance applies only to environments using newly issued public-CA 
> mTLS certificates where the public CA's issuance does not include client CA 
> certificates in the chain. If your deployment already uses an 
> enterprise/internal CA or a public-CA chain that includes client CA 
> certificates, no action is required; those deployments are not affected by 
> this guidance and should continue to follow the internal-CA or hybrid 
> guidance where appropriate.
> h2. Background
> Public Certificate Authorities are removing or changing issuance behavior for 
> client-auth EKUs on publicly-issued leaf certificates. This impacts users who 
> relied on public-CA-signed client certificates for mutual TLS (mTLS) with 
> Apache Geode. We must produce an official doc describing viable options and 
> migration steps.
> h2. Objective
> Produce a concise, reviewable doc set and a single canonical HOWTO that 
> covers:
>  - Option A: Internal / enterprise CA for mTLS
>  - Option B: Server-only TLS + application-layer client authentication (no 
> client certs)
>  - Option C: Hybrid — public-CA server certs + private-CA client certs
> h2. Tasks
>  * Create top-level doc `docs/TLS_MIGRATION_GUIDE.md` that aggregates content.
>  * Finalize and land docs in `main` and backport to supported release 
> branches.
> h2. Priority & Due Date
> Priority: High — public CA policy changes have a concrete timeline. Suggest 
> target: 3 weeks.
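As an added illustration of how Options B and C in the description map onto Geode's standard `gemfire.properties` SSL keys (this is not the ticket's or the Geode project's own documentation): keystore/truststore paths, passwords and the `com.example` class names are placeholders, and only the client/server component is enabled so that the cluster, locator and JMX trust chains stay out of scope.

```properties
# Option C (hybrid): public-CA server certificate, private-CA client certs.
# Server-side gemfire.properties. Only the internal client CA goes into the
# truststore, so the public CA is never asked for a clientAuth EKU.
ssl-enabled-components=server
# placeholder paths and passwords
ssl-keystore=/etc/geode/tls/server-public-ca.jks
ssl-keystore-password=changeit
ssl-truststore=/etc/geode/tls/internal-client-ca.jks
ssl-truststore-password=changeit
# two-way TLS: every client must present a cert chaining to the truststore
ssl-require-authentication=true

# Option B (server-only TLS + application-layer authentication), used instead
# of the Option C lines above: clients present no certificate, and identity
# is established by a SecurityManager implementation (placeholder class).
#ssl-enabled-components=server
#ssl-keystore=/etc/geode/tls/server-public-ca.jks
#ssl-keystore-password=changeit
#ssl-require-authentication=false
#security-manager=com.example.CredentialSecurityManager

# Client-side gemfire.properties for Option B: verify the server's public-CA
# certificate including its hostname, and supply credentials through an
# AuthInitialize factory method (placeholder).
#ssl-enabled-components=server
#ssl-truststore=/etc/geode/tls/public-ca-roots.jks
#ssl-truststore-password=changeit
#ssl-require-authentication=false
#ssl-endpoint-identification-enabled=true
#security-client-auth-init=com.example.ClientCredentials.create
```

Java properties files treat `#` as a comment only at the start of a line, which is why the placeholder notes sit on their own lines rather than after the values.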



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
