pomerium / cli

Pomerium CLI


Add option to pomerium-cli to use certificates from OS Native certificate stores

arulthileeban opened this issue

Is your feature request related to a problem? Please describe.

If mTLS is enabled in pomerium, pomerium would require a client certificate which should be passed from the pomerium-cli. Currently, pomerium-cli only has the ability to pick up certificates from the filesystem based on arguments passed to the cli. Most enterprises manage client/device certificates with the OS’ native certificate store, which is a more secure way to deploy certificates than to the filesystem. This makes it a blocker to use pomerium-cli with mTLS in enterprise environments that use managed solutions for certificate deployment to devices.

Describe the solution you'd like

Pomerium-cli should accept an argument that would allow for picking certificates from the OS’ native certstore (Windows Certificate Store, Mac Keychain) based on certificate identifiers such as CN or OU.

This makes sense, with a few caveats.

  • We will use the system store on Windows / Mac; on Linux/Unix-based systems this is trickier, so we won't be able to support it.
  • The CLI will need to add options for matching on CN / OU.
  • This will need to be updated on the desktop app side.

Implemented with #337