feat(samples): add local generation for crypto keys #98
Conversation
product-auto-label
bot
added
the
api: security-privateca
google-cla
bot
added
the
cla: yes
product-auto-label
bot
added
the
samples
| # To sign and issue a certificate, a public key is essential. Here, we are making use | ||
| # of Cloud KMS to retrieve an already created public key. For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key. | ||
| # Generating keys locally is also possible. | ||
| # The public key used to sign the certificate can be generated using any crypto library/framework. |
There was a problem hiding this comment.
Is it reasonable to expect that customers looking at this customer will already have a public key and/or know of a good way to generate one?
If not, or if there are best practices you'd like to show it may be worth pulling the key generation code up into the sample.
Showing that it's possible to use Cloud KMS to create a key also seems valuable to me - maybe you could keep the KMS sample link in the comments?
There was a problem hiding this comment.
I returned comment about Cloud KMS way.
The reasons why we prefer to generate keys locally:
Keys stored in Cloud KMS are not directly exportable, so the only way a customer can use them is by calling the AsymmetricSign/Verify and Encrypt/Decrypt APIs on those keys
however, this suffers from two problems:
- most applications that need to use the certificate/key don't support accessing the key like this, but instead require direct access to the key on the filesystem.
- even if they did support that, this would likely introduce too much latency and limit the throughput, so there aren't many scenarios where this would be useful
Leaf certificate keys are almost always generated directly on the machine that will be using them, and never sent anywhere else.
馃 I have created a release \*beep\* \*boop\* --- ### [1.0.4](https://www.github.com/googleapis/python-security-private-ca/compare/v1.0.3...v1.0.4) (2021-08-10) ### Documentation * **samples:** add local generation for crypto keys ([#98](https://www.github.com/googleapis/python-security-private-ca/issues/98)) ([0668ffd](https://www.github.com/googleapis/python-security-private-ca/commit/0668ffde892bec99a4cd574bbc257fcc2de6c1c7)) ### Miscellaneous Chores * release as 1.0.4 ([#100](https://www.github.com/googleapis/python-security-private-ca/issues/100)) ([47fb407](https://www.github.com/googleapis/python-security-private-ca/commit/47fb4075db02e5c3eaf4f25f3d032a6c2514afce)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:
Fixes #<issue_number_goes_here> 馃