NSP TLS overview
Introduction
NSP communication is secured using Transport Layer Security, or TLS. The TLS-secured elements of an NSP deployment include the following:
- Kubernetes infrastructure: the Kubernetes registry, and the interfaces between the NSP deployer host and the NSP cluster VMs
- external NSP cluster endpoints for communication with:
Note: An NSP system upgrade preserves the TLS artifacts.
NSP TLS certificates
The NSP TLS certificates include the following:
- Kubernetes infrastructure certificates, applied to:
- NSP issuer certificates, applied to:
- NSP server certificates, applied to:
Note: You specify the issuer and server TLS artifacts during NSP cluster deployment. The Kubernetes certificates are automatically generated, and require no configuration.
NSP issuer certificates
NSP issuer certificates are CA signing certificates. There is an internal issuer and an external issuer; the certificates that each issuer signs are what secure the TLS sessions to the internal and external-facing NSP application endpoints, so the issuer certificates are the trust anchors for those sessions rather than the endpoint certificates themselves.
NSP server certificates
NSP server certificates secure the ingress gateway for external client and mediation access. Using a custom server certificate has special requirements, as described in Using custom TLS certificates.
Kubernetes secrets
The TLS artifacts of an NSP cluster, that is, the certificates and their private keys, are stored in Kubernetes secrets rather than in plain files, so that the key material is not exposed. The 'nspdeployerctl secret' command on an NSP deployer host is the supported way to create, update, and replace these secrets; it also provides secret backup and restore, and can display the content of a secret.
The NSP system deployment procedures include steps for creating the required secrets, and “What is NSP TLS administration?” in the NSP System Administrator Guide describes post-deployment TLS certificate and Kubernetes secret management.
See NSP TLS configuration requirements and NSP TLS configuration procedures for information about creating the required TLS artifacts for an NSP deployment.
NSP PKI-server service
An NSP cluster hosts a PKI-server service that signs certificates using the CA certificates held in the internal and external issuer secrets. The service enforces an access control list derived from the NSP cluster configuration: it answers certificate-signing requests only from the addresses listed in the nsp-config.yml file of the local cluster, and requests from any other address are not served.
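The issuer and server certificate sections above, and the PKI-server description, define a relationship a practitioner should verify before loading artifacts into a secret: the issuer certificate must really be a CA certificate, the server certificate must chain to that issuer, it must carry the ingress hostname as a subject alternative name, and it must not be about to expire. The script below is an added example, not Nokia's NSP tooling and not part of the original page. It builds a throwaway issuer CA and a server certificate that CA signs (standing in for an NSP issuer certificate and a certificate the PKI-server service would sign), plus an unrelated CA to show the negative case, and then runs those checks with plain openssl. The hostname nsp.example.com, the file names, and the 7-day expiry threshold are assumptions; it requires openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not Nokia NSP tooling: throwaway issuer CA + server cert,
# then the checks you would run on the real artifacts before loading them
# into a Kubernetes secret. Requires openssl 1.1.1 or later on PATH.
set -eu
umask 077                       # private keys are created readable only by us
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="nsp.example.com"          # assumed ingress hostname, a placeholder

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf: a DN section (overridden by -subj) and the CA extensions.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {   # $1 = output path prefix, $2 = CA common name
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -extensions v3_ca -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_server_cert() {   # $1 = output path prefix, $2 = CA path prefix, $3 = hostname
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$3" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  # Server extensions are decided by the signer, as a CA should do, not
  # copied from whatever the requester put in the CSR.
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# --- the checks; each returns 0 on pass, non-zero on fail ---
# The certificate in an issuer secret must actually be a CA certificate.
ca_is_signing_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# The server certificate must chain to the issuer CA ($1 = CA, $2 = server cert).
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# The server certificate must carry the ingress hostname as a SAN entry
# (clients ignore the CN); match a whole entry, not a substring.
san_covers_host() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}
# The server certificate must not expire within $2 days.
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Run all checks, report each one, and return non-zero if any failed.
audit_server_cert() {   # $1 = CA cert, $2 = server cert, $3 = hostname
  rc=0
  ca_is_signing_cert "$1"   && echo "PASS issuer is a CA certificate"   || { echo "FAIL issuer cert is not CA:TRUE"; rc=1; }
  chain_verifies "$1" "$2"  && echo "PASS server cert chains to issuer" || { echo "FAIL server cert not signed by this issuer"; rc=1; }
  san_covers_host "$2" "$3" && echo "PASS SAN covers $3"                || { echo "FAIL SAN does not cover $3"; rc=1; }
  valid_for_days "$2" 7     && echo "PASS valid for at least 7 days"    || { echo "FAIL expires within 7 days"; rc=1; }
  return $rc
}

# Constructed sample PKI: the issuer CA, a server cert it signed, and an
# unrelated CA standing in for a certificate from the wrong issuer.
make_ca "$WORK/issuer" "Sample NSP Issuer CA"
make_ca "$WORK/unrelated" "Unrelated CA"
make_server_cert "$WORK/tls" "$WORK/issuer" "$HOST"

echo "== server cert against the issuer that signed it =="
audit_server_cert "$WORK/issuer.crt" "$WORK/tls.crt" "$HOST"
echo "== same cert against an unrelated issuer (expected to fail) =="
audit_server_cert "$WORK/unrelated.crt" "$WORK/tls.crt" "$HOST" || true
```

To run the same checks against artifacts already loaded into a cluster, export them from the secret first; assuming a secret named nsp-server-tls in namespace nsp (both placeholders), kubectl -n nsp get secret nsp-server-tls -o jsonpath='{.data.tls\.crt}' | base64 -d writes the certificate that the check functions expect, and openssl s_client -connect HOST:443 -servername HOST shows the certificate the ingress gateway actually presents, which is the one clients and mediation endpoints evaluate.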