eigenstate.ipa Documentation

eigenstate.ipa

IdM-native Ansible collection for inventory, vault, Kerberos, certificates, OTP, policy, AAP workflows, and temporary access boundaries.

Explanation

Understand CSR, CA, certificate, and private-key responsibilities.

Boundary
Read-only
Authority
idm, collection
Evidence
architecture-boundary

Certificate boundary

What Claim Is Being Made?

The collection can request and retrieve certificates, but private key creation and protection stay outside the certificate request surface.

What Problem Does It Address?

Certificate automation often hides where CSRs came from and whether private keys were protected. The boundary must keep public certificate material separate from private key material.

Which System Owns Which Responsibility?

System Responsibility
IdM CA Issues certificates from CSRs under CA/profile policy.
cert lookup Requests, retrieves, or searches certificate records.
cert_request module Submits CSR content or a CSR file and returns certificate metadata/content.
Operator/site workflow Generates and stores private keys securely before CSR submission.

What Evidence Proves The Boundary?

  • CSR path or CSR content reference.
  • Certificate metadata from the module or lookup.
  • Written certificate destination and mode when configured.

What Does This Not Claim?

  • The module does not generate private keys.
  • A certificate is not proof that the private key is protected.
  • Certificate issuance is not cluster runtime enforcement.

What Risks Remain?

  • Bad CSR inputs can request the wrong identity.
  • Private keys can leak outside this module.
  • CA profile and sub-CA policy must be reviewed separately.