How can an application's cert be issued when we deploy an app from the console?

  • You add the certificate configuration while adding an application through the UI.

  • The parameters defined for the app are used when a build is created, and we embed code that generates a CSR into the converted image.

  • When the application runs, it calls the 'Create Certificate' API on the agent running on that node, passing the CSR as a parameter.

  • The agent adds the node-id to the parameters and sends the request to the Fortanix Confidential Computing Manager (CCM) backend.

  • The Fortanix CCM backend verifies that the domains for that app are whitelisted, that the build is whitelisted, and that the application is running in an enclave with a valid attestation. If so, it creates a certificate for that app running on that node and sends it as the response.

  • Whenever a domain is added or updated, a domain whitelisting task is created. Similarly, when a build is created, a build whitelisting task is created. These tasks for an app need to be approved before running the application.

  • For more details, please refer to the Fortanix Confidential Computing Manager User Guide.
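
The backend checks described above, as an added example: this is a simplified model, not Fortanix code or the CCM API. All class, function and field names are hypothetical, and attestation verification is reduced to a boolean supplied by the caller.

```python
from dataclasses import dataclass, field

# Simplified model of the issuance decision; hypothetical names throughout.

@dataclass
class CertRequest:
    app: str
    csr_domains: list        # domains named in the CSR
    build_id: str            # identifies the converted image (build)
    attestation_valid: bool  # assumed result of enclave attestation verification
    node_id: str = ""        # attached by the node agent, not by the app

@dataclass
class Backend:
    # Whitelisting tasks: (app, kind, value) -> "PENDING" or "APPROVED"
    tasks: dict = field(default_factory=dict)

    def add_domain(self, app, domain):
        self.tasks[(app, "domain", domain)] = "PENDING"

    def add_build(self, app, build_id):
        self.tasks[(app, "build", build_id)] = "PENDING"

    def approve(self, app, kind, value):
        self.tasks[(app, kind, value)] = "APPROVED"

    def decide(self, req):
        """Return (issued, reasons); every check must pass for issuance."""
        reasons = []
        for d in req.csr_domains:  # each CSR domain needs its own approved task
            if self.tasks.get((req.app, "domain", d)) != "APPROVED":
                reasons.append(f"domain not whitelisted: {d}")
        if self.tasks.get((req.app, "build", req.build_id)) != "APPROVED":
            reasons.append(f"build not whitelisted: {req.build_id}")
        if not req.attestation_valid:
            reasons.append("no valid enclave attestation")
        return (not reasons, reasons)

def agent_forward(req, node_id):
    """Node agent step: attach the node-id before sending to the backend."""
    req.node_id = node_id
    return req

if __name__ == "__main__":
    b = Backend()  # constructed sample data below
    b.add_domain("app1", "app1.example.com")
    b.add_build("app1", "build-1")
    req = agent_forward(CertRequest("app1", ["app1.example.com"], "build-1", True), "node-A")
    print(b.decide(req))   # tasks still pending, so the request is refused
    b.approve("app1", "domain", "app1.example.com")
    b.approve("app1", "build", "build-1")
    print(b.decide(req))   # all checks pass
```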