commit 2b3119d0e207046d5f92cdfd88e5bab0f2ffd843
parent 6cf3b3c0dcdf27840fe1994632e1ee8d021d1468
Author: Joris Vink <joris@coders.se>
Date: Wed, 11 Jul 2018 11:53:56 +0200
add overview of how the keymgr works
Diffstat:
src/keymgr.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+), 0 deletions(-)
diff --git a/src/keymgr.c b/src/keymgr.c
@@ -14,6 +14,23 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/*
+ * The kore keymgr process is responsible for managing certificates
+ * and their matching private keys.
+ *
+ * It is the only process in Kore that holds the private keys (the workers
+ * do not have a copy of them in memory).
+ *
+ * When a worker requires the private key for signing it will send a message
+ * to the keymgr with the to-be-signed data (KORE_MSG_KEYMGR_REQ). The keymgr
+ * will perform the signing and respond with a KORE_MSG_KEYMGR_RESP message.
+ *
+ * The keymgr can transparently reload the private keys and certificates
+ * for a configured domain when it receives a SIGUSR1. It it reloads them
+ * it will send the newly loaded certificate chains to the worker processes
+ * which will update their TLS contexts accordingly.
+ */
+
#include <sys/types.h>
#include <sys/stat.h>
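Review bot: The last paragraph of the added overview has a typo that obscures the condition: `It it reloads them` should read `If it reloads them`. The overview also stops short of stating the limit of the separation it describes. Since a worker submits to-be-signed data via KORE_MSG_KEYMGR_REQ, the design appears to protect the private keys from disclosure rather than from use by a worker. If that matches the request handler, a line such as `* Workers never see key material, but any worker can ask for a signature.` would make the trust boundary explicit. It would also help to say whether the keymgr validates the requesting worker, domain and payload length before signing, since none of that code is visible in this hunk.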