Follow-up to the main support for TLS being added on the db hosts (as part of T134809).
This is more of a "decisions" ticket; each specific action decided on should get its own subticket:
- Pending, non-critical, to-be-decommissioned hosts: T111654#3010354
- Enforce TLS by all clients
- Once it is enforced, which cipher suite and key size are preferred?
- Renewal policy
- Enforce TLS for MySQL acting as a client (the replication user) and make sure the server certificate is actually verified, not just encrypted
- Do we have a plan in case of disaster?
- Plans in case a) one server's or client's private key is compromised, b) the CA is fully compromised
- Check validity/expiration of certificates in icinga
- Add names other than the public DNS name to the certs (s1-master, s1-replica, IP address, etc.)
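As an added example (not from this ticket or the puppet repo), the following shell script shows what the icinga check from the list above and the SAN check could look like: it exits with icinga's OK/WARNING/CRITICAL/UNKNOWN codes based on how long a certificate is still valid, and it tests whether a given DNS name or IP address is present as a subjectAltName. The host name db1001.eqiad.wmnet, the alias s1-master, the IP 10.64.0.1 and the 30/7 day thresholds are assumptions; the sample certificate is self-signed and constructed inside the script only so it runs offline. Fetching the live certificate from a server uses OpenSSL's MySQL STARTTLS support (OpenSSL 1.1.1 or newer) and needs network access.

```shell
#!/bin/sh
# Added example for the TLS decisions ticket; not code from the ticket itself.
set -u

# Return 0 if the PEM certificate in $1 is still valid $2 days from now.
# -checkend is portable across OpenSSL versions, unlike parsing notAfter dates.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if the PEM certificate in $1 lists $2 as a DNS or IP SAN.
# -w makes "s1-master" not match "s1-master2" and 10.64.0.1 not match 10.64.0.10.
cert_has_san() {
    san_line=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    echo "$san_line" | grep -qwF "DNS:$2" || echo "$san_line" | grep -qwF "IP Address:$2"
}

# Icinga plugin conventions: exit 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# $1 = certificate file, $2 = warning threshold in days, $3 = critical threshold.
check_cert_file() {
    pem=$1; warn_days=${2:-30}; crit_days=${3:-7}
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "UNKNOWN - cannot parse certificate $pem"; return 3
    fi
    if ! cert_valid_for_days "$pem" "$crit_days"; then
        echo "CRITICAL - $pem expires within $crit_days days"; return 2
    fi
    if ! cert_valid_for_days "$pem" "$warn_days"; then
        echo "WARNING - $pem expires within $warn_days days"; return 1
    fi
    echo "OK - $pem valid for more than $warn_days days"; return 0
}

# Save the leaf certificate that the MySQL server $1 presents into file $2.
# MySQL negotiates TLS inside its own handshake, hence -starttls mysql.
# Needs network access, so it is not exercised in the offline demo below.
fetch_mysql_cert() {
    openssl s_client -starttls mysql -connect "$1:3306" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Constructed sample input: a self-signed certificate carrying the kinds of
# SANs the ticket asks for (public DNS name, role alias, IP). Names are invented.
# $1 = cert path, $2 = key path, $3 = validity in days.
make_sample_cert() {
    out_cert=$1; out_key=$2; valid_days=$3
    cnf=$(mktemp)
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = db1001.eqiad.wmnet
[v3_san]
subjectAltName = DNS:db1001.eqiad.wmnet,DNS:s1-master,IP:10.64.0.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out_key" -out "$out_cert" \
        -days "$valid_days" -config "$cnf" >/dev/null 2>&1
    rm -f "$cnf"
}

# Offline demo: run as "sh check_db_tls.sh --demo". The sample cert lasts
# 10 days, so the check lands in WARNING (under 30) but not CRITICAL (over 7).
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_cert "$work/cert.pem" "$work/key.pem" 10
    check_cert_file "$work/cert.pem" 30 7
    for name in db1001.eqiad.wmnet s1-master s1-replica 10.64.0.1; do
        if cert_has_san "$work/cert.pem" "$name"; then
            echo "SAN present: $name"
        else
            echo "SAN missing: $name"
        fi
    done
    rm -rf "$work"
fi
```

For the replication item, note that on the replica side MASTER_SSL=1 in CHANGE MASTER TO only encrypts the channel; the master's certificate is checked against the configured CA only when MASTER_SSL_VERIFY_SERVER_CERT=1 is set as well, so a check like the above should be paired with that setting rather than treated as proof that replication is verified.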