WIP: rotate root CA #433
base: main
Commits on Oct 6, 2024
Cleanup: move private functions to the bottom on x509/golang.go
This is a trivial change which makes the code layout more clear. Further commits will make gradual changes to this module. Hence, keeping the public interface on the top helps a lot.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit ac73fed
Cleanup: spin up ca_utils.go and extract parseCerts into it
This starts making common CA routines more navigable. There will be more functions added to it during the course of this PR.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 3dd38cc
Cleanup: add a function to define standard HSM flags
In 80% of use cases they are exactly the same for all PKI related commands.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 43f1a9d
Cleanup: move HSM args validation into a better place
The x509 common package should not know anything about the argument parsing or validation. That is a sole responsibility of the subcommands.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 154ffb7
Feature: a facade factory root renewal command
A command help and examples will be extended as new sub-commands are being added.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 1356e68
Feature: show currently active factory root CA
This is the Root CA that is used to sign Device CAs and TLS certificates. Several factory root CAs can be valid at the same time, but only one of them can be active.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit b70fb03
Feature: a command to start root CA renewal process (w/o HSM)
This adds the first workflow command of the root CA renewal, which generates the EST-compliant CA renewal bundle and uploads it to the server. This is a bare minimum implementation, further extended with auxiliary features in later commits. For example, HSM support is added in the next commit. That approach allows decreasing the level of complexity while traversing commits.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 4043eb2
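What an EST-style root renewal bundle lets a device do, as an added example that is not code from this PR: it assumes the bundle follows the root CA key update scheme EST (RFC 7030) takes from RFC 4210, with cross-certificates OldWithNew and NewWithOld next to the self-signed roots. The helper names and the root name are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue certifies pub under signer. Old and new root share one (constructed)
// name, so the template doubles as the issuer in every case.
func issue(serial int64, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Factory Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, signer))))
}

func rolloverBundle() (oldOld, oldNew, newOld, newNew *x509.Certificate) {
	oldKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return issue(1, &oldKey.PublicKey, oldKey), // OldWithOld: current trust anchor
		issue(2, &oldKey.PublicKey, newKey), // OldWithNew: old key certified by new key
		issue(3, &newKey.PublicKey, oldKey), // NewWithOld: new key certified by old key
		issue(4, &newKey.PublicKey, newKey) // NewWithNew: future trust anchor
}

// trusts reports whether cert verifies with anchor as the only trusted root.
func trusts(anchor, cert *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	oo, on, no, nn := rolloverBundle()
	fmt.Println(trusts(oo, no), trusts(oo, nn), trusts(nn, on), trusts(nn, oo))
}
```

A device that trusts only the old root accepts the new key through NewWithOld but rejects the bare NewWithNew, which is why the cross-certificates have to reach devices before the active root is switched.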
Feature: support HSM for the PKI root CA renewal
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit ce002f2
Feature: write the root CA renewal bundle to file
This is useful from 2 perspectives:
1. A user may want to view the certificates (e.g. using openssl storeutl).
2. A user may need to (re-)upload this file to the API (e.g. while experimenting or fixing a broken PKI).
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 0100578
Feature: commands to trigger root CA renewal on devices
This closely resembles the `rotate-cert` commands layout by adding two new commands:
- A `devices config renew-root` for device level config.
- A `config renew-root` for group and factory level configs.

The key difference is the support for factory-wide config change. That is needed to facilitate the root CA renewal for group-less devices and devices (auto-)registered in the future.

The created config needs a correlation ID which is fetched from the server. The server generates a new correlation ID upon any changes to the root CA bundle; the entire change log is stored for audit. This is needed so that config updates triggered for the same root CA renewal (but different devices) are counted as one. That allows accurately calculating a number of already updated devices, before proceeding to the next root CA renewal step.

I am not sure if the proposed layout is the best one from the user convenience perspective. The other option was to add a single command like `keys ca renewal deploy [-g | -d]`. That has its pros and cons, so I am open to start a discussion on it.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit b2ce7fe
Feature: a command to activate a specific root CA
This command can be used two-way to switch between old and new root CA. It is made a standalone command to give the user a better grasp of what is going on.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit cbd3f21
Feature: a command to re-sign device CAs
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 8dd4ef8
Feature: copy private key files for Device CAs during Root CA renewal
There are several sub-use cases here:
- A user may lose all or a part of Device CA private keys.
- A user may keep these private key files in different folders.
- A user may wish to not copy them into a new PKI folder.

All of the above use cases are supported by this extension.
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit e51fd5a
Feature: a command to re-sign TLS certificates
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 7fec7d2
Feature: an ability to revoke an old Root CA
Signed-off-by: Volodymyr Khoroz <[email protected]>
Commit 039da9f