You are browsing a read-only backup copy of Wikitech. The live site can be found at

PKI/CA Operations

From Wikitech-static
Revision as of 13:03, 5 May 2021 by imported>Jbond
Jump to navigation Jump to search

The root CA is an offline signing CA. The root key is only stored on the root ca server and in (TODO: some offline location). When creating new intermediate certificates one will need to manully generate the on the root ca server and then copy the certificate content into puppet.

Intermediate Certificates

Creating an intermediate certificate is mostly a manual process however we do make use of puppet to ensure the certificate is created with the correct parameters

Current intermediates

  • debmonitor: Used for connections between debmonitor clients and the internal debmonitor client auth projected daemon
  • discovery: Used for connections between ATS and back-end origin servers

Adding a new intermediate

To add a new certificate we first neeed to add an entry to the profile::pki::root_ca::intermediates: array in hiera for the root CA server.

 - WMF_test_intermediate_ca

Once you have done this you will need to run puppet and the puppet ca server to create the public and private key pair. They should be created in /etc/cfssl/ssl/$intermediate_name and you should also see the puppet output.

$ sudo puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for
Info: Applying configuration version '(e739fdec88) Jbond - P:pki::root_ca: use correct title for intermediate certs'
Notice: The LDAP client stack for this host is: sssd/sudo
Notice: /Stage[main]/Profile::Ldap::Client::Labs/Notify[LDAP client stack]/message: defined 'message' as 'The LDAP client stack for this host is: sssd/sudo'
Notice: /Stage[main]/Profile::Pki::Root_ca/Cfssl::Cert[WMF_test_intermediate_ca]/File[/etc/cfssl/ssl/WMF_test_intermediate_ca]/ensure: created (corrective)
Notice: /Stage[main]/Profile::Pki::Root_ca/Cfssl::Cert[WMF_test_intermediate_ca]/Exec[Generate cert WMF_test_intermediate_ca]/returns: executed successfully (corrective)
Notice: /Stage[main]/Profile::Pki::Root_ca/Cfssl::Cert[WMF_test_intermediate_ca]/File[/etc/cfssl/ssl/WMF_test_intermediate_ca/WMF_test_intermediate_ca.pem]/mode: mode changed '0644' to '0440' (corrective)
Notice: /Stage[main]/Profile::Pki::Root_ca/Cfssl::Cert[WMF_test_intermediate_ca]/File[/etc/cfssl/ssl/WMF_test_intermediate_ca/WMF_test_intermediate_ca-key.pem]/mode: mode changed '0600' to '0440' (corrective)
Notice: /Stage[main]/Profile::Pki::Root_ca/Cfssl::Cert[WMF_test_intermediate_ca]/File[/etc/cfssl/ssl/WMF_test_intermediate_ca/WMF_test_intermediate_ca.csr]/mode: mode changed '0644' to '0440' (corrective)
Notice: Applied catalog in 4.94 seconds

Once you have generated the new certificate you will need to copy the certificate file to the public puppet repo (modules/profile/files/pki/intermediates/$CN.pem) and the private key to the secret store (currently puppet private repo modules/secret/secrets/pki/intermediates/$CN.pem). You will also need to add an entry under the profile::pki::multirooca::intermediates: key. Note the location of the certificate and key must go in the specified paths for puppet to find them e.g.

    ocsp_port: 10001
    # The following parameters are optional and override the defaults
        key: $custom_key
        type: standard
        expiry: 8760h
          - 'digital signature'
          - 'key encipherment'
          - 'server auth'
          - 'client auth'

Adding to defaulkt trust store

You may want to add the new intermidiates to ca-certificates so it is automaticly trused to do this add it the new ca to profile::base::certificates::wmf_intermidiates in hieradata/common/profile/base/certificates.yaml

Renewing a new intermediate

The root pki root server will automaticity renew intermediated certificates it manages and resign the public key on disk on the root CA server however it will be required to upload the certificate to the puppet repo e.g. profile/pki/intermediates/$CA.pem. Further at the time of writing certificate bundles are only ever fetched once by puppet. As such you will need to run a cumin command to delete the current intermediate certificates and have puppet re-download the new one.

$ cumin 'R:cfssl::cert%label = $CA' 'rm /etc/cfssl/$CA_chain.pem'

This is not ideal and is an area we shuold improve. some possible solutions

  • use puppet to fetch the resource via http directly. This would rely on the `last-modified` header so would automaticity update the bundles but would also cause a lot of unnecessary head requests to check this value on every puppet run
  • make the re-querement to store the public intermidate cert in profile/pki/intermediates/ a MUST. This would allow other modules to pull the intermediate directly from puppet but ties the puppet code to WMF specifics
  • Look to add bundle support to the genkey and sign commands Upstream doesn't seem to have moved on this so it may mean maintaining a patch
  • reimplement the genkey and sign commands using the api directly, which does support the bundle option. Requires maintaining our own puppet provider/type

Revoking certificates

If you are required to revoke a certificate you can use the cfssl-certs revoke command which expects the public certificate file as input

$ cfssl-certs -vvvv revoke -R cessationOfOperation /etc/cfssl/signers/debmonitor_discovery_wmnet/ca/debmonitor_discovery_wmnet.pem
DEBUG:root:running: /usr/bin/cfssl revoke -db-config /etc/cfssl/db.conf -serial 436540461805550888668031556404920484612797891140 -aki 3bada271e634bd1bfc80bf35718391d0ef691336 -reason cessationOfOperation


OCSP responses are generated on the multicaroot server however the OCSP signing certificate is created on the Root CA server in a similar way to the the intermediates i.e. it is generated using the cfssl::cert resource and files are maintained on the root ca server. however you will need to copy the certificate to the puppet repo (modules/profile/files/pki/ROOT/$CN.pem) and secret store (pki/ROOT/$CN.pem). This is only an issue when boot strapping or if you need to extend the life of the ocsp certificate

Boot strapping

When installing a new root CA or in the unfortunate event of having to revoke and replace the current root CA one must follow a number of boot strapping steps to create the initial root ca key. for this we will first need to create a csr.json file like the following (the one below is used in the cloud pki project). Please save this file into /etc/cfssl/csr/$CN.json

    "CN": "WMF_TEST_CA",
    "CA": {
        "expiry": "87600h"
    "key": {
        "algo": "ecdsa",
        "size": 521
    "names": [
            "C":  "US",
            "L":  "San Francisco",
            "O":  "Wikimedia Foundation, Inc",
            "OU": "Cloud Services",
            "ST": "California"

With this we can create the initial root ca certificate and private key. One should ultimately store these files in /etc/cfssl/signers/$CN/ca/

$ cd /etc/cfssl/signers/WMF_TEST_CA/ca
$ cfssl genkey -initca /etc/cfssl/csr/WMF_TEST_CA.json | cfssljson -bare ca
2021/03/03 13:51:50 [INFO] generate received request
2021/03/03 13:51:50 [INFO] received CSR
2021/03/03 13:51:50 [INFO] generating key: ecdsa-521
2021/03/03 13:51:50 [INFO] encoded CSR
2021/03/03 13:51:50 [INFO] signed certificate with serial number 518380654990553637914228602044849101209208053364
$ ls -l
total 12
-rw-r--r-- 1 root root  708 Mar  3 13:52 ca.csr
-rw------- 1 root root  365 Mar  3 13:52 ca-key.pem
-rw-r--r-- 1 root root 1066 Mar  3 13:52 ca.pem
$ openssl x509 -in ca.pem -noout -text
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = WMF_TEST_CA
            Not Before: Mar  3 13:54:00 2021 GMT
            Not After : Mar  1 13:54:00 2031 GMT
        Subject: C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = WMF_TEST_CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier: 
    Signature Algorithm: ecdsa-with-SHA512

Once you have the key you will need to upload the public part of the key to the puppet/operations repo recommended to place in modules/profile/files/pki/ROOT/$CN.pem