PKI/Policy
Revision as of 11:18, 9 March 2021
ROOT CA
The root CA is managed on a dedicated server. New intermediate certificates need to be created on this server and copied into puppet manually, as described on the root CA page.
Certificate Parameters
The root CA is configured with the following parameters:
- Algorithm: ecdsa-with-SHA512
- Size: 521
- Key Usage: Certificate Sign, CRL Sign
- pathlen: N/A
- Expiry: 10 years
Intermediate CA
The intermediate CAs are managed via puppet, with the private key distributed via the puppet private repo. Hosts with a puppet agent certificate are able to request certificates via the cfssl API at https://pki.descover.wmnet:8888 or by using the puppet profile profile::pki::client.
When to create a new intermediate CA
We should create a new intermediate CA for every unique service that requires TLS termination. This means, for example, that we would have separate intermediate CAs for debmonitor, database connections, backups, etc. Engineers should use the default profiles and options unless there is a reason not to, e.g. because the default expiry time is too short for the service; in most cases the short expiry is acceptable, as we can easily restart services.
Certificate Parameters (defaults)
- Algorithm: ecdsa-with-SHA512
- Size: 521
- Key Usage: Certificate Sign, CRL Sign
- pathlen: 1
- Expiry: 5 Years
Default signing policies
By default, intermediate CAs use the following settings for all signing requests.
The defaults can be overridden by specifying a profile to use; by default we configure additional ocsp and server profiles.
- Expiry: 96h
- Key Usage: digital signature, key encipherment, server auth
- OCSP URL: http://pki.descover.wmnet/ocsp/$CA_CN
- CRL URL: http://pki.descover.wmnet/crl/$CA_CN
Over time we hope to reduce the expiry down to 24 hours; however, we would like to get more operational experience first.
OCSP profile
This profile is only used for creating the OCSP signing certificate for the specific intermediate CA.
- Key Usage: digital signature, ocsp signing
- Expiry: 43800h
Server profile
This profile is used for creating TLS server certificates signed by the specific intermediate CA; its settings match the default signing policy.
- Key Usage: digital signature, key encipherment, server auth
- Expiry: 96h
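As an added example (not the project's own puppet or cfssl configuration), the following Python renders the default signing policy, the ocsp profile and the server profile described above into the layout cfssl expects in its signing config (the `signing.default` / `signing.profiles` sections with `expiry`, `usages`, `ocsp_url` and `crl_url`), substituting the CA's common name for `$CA_CN`, and then checks a config against the policy. The CA common name used at the bottom is a constructed value for illustration.

```python
"""Render and sanity-check a cfssl signing config for one intermediate CA.

The policy values (96h default expiry, 43800h ocsp profile, key usages and
the $CA_CN-templated OCSP/CRL URLs) are the ones stated on this page; the
JSON layout (signing.default / signing.profiles) is cfssl's signing config
format. The CA common name passed in at the bottom is a constructed example.
"""
import json
import re
from datetime import timedelta

# Policy values from the page.
DEFAULT_EXPIRY = "96h"
OCSP_EXPIRY = "43800h"
DEFAULT_USAGES = ["digital signature", "key encipherment", "server auth"]
OCSP_USAGES = ["digital signature", "ocsp signing"]
OCSP_URL_TEMPLATE = "http://pki.descover.wmnet/ocsp/$CA_CN"
CRL_URL_TEMPLATE = "http://pki.descover.wmnet/crl/$CA_CN"

# cfssl expiry strings are Go durations; this policy only uses whole hours.
_DURATION_RE = re.compile(r"^(\d+)h$")


def parse_expiry(value: str) -> timedelta:
    """Parse an hours-only Go duration such as '96h' into a timedelta."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unsupported expiry {value!r}; policy uses whole hours")
    return timedelta(hours=int(m.group(1)))


def signing_config(ca_cn: str) -> dict:
    """Build the cfssl 'signing' section for the intermediate CA named ca_cn."""
    ocsp_url = OCSP_URL_TEMPLATE.replace("$CA_CN", ca_cn)
    crl_url = CRL_URL_TEMPLATE.replace("$CA_CN", ca_cn)
    return {
        "signing": {
            "default": {
                "expiry": DEFAULT_EXPIRY,
                "usages": DEFAULT_USAGES,
                "ocsp_url": ocsp_url,
                "crl_url": crl_url,
            },
            "profiles": {
                # Only ever used to issue this CA's own OCSP signing certificate.
                "ocsp": {"expiry": OCSP_EXPIRY, "usages": OCSP_USAGES},
                # TLS server certificates; identical to the default policy.
                "server": {
                    "expiry": DEFAULT_EXPIRY,
                    "usages": DEFAULT_USAGES,
                    "ocsp_url": ocsp_url,
                    "crl_url": crl_url,
                },
            },
        }
    }


def policy_violations(config: dict) -> list:
    """Return the ways a signing config deviates from the page's policy.

    An empty list means the config conforms. The ocsp profile must carry
    'ocsp signing' and nothing server-facing; every other profile is a leaf
    profile that must stay within the 96h default and point at this CA's
    OCSP and CRL URLs with the $CA_CN placeholder already substituted.
    """
    problems = []
    signing = config["signing"]
    profiles = dict(signing["profiles"])
    profiles["default"] = signing["default"]
    for name, prof in profiles.items():
        usages = set(prof.get("usages", []))
        expiry = parse_expiry(prof["expiry"])
        if name == "ocsp":
            if "ocsp signing" not in usages or "server auth" in usages:
                problems.append("ocsp: profile must be ocsp-signing only")
            if expiry > parse_expiry(OCSP_EXPIRY):
                problems.append("ocsp: expiry exceeds 43800h")
        else:
            if expiry > parse_expiry(DEFAULT_EXPIRY):
                problems.append(f"{name}: expiry {prof['expiry']} exceeds 96h")
            if "ocsp signing" in usages:
                problems.append(f"{name}: leaf profile must not carry ocsp signing")
            urls = prof.get("ocsp_url", "") + prof.get("crl_url", "")
            if not (prof.get("ocsp_url") and prof.get("crl_url")):
                problems.append(f"{name}: missing ocsp_url/crl_url")
            elif "$CA_CN" in urls:
                problems.append(f"{name}: $CA_CN placeholder not substituted")
    return problems


if __name__ == "__main__":
    cfg = signing_config("debmonitor")  # constructed CA CN for illustration
    print(json.dumps(cfg, indent=2))
    print("violations:", policy_violations(cfg))
```

Running it prints the rendered config and an empty violation list; editing a profile (for example raising the server expiry to 720h, or adding "server auth" to the ocsp profile) makes `policy_violations` report the deviation, which is the kind of check worth running before a profile change lands in puppet.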
OCSP Responder
Currently the OCSP responder runs on the same host as the intermediate signing server. We currently maintain a patch so that the OCSP refresh service is able to work with the same database used by cfssl-multirootca.
CA Bundles
CA bundles are maintained and available via http://pki.descover.wmnet/bundles/$ca.pem. Please note the shortcomings we currently have around bundles and intermediate certificates, documented on the root CA page.