
PKI/Policy

From Wikitech

Root CA

The root CA is managed on a dedicated server. New intermediate certificates need to be created on this server and copied into puppet manually, as described on the root CA page.

Certificate Parameters

The root CA is configured with the following parameters:

  • Algorithm: ecdsa-with-SHA512
  • Size: 521 (the NIST P-521 curve)
  • Key Usage: Certificate Sign, CRL Sign
  • pathlen: N/A
  • Expiry: 10 years

Intermediate CA

The intermediate CAs are managed via puppet, with the private key distributed via the puppet private repo. Hosts with a puppet agent certificate are able to request certificates via the cfssl API at https://pki.discover.wmnet:8888 or by using the puppet profile profile::pki::client.


When to create a new intermediate CA

For systems or services which just need a certificate to expose an HTTPS endpoint internally, such as services set up with DNS/Discovery records, the advice is to just use the discovery intermediate CA.

If you want to set up a service which requires mutual TLS via client auth, then you should set up a new intermediate CA for that specific service. This means that a compromise of one mutual TLS client certificate doesn't give access to all client-auth-protected services. We currently have intermediates for:

Certificate parameters (defaults)

  • Algorithm: ecdsa-with-SHA512
  • Size: 521 (the NIST P-521 curve)
  • Key Usage: Certificate Sign, CRL Sign
  • pathlen: 1
  • Expiry: 5 Years

Default signing policies

By default, intermediate CAs use the following defaults for all signing requests.

The defaults can also be overridden by specifying a profile to use. By default we configure additional OCSP and server profiles.

Over time we hope to reduce the expiry down to 24 hours; however, we would like to get more operational experience first.

OCSP profile

This profile is only used for creating the OCSP signing certificate for the specific intermediate CA.

  • Key Usage: digital signature, OCSP signing
  • Expiry: 43800h (5 years)

Server profile

This profile is used for the ordinary TLS server certificates issued by the intermediate CA (the server auth key usage below).

  • Key Usage: digital signature, key encipherment, server auth
  • Expiry: 4 weeks
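The two profiles above, together with the defaults section, are what the cfssl signer loads from its signing configuration. The following is an added example, not code from this page or from the Wikimedia puppet repository: it builds a cfssl `signing` section with the OCSP and server profiles as described here and checks it against the stated policy (required key usages, and expiry no longer than 43800h for OCSP and 4 weeks for server certificates), rejecting a profile that would let a leaf certificate carry CA-only usages. The key usage strings follow cfssl's own vocabulary; the values in the `default` block are an assumption, since the page does not list them.

```python
"""Policy check for a cfssl signing configuration (added example).

Builds the kind of "signing" section an intermediate CA served by cfssl
uses and checks it against the profile policy on this page:
  ocsp:   digital signature + ocsp signing, expiry 43800h
  server: digital signature + key encipherment + server auth, expiry 4 weeks
Assumption: the "default" block values are not stated on the page and are
invented here for illustration.
"""
import json
import re

# Subset of the key-usage names cfssl accepts in a profile's "usages" list.
KNOWN_USAGES = {
    "signing", "digital signature", "key encipherment", "cert sign",
    "crl sign", "server auth", "client auth", "ocsp signing",
}

WEEK_HOURS = 7 * 24

# Policy from this page: maximum expiry and required usages per profile.
POLICY = {
    "ocsp": {
        "max_expiry_h": 43800,
        "required": {"digital signature", "ocsp signing"},
    },
    "server": {
        "max_expiry_h": 4 * WEEK_HOURS,
        "required": {"digital signature", "key encipherment", "server auth"},
    },
}

# Usages only the CA certificate itself may carry; never in a leaf profile.
CA_ONLY_USAGES = {"cert sign", "crl sign"}

# Constructed sample config; load with `cfssl serve -config` or multirootca.
SIGNING_CONFIG = {
    "signing": {
        # Assumed values: the page does not list the default usages/expiry.
        "default": {
            "usages": ["digital signature", "key encipherment", "server auth"],
            "expiry": "672h",
        },
        "profiles": {
            "ocsp": {
                "usages": ["digital signature", "ocsp signing"],
                "expiry": "43800h",
            },
            "server": {
                "usages": ["digital signature", "key encipherment", "server auth"],
                "expiry": "672h",  # 4 weeks
            },
        },
    }
}

_DURATION = re.compile(r"^(\d+)(h|m|s)$")


def expiry_hours(value):
    """Parse a cfssl expiry such as '43800h' (Go-style duration; h/m/s only) into hours."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported expiry {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    return n / {"h": 1, "m": 60, "s": 3600}[unit]


def check_policy(config):
    """Return a list of policy violations; an empty list means the config conforms."""
    problems = []
    profiles = config["signing"]["profiles"]
    for name, rule in POLICY.items():
        if name not in profiles:
            problems.append(f"profile {name!r} missing")
            continue
        prof = profiles[name]
        usages = set(prof.get("usages", []))
        unknown = usages - KNOWN_USAGES
        if unknown:
            problems.append(f"{name}: unknown usages {sorted(unknown)}")
        missing = rule["required"] - usages
        if missing:
            problems.append(f"{name}: missing usages {sorted(missing)}")
        if usages & CA_ONLY_USAGES:
            problems.append(f"{name}: leaf profile must not carry {sorted(usages & CA_ONLY_USAGES)}")
        hours = expiry_hours(prof["expiry"])
        if hours > rule["max_expiry_h"]:
            problems.append(f"{name}: expiry {prof['expiry']} exceeds {rule['max_expiry_h']}h")
    return problems


def render(config):
    """Serialise the config as JSON for cfssl; JSON has no comments, so policy notes live here."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    print(render(SIGNING_CONFIG))
    print("violations:", check_policy(SIGNING_CONFIG))
```

Run it against the rendered JSON before shipping a new intermediate's config: a server profile that quietly grows a "cert sign" usage or a year-long expiry is reported, while the conforming sample returns no violations.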

OCSP Responder

Currently the OCSP responder runs on the same host as the intermediate signing server. We currently maintain a patch so that the OCSP refresh service is able to work with the same database used by cfssl-multirootca.

CA Bundles

CA bundles are maintained and available via http://pki.discover.wmnet/bundles/$ca.pem. Please note the shortcomings we currently have around bundles and intermediate certificates documented on the root CA page.