HTTPS/WMF CA

From Wikitech

Introduction

WMF has occasionally found the need to host its own internal CA for some purposes. That is what WMF CA is. There are 2 WMF CAs at this point:

  • wmf_ca
  • wmf_ca_2014_2017

wmf_ca

This has finally been completely phased out and any references to it are historical. Any certificates issued by it have been reissued by the second one, and it has been removed from the puppet repo and any keystores. It should no longer be possible to use it to issue or revoke certs, etc.

wmf_ca_2014_2017

This is the current WMF CA. As the name indicates, it is set to expire in 2017. Should we still need it by then, we should be able to issue a new one and reissue the certificates very easily.

Howto

The puppet private repo holds all the information you might need to manipulate wmf_ca_2014_2017. There is a README there that should cover the basics.

Notes

If you want to re-issue a cert, don't forget to revoke the old one first, or you will get:

   failed to update database
   TXT_DB error number 2
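
A pre-flight check for the note above, as an added example (not taken from the private repo or its README): it assumes the CA is driven by `openssl ca`, whose database raises this TXT_DB error when `unique_subject` is left at its default and a valid entry for the same subject still exists. The function names, the index file passed in and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Before re-issuing, look in the CA database (index.txt) for a still-valid
# entry with the same subject. Tab-separated columns written by `openssl ca`:
#   1 status (V valid, R revoked, E expired)   2 expiry date
#   3 revocation date (empty unless revoked)   4 serial (hex)
#   5 file name                                6 subject DN

# Print the serial of every valid entry whose subject matches exactly.
# The subject is passed through the environment so awk does not
# reinterpret backslashes inside the DN.
valid_serials_for_subject() {
    SUBJ="$2" awk -F '\t' '$1 == "V" && $6 == ENVIRON["SUBJ"] { print $4 }' "$1"
}

# Return 0 if a new cert can be issued for the subject,
# 1 if an old one has to be revoked first.
check_reissue() {
    serials=$(valid_serials_for_subject "$1" "$2")
    if [ -n "$serials" ]; then
        echo "revoke first, still valid: serial $serials for $2" >&2
        return 1
    fi
    return 0
}

# Constructed sample database: host1 is still valid, host2 was revoked.
write_sample_index() {
    printf 'V\t170101000000Z\t\t01\tunknown\t/CN=host1.example.org\n' > "$1"
    printf 'R\t170101000000Z\t150601000000Z\t02\tunknown\t/CN=host2.example.org\n' >> "$1"
}

# Usage: sh check_reissue.sh /path/to/index.txt '/CN=host1.example.org'
if [ "$#" -eq 2 ]; then
    check_reissue "$1" "$2"
fi
```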