TLS
Digital Signal PSI runs its own internal Certificate Authority (CA) based on smallstep (https://smallstep.com). This lets us issue internal TLS certificates for services instead of falling back to self-signed certificates: clients only need to trust our single root CA rather than each service's certificate individually.
Interacting with the CA is done with the step CLI.
Installation instructions for the CLI are in the smallstep documentation.
After installation, point the CLI at our CA instance with the following command:
step ca bootstrap \
--ca-url https://172.16.0.112:8443 \
--fingerprint bd2583d014f0dbaeb49fe79d95f4507873371da36071d2aa3a2d7ac7cda4ff1e
The fingerprint pins the root certificate: bootstrap downloads root_ca.crt from the CA URL and only accepts it if the SHA-256 fingerprint of the downloaded certificate matches, so a host that merely answers on 172.16.0.112:8443 cannot hand you a different root. Treat the fingerprint above as the source of truth and never copy it from the CA response itself; if the command reports a fingerprint mismatch, stop and investigate rather than re-running with the reported value.
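The fingerprint passed to step ca bootstrap is the SHA-256 hash of the DER-encoded root certificate, the same value step certificate fingerprint prints. The following script is an added example (not part of this page's procedure and not smallstep code) that recomputes that value from a PEM file with only the Python standard library, so a root_ca.crt obtained out of band can be checked against the documented fingerprint on a machine that has neither the CA reachable nor the step binary installed. The accepted fingerprint spellings (colon-separated, upper case, a leading sha256: prefix) are a convenience assumption of this script; step itself prints bare lowercase hex. The embedded sample PEM is constructed for the test and wraps the bytes "hello", not a real certificate.

```python
"""Cross-check a step-ca root certificate against a pinned fingerprint.

Added example for this page: `step ca bootstrap --fingerprint` pins the root
CA by the SHA-256 hash of its DER encoding. This standalone checker recomputes
that hash from a PEM file with only the standard library, so root_ca.crt
received out of band can be verified without trusting the CA endpoint or a
step binary on the current host.
"""
import base64
import hashlib
import re
import sys

# First CERTIFICATE block in a PEM file; step's root_ca.crt contains exactly one.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM document."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks inside the base64
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER encoding, lowercase hex, as `step certificate fingerprint` prints it."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept common display forms (colons, spaces, upper case, 'sha256:' prefix).

    Accepting these spellings is an assumption of this script; step prints bare hex.
    """
    value = value.strip()
    if value.lower().startswith("sha256:"):
        value = value[len("sha256:"):]
    value = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return value


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True only if the certificate's fingerprint equals the pinned one."""
    return fingerprint(pem_text) == normalize_fingerprint(expected)


# Constructed sample input: a syntactically valid PEM wrapper around the five
# bytes b"hello". It is not a real certificate, but the hashing is identical.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"
SAMPLE_FINGERPRINT = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"  # sha256(b"hello")


def main(argv: list) -> int:
    """Usage: check_root.py root_ca.crt <expected-fingerprint>; exit 0 only on a match."""
    if len(argv) != 3:
        print(__doc__)
        return 2
    with open(argv[1]) as fh:
        ok = fingerprint_matches(fh.read(), argv[2])
    print("OK: fingerprint matches" if ok else "MISMATCH: do not trust this root")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as check_root.py root_ca.crt bd2583d0…4ff1e against the fingerprint documented above; a non-zero exit means the file you were given is not the root the CLI would have accepted, and should not be installed into any trust store.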
How to
Trust the root CA certificate on your system
Install the root CA certificate in your system trust-store.
This can be done using the step CLI with the following command:
step certificate install $(step path)/certs/root_ca.crt
Note
WSL users: you need to trust the root certificate both in Windows and in your WSL instance, because they use separate trust stores.
To install it in Windows, open root_ca.crt from Explorer, click "Install Certificate...", and place it explicitly in the "Trusted Root Certification Authorities" store rather than letting Windows choose the store automatically (it would otherwise land in Intermediate Certification Authorities and browsers would still reject our certificates).
Manually generate a signed certificate
Use:
step ca certificate <subject> <output-crt-file> <output-key-file>
Refer to the command-line reference for more information.
Select the JWK provisioner when prompted (or pass it explicitly with --provisioner).
The provisioner password is stored in provisioning/host_vars/ds-psi-management/secrets.sops.yml; it is SOPS-encrypted, so decrypt it locally when needed and never commit or paste it in plaintext.
Note that step-ca issues short-lived certificates (24 hours by default), so a certificate generated this way is meant for testing or one-off use; long-running services should renew with step ca renew instead of having someone re-issue them by hand.