dataoneorg / ca Goto Github PK

Writing up from a slack convo with @datadavev and @mbjones

As part of Metacat's move to k8s we want to "cross-sign" our DataONE intermediate CA cert, because the current version is signed with a sha1 ca root, which is not supported by modern servers when verifying client certs.

For context, see:

• GH issue 100: The sign algorithm of DataONE production CA certificate is too weak

It seems like the following should result in a usable system:

1. Create a new CA Root cert, self signed using sha265
2. Create a new Intermediate cert:
   • containing the same Subject DN as the current intermediate
   • containing the same Public Key as the current intermediate, and
   • signed using the new sha265 CA Root

I already have a client cert kindly issued by @datadavev from the sha1 DataONE Test Intermediate CA (signed by the sha1 DataONE Test Root CA), so a good experiment might be to create a new sha256 test root cert and use it to sign a new sha256 intermediate with the constraints listed above. I could then try this out on a metacat k8s install, and test with my existing client cert.

Open to feedback and discussions, if any of this seems off-base. It's all new to me :-)