pkiSecret
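class OLVaultPKIIntermediateCABackend(ComponentResource):
    """Mount and configure the ``pki-intermediate-ca`` Vault PKI backend.

    This backend holds the intermediate CA that signs the per-environment
    intermediate PKI backends (see ``OLVaultPKIIntermediateEnvBackend``):

        Offline CA --- pki-intermediate-ca --- sign -----> pki-intermediate-mitx-qa
                                                           pki-intermediate-mitxpro-qa
                                                           pki-intermediate-...

    The intermediate's own certificate is not generated here: it arrives
    pre-signed by the offline CA as ``backend_config.intermediate_ca_pem_bundle``
    and is installed with ``SecretBackendIntermediateSetSigned``.

    Attributes:
        pki_intermediate_ca_backend: The ``pki`` mount at ``pki-intermediate-ca``.
        pki_intermediate_ca_set_signed: Installs the offline-CA-signed PEM bundle.
        pki_intermediate_ca_config_urls: CRL distribution point and issuing
            certificate URLs embedded in every certificate this backend signs.
    """

    # Mount path of the backend; also the path segment of the CRL/AIA URLs below.
    BACKEND_PATH = "pki-intermediate-ca"

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateCABackendConfig,
        opts: ResourceOptions = None,
    ):
        """Create the mount, install the signed bundle and publish the URLs.

        Args:
            backend_config: Lease TTLs for the mount and the PEM bundle
                (intermediate certificate plus its chain) signed by the offline CA.
            opts: Pulumi resource options; merged into every child resource.
        """
        super().__init__(
            "ol:services:Vault:PKI:IntermediateCABackend",
            self.BACKEND_PATH,
            None,
            opts,
        )
        # Parent every child to this component so the mount, the installed
        # certificate and the URL config are created, updated and destroyed
        # together; previously only the Mount received these options.
        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore
        self.pki_intermediate_ca_backend = Mount(
            self.BACKEND_PATH,
            opts=resource_options,
            path=self.BACKEND_PATH,
            type="pki",
            description="Backend to create certs for pki-intermediate-env backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )
        self.pki_intermediate_ca_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                "pki-intermediate-ca-set-signed",
                opts=resource_options,
                backend=self.pki_intermediate_ca_backend.id,
                # Installing the whole bundle (not just the leaf intermediate
                # cert) is presumably what gives this mount a multi-certificate
                # ``ca_chain``; the per-environment mounts only install a
                # single certificate.
                certificate=backend_config.intermediate_ca_pem_bundle,
            )
        )
        # These URLs are written into the CDP/AIA extensions of every
        # certificate this backend signs, so they must resolve to this mount's
        # own ``/crl`` and ``/ca`` endpoints or relying parties cannot fetch
        # revocation data. The previous f-strings left the attribute reference
        # un-braced and emitted it as literal text.
        self.pki_intermediate_ca_config_urls = pkisecret.SecretBackendConfigUrls(
            "pki-intermediate-ca-config-url",
            opts=resource_options,
            backend=self.pki_intermediate_ca_backend.id,
            crl_distribution_points=[f"{VAULT_API_URL}/{self.BACKEND_PATH}/crl"],
            issuing_certificates=[f"{VAULT_API_URL}/{self.BACKEND_PATH}/ca"],
        )
        self.register_outputs(
            {"pki_intermediate_ca": self.pki_intermediate_ca_backend.id}
        )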
class OLVaultPKIIntermediateEnvBackendConfig(BaseModel):
    """Settings for one per-environment intermediate PKI backend.

    Attributes:
        environment_name: Environment suffix of the mount, e.g. ``mitx-qa``
            (the mount is created at ``pki-intermediate-mitx-qa``).
        max_ttl: Maximum lease TTL handed to the mount, in seconds.
        default_ttl: Default lease TTL handed to the mount, in seconds.
    """

    # Appended to ``pki-intermediate-`` to form the mount path and resource names.
    environment_name: str
    # Both TTLs are passed straight through as the mount's *_lease_ttl_seconds.
    max_ttl: int = TWELVE_MONTHS
    default_ttl: int = TWELVE_MONTHS
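class OLVaultPKIIntermediateEnvBackend(ComponentResource):
    """Mount and configure a per-environment intermediate Vault PKI backend.

    The backend is mounted at ``pki-intermediate-<environment_name>``. A CSR is
    generated inside that mount (``type="internal"``, so the private key stays
    in Vault), signed by the ``pki-intermediate-ca`` backend -- which is in turn
    signed by the offline CA -- and the signed certificate is installed back
    into the mount.

    Attributes:
        pki_intermediate_environment_backend: The ``pki`` mount for the environment.
        pki_intermediate_environment_cert_request: The CSR generated in the mount.
        pki_intermediate_envrionment_cert_request: Historical, misspelled alias of
            the attribute above, kept so existing callers keep working.
        pki_intermediate_environment_signed_csr: The CSR signed by ``pki-intermediate-ca``.
        pki_intermediate_environment_set_signed: Installs the signed certificate.
        pki_intermediate_environment_config_urls: CRL/AIA URLs for issued certificates.
    """

    # Mount path of the CA that signs this environment's intermediate.
    SIGNING_BACKEND_PATH = "pki-intermediate-ca"

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateEnvBackendConfig,
        opts: ResourceOptions = None,
    ):
        """Create the mount, issue and sign its CSR, and publish the URLs.

        Args:
            backend_config: Environment name and lease TTLs for the mount.
            opts: Pulumi resource options; merged into every child resource.
        """
        backend_path = f"pki-intermediate-{backend_config.environment_name}"
        common_name = f"{backend_path} Intermediate Authority"
        # NOTE: the type token ends in "Config", which looks like a copy of the
        # config class name. It is kept as-is because the token is part of the
        # resource URN and changing it would replace already-deployed resources.
        super().__init__(
            "ol:services:Vault:PKI:IntermediateEnvBackendConfig",
            backend_config.environment_name,
            None,
            opts,
        )
        # Parent every child to this component (previously only the Mount was).
        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore
        self.pki_intermediate_environment_backend = Mount(
            backend_path,
            opts=resource_options,
            path=backend_path,
            type="pki",
            description=f"Backend to create certs for {backend_path} backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )
        # Generate the CSR inside the mount so the private key never leaves Vault.
        self.pki_intermediate_environment_cert_request = (
            pkisecret.SecretBackendIntermediateCertRequest(
                f"{backend_path}-csr",
                opts=resource_options,
                backend=self.pki_intermediate_environment_backend.id,
                common_name=common_name,
                type="internal",
                country=CERTIFICATE_CONFIG["country"],
                province=CERTIFICATE_CONFIG["state"],
                locality=CERTIFICATE_CONFIG["city"],
                organization=CERTIFICATE_CONFIG["organization"],
                ou=CERTIFICATE_CONFIG["organizational_unit"],
                postal_code=CERTIFICATE_CONFIG["zip_code"],
            )
        )
        # Backward-compatible alias under the original (misspelled) attribute name.
        self.pki_intermediate_envrionment_cert_request = (
            self.pki_intermediate_environment_cert_request
        )
        # Have pki-intermediate-ca sign the CSR.
        self.pki_intermediate_environment_signed_csr = (
            pkisecret.SecretBackendRootSignIntermediate(
                f"{backend_path}-signed-csr",
                opts=resource_options,
                backend=self.SIGNING_BACKEND_PATH,
                common_name=common_name,
                csr=self.pki_intermediate_environment_cert_request.csr,
            )
        )
        # NOTE(review): only the signed leaf certificate is installed here, so
        # this mount's ``ca_chain`` holds a single certificate, unlike
        # pki-intermediate-ca which is installed from a full PEM bundle. If
        # clients need the upstream certificates, the chain returned by the
        # signing resource would have to be appended -- confirm against the
        # provider version in use before changing this.
        self.pki_intermediate_environment_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                f"{backend_path}-signed-cert",
                opts=resource_options,
                backend=self.pki_intermediate_environment_backend.id,
                certificate=self.pki_intermediate_environment_signed_csr.certificate,
            )
        )
        # CDP/AIA URLs are baked into every certificate this mount issues; they
        # must point at this mount's own ``/crl`` and ``/ca`` endpoints or
        # revocation checks fail. The previous f-strings emitted the literal
        # text "backend_confg.environment_name" instead of the mount path.
        self.pki_intermediate_environment_config_urls = (
            pkisecret.SecretBackendConfigUrls(
                f"{backend_path}-config-url",
                opts=resource_options,
                backend=self.pki_intermediate_environment_backend.id,
                crl_distribution_points=[f"{VAULT_API_URL}/{backend_path}/crl"],
                issuing_certificates=[f"{VAULT_API_URL}/{backend_path}/ca"],
            )
        )
        self.register_outputs(
            {
                "pki_intermediate_environment_backend": (
                    self.pki_intermediate_environment_backend.id
                )
            }
        )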
`ca_chain` on the intermediate environment CA only has one cert, not the full chain.
`ca_chain` on intermediate-ca has two certs, while the intermediate-env-ca, which is signed by the intermediate-ca, only has one cert in its `ca_chain`.