From cf88798992fc62810810378715b2839c061e1530 Mon Sep 17 00:00:00 2001
From: brenna-everett-caci
Date: Fri, 11 Oct 2024 09:34:48 -0500
Subject: [PATCH] replace milmove api certs
---
 .envrc | 4 ++--
 Dockerfile | 2 +-
 Dockerfile.local | 2 +-
 Dockerfile.reviewapp | 2 +-
 config/tls/README.md | 2 +-
 config/tls/dod-sw-ca-54.pem | 29 -----------------------------
 config/tls/dod-sw-ca-75.pem | 29 +++++++++++++++++++++++++++++
 7 files changed, 35 insertions(+), 35 deletions(-)
 delete mode 100644 config/tls/dod-sw-ca-54.pem
 create mode 100644 config/tls/dod-sw-ca-75.pem
diff --git a/.envrc b/.envrc
index 691b82cf1f4..d986fd29f6d 100644
--- a/.envrc
+++ b/.envrc
@@ -207,9 +207,9 @@ export DEVLOCAL_AUTH=true
 export DOD_CA_PACKAGE="${MYMOVE_DIR}/config/tls/milmove-cert-bundle.p7b"
 # MyMove client certificate
-# All of our DoD-signed certs are currently signed by DOD SW CA-66
+# All of our DoD-signed certs are currently signed by DOD SW CA-75
 # This cannot be changed unless our certs are all resigned
-MOVE_MIL_DOD_CA_CERT=$(cat "${MYMOVE_DIR}"/config/tls/dod-sw-ca-66.pem)
+MOVE_MIL_DOD_CA_CERT=$(cat "${MYMOVE_DIR}"/config/tls/dod-sw-ca-75.pem)
 require MOVE_MIL_DOD_TLS_CERT "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_cert'"
 require MOVE_MIL_DOD_TLS_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_key'"
 export MOVE_MIL_DOD_CA_CERT
diff --git a/Dockerfile b/Dockerfile
index e72ab339c44..9d8fa4fc867 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,7 @@ COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
 COPY bin/milmove /bin/milmove
 COPY config/tls/milmove-cert-bundle.p7b /config/tls/milmove-cert-bundle.p7b
-COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-66.pem
+COPY config/tls/dod-sw-ca-75.pem /config/tls/dod-sw-ca-75.pem
 COPY swagger/* /swagger/
 COPY build /build
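Review bot: `MOVE_MIL_DOD_CA_CERT=$(cat "${MYMOVE_DIR}"/config/tls/dod-sw-ca-75.pem)` on the added line has no failure check, so if the renamed file is absent the variable is silently exported empty, whereas the neighbouring TLS cert and key on the following lines go through `require`. A one-line guard ahead of the assignment keeps the failure visible: `[[ -r "${MYMOVE_DIR}/config/tls/dod-sw-ca-75.pem" ]] || printf 'missing config/tls/dod-sw-ca-75.pem\n' >&2`. Separately, the diffstat deletes only dod-sw-ca-54.pem, so dod-sw-ca-66.pem, which this hunk stops referencing, presumably stays in the tree; if nothing else reads it, removing it in the same change avoids leaving a stale issuer file beside the active one.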
diff --git a/Dockerfile.local b/Dockerfile.local
index 798f5d9c3e5..d64c11c34b4 100644
--- a/Dockerfile.local
+++ b/Dockerfile.local
@@ -27,7 +27,7 @@ COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-2019-roo
 COPY --from=builder --chown=root:root /home/circleci/project/bin/milmove /bin/milmove
 COPY config/tls/milmove-cert-bundle.p7b /config/tls/milmove-cert-bundle.p7b
-COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-66.pem
+COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-75.pem
 # While it's ok to have these certs copied locally, they should never be copied into Dockerfile.
 COPY config/tls/devlocal-ca.key /config/tls/devlocal-ca.key
diff --git a/Dockerfile.reviewapp b/Dockerfile.reviewapp
index 99fbf45409f..7de62db25f2 100644
--- a/Dockerfile.reviewapp
+++ b/Dockerfile.reviewapp
@@ -56,7 +56,7 @@ COPY migrations/app/secure /migrate/secure
 COPY migrations/app/migrations_manifest.txt /migrate/migrations_manifest.txt
 COPY config/tls/milmove-cert-bundle.p7b /config/tls/milmove-cert-bundle.p7b
-COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-66.pem
+COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-75.pem
 # While it's ok to have these certs copied locally, they should never be copied into Dockerfile.
 COPY config/tls/devlocal-ca.key /config/tls/devlocal-ca.key
diff --git a/config/tls/README.md b/config/tls/README.md
index 3591fec43c2..a3e9fa7e957 100644
--- a/config/tls/README.md
+++ b/config/tls/README.md
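Review bot: The added COPY line changes only the destination, so the source is still `config/tls/dod-sw-ca-66.pem` while the file lands as `/config/tls/dod-sw-ca-75.pem`; the image would carry the CA-66 certificate under the CA-75 name, diverging from the main Dockerfile hunk, which copies dod-sw-ca-75.pem on both sides. The line should read `COPY config/tls/dod-sw-ca-75.pem /config/tls/dod-sw-ca-75.pem`, and the Dockerfile.reviewapp hunk has the identical mismatch. Because the diffstat deletes only dod-sw-ca-54.pem, the stale CA-66 source presumably still exists, so the build would succeed and the wrong issuer would only surface later as a certificate verification failure.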
@@ -19,7 +19,7 @@ A description of the certificates in this directory will helpful:
 | `devlocal-faux-(air-force/all/army-hrc/coast-guard/marine-corps/navy)-orders.(cer/key)` | Certs signed by Devlocal CA for Orders API testing |
 | `devlocal-https.(key/pem)` | a self-signed TLS cert/key pair |
 | `devlocal-mtls.(cer/key)` | Certs signed by Devlocal CA for mTLS testing |
-| `dod-sw-ca-66.pem` | DoD SW CA-66 package |
+| `dod-sw-ca-75.pem` | DoD SW CA-75 package |
 | `dod-wcf-intermediate-ca-1-.pem` | DoD WCF Intermediate CA 1 for allowing TLS connectivity to AWS services in the BCAP |
 | `dod-wcf-root-ca-1-.pem` | DoD WCF Root CA 1 for allowing TLS connectivity to AWS services in the BCAP |
 | `ECA_Root_CA_4.cer` | ECA Root CA4. Issuer of IdenTrust ECA Component S23 |
diff --git a/config/tls/dod-sw-ca-54.pem b/config/tls/dod-sw-ca-54.pem
deleted file mode 100644
index 9116d5bd91a..00000000000
--- a/config/tls/dod-sw-ca-54.pem
+++ /dev/null
@@ -1,29 +0,0 @@
-subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD SW CA-54
-issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
------BEGIN CERTIFICATE-----
-MIIEjzCCA3egAwIBAgICASwwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx
-GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQL
-EwNQS0kxFjAUBgNVBAMTDURvRCBSb290IENBIDMwHhcNMTYxMTIyMTM1MTI4WhcN
-MjIxMTIzMTM1MTI4WjBaMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPVS5TLiBHb3Zl
-cm5tZW50MQwwCgYDVQQLDANEb0QxDDAKBgNVBAsMA1BLSTEVMBMGA1UEAwwMRE9E
-IFNXIENBLTU0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq0wnaj/j
-ZzXRnZnNDN5rMZW7OmPPcrG+8IQW6oHretQqvj/HCnAyX3sl5TvT6bLCG4UfLBAx
-4VRCvpsVW9fME/43E+N8pyUDjlhYe8BHO9e0RfbVjMgDh6tLagvjN3MfThg8E94C
-6TRisdifkP6WonplO1sbv8YD49GjmBWLs8KtU3xzw/StQrwNfymY8aW4lXJQa/Ca
-+FXzz/tRh7Mclrlz6QCzgdHAliWK4s5tsXDxeZls2/tvTaZQCVCiyccDdc//lYzL
-UIwg3lnPcoV6CPhhw+QW4q42Y4oSu48Z9g/fAvqhrK1U0S9mHl1vWLDTHI3hkwmd
-T/O2WgKh8nvx8wIDAQABo4IBXDCCAVgwHwYDVR0jBBgwFoAUbIqUonexgHIdgXoW
-qvLczmbuRcAwHQYDVR0OBBYEFLC3KL8sBImKdCavqhOMAhBVgXmxMA4GA1UdDwEB
-/wQEAwIBhjA9BgNVHSAENjA0MAsGCWCGSAFlAgELJDALBglghkgBZQIBCycwCwYJ
-YIZIAWUCAQsqMAsGCWCGSAFlAgELOzASBgNVHRMBAf8ECDAGAQH/AgEAMAwGA1Ud
-JAQFMAOAAQAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5kaXNhLm1pbC9j
-cmwvRE9EUk9PVENBMy5jcmwwbAYIKwYBBQUHAQEEYDBeMDoGCCsGAQUFBzAChi5o
-dHRwOi8vY3JsLmRpc2EubWlsL2lzc3VlZHRvL0RPRFJPT1RDQTNfSVQucDdjMCAG
-CCsGAQUFBzABhhRodHRwOi8vb2NzcC5kaXNhLm1pbDANBgkqhkiG9w0BAQsFAAOC
-AQEAZF047yS8bq8lkMpoxFrJjmbdD1TNpjnWRmImQ32uPwNkrDbspNJ4GdqAh3N6
-ueIMcPUSmrIEs9GRZGJzOeTQ6tcQKCyWy+npsI1DQ/k5Xz0H375Bw17gnq2Bpjdy
-s8zeg8I+2lDOjSNr7RgVWWB+2sVWXdvILx4Wkh6vX57uEud046HBmc4NeDiHAer8
-NIac5A7e379NRyuusNGXkAm3g7GsE/Y7MrFsKKsMlHb+gFXVgD0DBhtF22YqmA/R
-QvTz7Ij1AD++Gv5I4IIzJFMryN6ED6XduWcTtk9Cnf0uY0z+VY8RFw9nOkECFc2b
-BA8L2LlruBOzMWbFy4kH7G/hrA==
------END CERTIFICATE-----
diff --git a/config/tls/dod-sw-ca-75.pem b/config/tls/dod-sw-ca-75.pem
new file mode 100644
index 00000000000..5122262dddc
--- /dev/null
+++ b/config/tls/dod-sw-ca-75.pem
@@ -0,0 +1,29 @@
+subject=C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-75
+issuer=C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
+-----BEGIN CERTIFICATE-----
+MIIEjzCCA3egAwIBAgICBw0wDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx
+GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQL
+EwNQS0kxFjAUBgNVBAMTDURvRCBSb290IENBIDMwHhcNMjIxMjA2MTcxMzQ5WhcN
+MjgxMjA2MTcxMzQ5WjBaMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zl
+cm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEVMBMGA1UEAxMMRE9E
+IFNXIENBLTc1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApnAPVJmc
+Tw1/cGRwEhvz4QrT3fo0fDuAsv0Q3zebDDAkR/E62jJgtKZ+bkrIJRRtcdGA5rKo
+/6VeAUj3/30zRTE2ND0it8Uy6/lfUpUmbn0GfBOExiOjAZ81nHvSwWxTpOlC5EaX
+jnd+AtjODlEDw/UwHsnsQUNj8/NJKJExMugQeyLn5jNPZvnof1rPLAk3SjvvwTxX
++kxWmyQyqQDNxIVKajLgBpETNemxFonDFjtwZj8O8Mew9VdS+3CTNZLzv9JjuYo8
+DI9DSapwHILyWQGQUE76DKoPy8Co9PS9cN6e2M5pWiTmtyx1XHXmpmSX7j3KUd3B
+9yXmMnHdend0YwIDAQABo4IBXDCCAVgwHwYDVR0jBBgwFoAUbIqUonexgHIdgXoW
+qvLczmbuRcAwHQYDVR0OBBYEFOhYrrNHrbtR3iANh/MV5Oo+vIs6MA4GA1UdDwEB
+/wQEAwIBhjA9BgNVHSAENjA0MAsGCWCGSAFlAgELJDALBglghkgBZQIBCycwCwYJ
+YIZIAWUCAQsqMAsGCWCGSAFlAgELOzASBgNVHRMBAf8ECDAGAQH/AgEAMAwGA1Ud
+JAQFMAOAAQAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5kaXNhLm1pbC9j
+cmwvRE9EUk9PVENBMy5jcmwwbAYIKwYBBQUHAQEEYDBeMDoGCCsGAQUFBzAChi5o
+dHRwOi8vY3JsLmRpc2EubWlsL2lzc3VlZHRvL0RPRFJPT1RDQTNfSVQucDdjMCAG
+CCsGAQUFBzABhhRodHRwOi8vb2NzcC5kaXNhLm1pbDANBgkqhkiG9w0BAQsFAAOC
+AQEAMgiAj14UkFscsZMJEeGsIW5t8MbNy9xbsvjCMpOqsAmcEHoloRuRNarPesoQ
+hykz0mHyaTmMUXsGjfN4oQ/gHLn+F1k3Z+OHxo+DnSPTzOTSUghKnKF5UUrPDq6J
+dIfLjWrPbLuPSKLxJlPqME1q962+ql+f5Mg5w9CeBi1ORJynkX/yz332sydCgQ3G
+kLz8YRyvZH5Jrdg6vDQr4qFMt2kmBUIWq7UDI/G1fmUI7Q7R7qsfnyHhqOdUNBNi
+is8yooe7hRBl0TaIiNCmItMFaTl7G38ZI8gL2prAGNHITpTjbaWrlC2CYCgtCoWo
+GmlNqlYB/qPgCvk50sSvxFL7dQ==
+-----END CERTIFICATE-----
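Review bot: Nothing in the commit record lets a reviewer verify the new CA certificate — no download source and no fingerprint to compare against the value DISA publishes — so a trust anchor is being added on the author's word alone; the commit message or config/tls/README.md should carry the source and the output of `openssl x509 -in config/tls/dod-sw-ca-75.pem -noout -subject -dates -fingerprint -sha256`. Decoding the validity field in the base64 suggests this certificate is valid from 2022-12-06 to 2028-12-06, while the removed dod-sw-ca-54.pem appears to have expired in November 2022; recording the expiry date in the README would give the next rotation a visible deadline rather than a surprise outage. The `subject=`/`issuer=` text above the BEGIN line matches the layout of the removed file, so the consumer presumably already tolerates it, but that is worth confirming rather than assuming.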