replace milmove api certs #13884

Merged
merged 2 commits into from
Oct 11, 2024
4 changes: 2 additions & 2 deletions .envrc
@@ -207,9 +207,9 @@ export DEVLOCAL_AUTH=true
export DOD_CA_PACKAGE="${MYMOVE_DIR}/config/tls/milmove-cert-bundle.p7b"

# MyMove client certificate
# All of our DoD-signed certs are currently signed by DOD SW CA-66
# All of our DoD-signed certs are currently signed by DOD SW CA-75
# This cannot be changed unless our certs are all resigned
MOVE_MIL_DOD_CA_CERT=$(cat "${MYMOVE_DIR}"/config/tls/dod-sw-ca-66.pem)
MOVE_MIL_DOD_CA_CERT=$(cat "${MYMOVE_DIR}"/config/tls/dod-sw-ca-75.pem)
require MOVE_MIL_DOD_TLS_CERT "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_cert'"
require MOVE_MIL_DOD_TLS_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_key'"
export MOVE_MIL_DOD_CA_CERT
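Review bot: the comment kept in this hunk ("This cannot be changed unless our certs are all resigned") means the CA-66 to CA-75 switch is only safe if the leaf certificate and key that the two require lines pull from chamber (app-devlocal move_mil_dod_tls_cert and move_mil_dod_tls_key) have already been rotated to a certificate issued by DOD SW CA-75; those secrets are outside this diff. Please state in the PR description that the chamber values were rotated (and for which environments), because a mismatch between the CA loaded into MOVE_MIL_DOD_CA_CERT and the issuer of the leaf certificate would only surface at runtime as a chain-validation failure. Also, the wording "All of our DoD-signed certs are currently signed by DOD SW CA-75" is now only true if no CA-66-issued certificate is still in use anywhere; if some are, say so in the comment rather than leaving a blanket claim.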
2 changes: 1 addition & 1 deletion Dockerfile
@@ -16,7 +16,7 @@ COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
COPY bin/milmove /bin/milmove

COPY config/tls/milmove-cert-bundle.p7b /config/tls/milmove-cert-bundle.p7b
COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-66.pem
COPY config/tls/dod-sw-ca-75.pem /config/tls/dod-sw-ca-75.pem

COPY swagger/* /swagger/
COPY build /build
2 changes: 1 addition & 1 deletion Dockerfile.local
@@ -27,7 +27,7 @@ COPY --from=builder --chown=root:root /home/circleci/project/bin/rds-ca-2019-roo
COPY --from=builder --chown=root:root /home/circleci/project/bin/milmove /bin/milmove

COPY config/tls/milmove-cert-bundle.p7b /config/tls/milmove-cert-bundle.p7b
COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-66.pem
COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-75.pem

# While it's ok to have these certs copied locally, they should never be copied into Dockerfile.
COPY config/tls/devlocal-ca.key /config/tls/devlocal-ca.key
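Review bot: the COPY source in this hunk is still `config/tls/dod-sw-ca-66.pem` while only the destination was renamed to `/config/tls/dod-sw-ca-75.pem`, so the local image will contain the CA-66 certificate under the CA-75 filename. The build will not catch this, because dod-sw-ca-66.pem is not deleted by this PR (the deleted file is dod-sw-ca-54.pem). Make it match the main Dockerfile: `COPY config/tls/dod-sw-ca-75.pem /config/tls/dod-sw-ca-75.pem`. A cheap post-build check is to copy the file out of a created container with `docker cp` and run `openssl x509 -in dod-sw-ca-75.pem -noout -subject`, which should print `CN=DOD SW CA-75`.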
2 changes: 1 addition & 1 deletion Dockerfile.reviewapp
@@ -56,7 +56,7 @@ COPY migrations/app/secure /migrate/secure
COPY migrations/app/migrations_manifest.txt /migrate/migrations_manifest.txt

COPY config/tls/milmove-cert-bundle.p7b /config/tls/milmove-cert-bundle.p7b
COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-66.pem
COPY config/tls/dod-sw-ca-66.pem /config/tls/dod-sw-ca-75.pem

# While it's ok to have these certs copied locally, they should never be copied into Dockerfile.
COPY config/tls/devlocal-ca.key /config/tls/devlocal-ca.key
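Review bot: same source/destination mismatch as in Dockerfile.local: the source is still `config/tls/dod-sw-ca-66.pem` but the destination is `/config/tls/dod-sw-ca-75.pem`, so review apps would validate against the wrong CA under the new filename. Change the source to `config/tls/dod-sw-ca-75.pem`. Since this is the third Dockerfile carrying the same COPY line, consider a single grep in CI (`grep -rn 'dod-sw-ca-' Dockerfile*`) as part of this change so the three stay in sync.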
2 changes: 1 addition & 1 deletion config/tls/README.md
@@ -19,7 +19,7 @@ A description of the certificates in this directory will helpful:
| `devlocal-faux-(air-force/all/army-hrc/coast-guard/marine-corps/navy)-orders.(cer/key)` | Certs signed by Devlocal CA for Orders API testing |
| `devlocal-https.(key/pem)` | a self-signed TLS cert/key pair |
| `devlocal-mtls.(cer/key)` | Certs signed by Devlocal CA for mTLS testing |
| `dod-sw-ca-66.pem` | DoD SW CA-66 package |
| `dod-sw-ca-75.pem` | DoD SW CA-75 package |
| `dod-wcf-intermediate-ca-1-.pem` | DoD WCF Intermediate CA 1 for allowing TLS connectivity to AWS services in the BCAP |
| `dod-wcf-root-ca-1-.pem` | DoD WCF Root CA 1 for allowing TLS connectivity to AWS services in the BCAP |
| `ECA_Root_CA_4.cer` | ECA Root CA4. Issuer of IdenTrust ECA Component S23 |
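Review bot: the table now has no row for `dod-sw-ca-66.pem`, but this PR deletes `config/tls/dod-sw-ca-54.pem`, not the CA-66 file, so the repository keeps a CA-66 PEM that the README no longer describes. Either remove dod-sw-ca-66.pem in the same change if nothing references it any more (after fixing the two Dockerfiles that still COPY it), or keep a row for it stating why it is retained. Minor: the added file is a single certificate (a subject/issuer header followed by one PEM block), so "DoD SW CA-75 certificate" would be more accurate than "package" in the new row.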
29 changes: 0 additions & 29 deletions config/tls/dod-sw-ca-54.pem

This file was deleted.

29 changes: 29 additions & 0 deletions config/tls/dod-sw-ca-75.pem
@@ -0,0 +1,29 @@
subject=C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD SW CA-75
issuer=C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
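Review bot: nothing in the diff lets a reviewer confirm that this PEM is the authentic DOD SW CA-75 certificate, so please record in the PR how it was obtained and its fingerprint (`openssl x509 -in config/tls/dod-sw-ca-75.pem -noout -fingerprint -sha256`) so it can be compared with the value published by DoD PKI. The header shows the issuer as DoD Root CA 3; if the app validates the DoD chain against `config/tls/milmove-cert-bundle.p7b`, which this PR leaves unchanged, check that the root is present in it (`openssl pkcs7 -in config/tls/milmove-cert-bundle.p7b -print_certs -noout`, adding `-inform DER` if the bundle is DER-encoded, and look for `CN=DoD Root CA 3`), otherwise chain building to the new intermediate will fail.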