
Comments (7)

haydentherapper commented on July 25, 2024 (1 reaction)

An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specify Certificate Sign and CRL Sign only.

from fulcio.

ChevronTango commented on July 25, 2024 (1 reaction)

My approach involved creating a simple CSR (can be anything) and using aws-kms-sign-csr to sign it. I then passed it to my root CA and asked it to sign the CSR using the SubordinateCACertificate_PathLen0_APIPassthrough/V1 template. I gave it an ExtendedKeyUsageType of CODE_SIGNING and filled in all the usual subjects and common names when I passed the CSR through to the CA for signing. I was able to pass this information through using the --api-passthrough option, hence the need for that particular template.

The KMS key in particular was RSA_4096 and I passed it through to Fulcio using awskms:///<kms_arn> along with a certificate bundle containing both the root CA public key and the KMS backed intermediate public key I signed above.

I did all of this in terraform, but was able to achieve a nice reliable and repeatable pattern once I'd figured out all the steps I needed.


ianhundere commented on July 25, 2024

@ChevronTango how are you going about signing the Private CA w/ KMS?

we've tried using the CA and cert created via kms-issuer, but keep getting the error "x509: certificate specifies an incompatible key usage", even though we're following the correct spec via the certificate resource:


haydentherapper commented on July 25, 2024

Can you specify your certificate chain?


ianhundere commented on July 25, 2024

> Can you specify your certificate chain?

Yes, we've tried using a local key (which was then imported to KMS) to sign a Private CA created via openssl and that worked, but using kms-issuer hasn't seemed to work so far. We've tried including the CA it's created as well as the certificate it creates.

Any other suggestions in regards to creating/signing a Private CA using KMS?


ianhundere commented on July 25, 2024

> An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specify Certificate Sign and CRL Sign only.

hmm, I think it's because the CA it creates doesn't have the correct usages selected. I don't think this is something you can change using kms-issuer:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication

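The following is an added example, not code from the fulcio project or from anyone in this thread. It reproduces the two chains discussed above in Go's crypto/x509 (the library Fulcio relies on): an intermediate with Certificate Sign + CRL Sign and no Extended Key Usage, and the kms-issuer-style intermediate shown in the openssl output (Digital Signature + Certificate Sign with TLS client/server EKUs). The chain check, VerifyIssuingChainForCodeSigning, is an assumed simplification of what a code-signing CA does with its issuing chain, not Fulcio's actual code; the names, serials and the self-signed test root are constructed for the example. Go treats a certificate with no EKU as valid for any purpose, so the first chain verifies for code signing, while the TLS-only intermediate fails with the "incompatible key usage" error quoted in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caTemplate builds a CA certificate template. keyUsage and eku are the
// two knobs this example turns to produce the good and the bad intermediate.
func caTemplate(cn string, serial int64, keyUsage x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              keyUsage,
		ExtKeyUsage:           eku,
	}
}

// issue generates a fresh P-256 key and signs tmpl with parent/parentKey
// (self-signed when parent is nil). Test helper for this example only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyIssuingChainForCodeSigning is an assumed, simplified version of the
// check a code-signing CA runs on its own chain: the intermediate must carry
// Certificate Sign and must chain to the root for the code-signing EKU.
// An intermediate that lists only TLS EKUs cannot carry a code-signing leaf.
func VerifyIssuingChainForCodeSigning(intermediate, root *x509.Certificate) error {
	if intermediate.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("intermediate lacks the Certificate Sign key usage")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := intermediate.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// BuildAndCheck creates a root (Certificate Sign + CRL Sign, no EKU) and an
// intermediate, then runs the chain check. withTLSEKU=true reproduces the
// intermediate from the openssl output in the thread: Digital Signature +
// Certificate Sign with TLS Web Client/Server Authentication EKUs.
func BuildAndCheck(withTLSEKU bool) error {
	root, rootKey, err := issue(caTemplate("example root", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil), nil, nil)
	if err != nil {
		return err
	}
	ku := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	var eku []x509.ExtKeyUsage
	if withTLSEKU {
		ku = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
		eku = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	intermediate, _, err := issue(caTemplate("example intermediate", 2, ku, eku), root, rootKey)
	if err != nil {
		return err
	}
	return VerifyIssuingChainForCodeSigning(intermediate, root)
}

// IsIncompatibleKeyUsage reports whether err is Go's
// "x509: certificate specifies an incompatible key usage" verification failure.
func IsIncompatibleKeyUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	fmt.Println("CertSign|CRLSign, no EKU:", BuildAndCheck(false))
	fmt.Println("TLS EKUs (as in the thread):", BuildAndCheck(true))
}
```

Running it prints a nil error for the first chain and the incompatible key usage error for the second. The fix on the issuing side is the one haydentherapper describes: issue the root and intermediate with Certificate Sign and CRL Sign only and no TLS EKUs, or, if the CA tooling insists on an EKU, give the intermediate the code-signing EKU rather than TLS ones.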

ianhundere commented on July 25, 2024

ah, I was able to get it working using step-ca. cheers 🍻
