Comments (7)
An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specify Certificate Sign and CRL Sign only.
My approach involved creating a simple CSR (can be anything) and using aws-kms-sign-csr to sign it. I then passed it to my root CA and asked it to sign the CSR using the SubordinateCACertificate_PathLen0_APIPassthrough/V1 template. I gave it an ExtendedKeyUsageType of CODE_SIGNING and filled in all the usual subjects and common names when I passed the CSR through to the CA for signing. I was able to pass this information through using the --api-passthrough option, hence the need for that particular template.
The KMS key in particular was RSA_4096 and I passed it through to Fulcio using awskms:///<kms_arn> along with a certificate bundle containing both the root CA public key and the KMS-backed intermediate public key I signed above.
I did all of this in Terraform, but was able to achieve a nice, reliable and repeatable pattern once I'd figured out all the steps I needed.
@ChevronTango how are you going about signing the Private CA w/ KMS?
We've tried using the CA and cert created via kms-issuer, but keep getting errors, x509: certificate specifies an incompatible key usage, even though we're following the correct spec via the certificate resource:
Can you specify your certificate chain?
Can you specify your certificate chain?
Yes, we've tried using a local key (which was then imported to KMS) to sign a Private CA created via openssl and that worked, but using kms-issuer hasn't seemed to work so far. We've tried including the CA it's created as well as the certificate it creates.
Any other suggestions in regards to creating/signing a Private CA using KMS?
An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specify Certificate Sign and CRL Sign only.
Hmm, I think it's because the CA it creates doesn't have the correct usages selected. I don't think this is something you can change using kms-issuer:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
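The two outcomes reported in this thread (a KMS-backed intermediate issued with ExtendedKeyUsageType CODE_SIGNING works; the kms-issuer CA carrying "TLS Web Client Authentication, TLS Web Server Authentication" fails with "certificate specifies an incompatible key usage") can be reproduced offline with Go's crypto/x509 verifier, the standard-library chain builder that Fulcio, a Go program, is written against. The program below is an added example, not code from the Fulcio project or from anyone in this thread. It builds a root, an intermediate with a caller-chosen Extended Key Usage, and a code-signing leaf, then asks the verifier for a chain valid for code signing. Every certificate on the path that carries an EKU extension must list code signing (or anyExtendedKeyUsage); a chain whose intermediate lists only serverAuth/clientAuth is rejected with exactly the error quoted above, while an intermediate with CODE_SIGNING, or with no EKU extension at all, passes. The KeyUsage bits (Certificate Sign, CRL Sign) are set on both CAs because a CA needs them, but they are not what this particular error keys on. All names, serials and the "signer@example.com" identity are constructed for the example; keys are ephemeral in-memory P-256 keys, so nothing here touches KMS or ACM PCA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Chain struct{ Root, Intermediate, Leaf *x509.Certificate } // constructed root -> intermediate -> leaf

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	return k
}

// template returns a minimal certificate template valid for one hour around now.
func template(serial int64, cn string, ca bool, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: usage,
	}
}

// issue signs tmpl with the parent's key and parses the result back, so the
// fields Go fills in on creation (SubjectKeyId, AuthorityKeyId) are present.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs a self-signed root, an intermediate whose Extended Key Usage is
// interEKU (nil leaves the extension out), and a code-signing leaf of the kind Fulcio issues.
func BuildChain(interEKU []x509.ExtKeyUsage) (*Chain, error) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey() // throwaway keys; a KMS key only changes who holds the private half
	rootTmpl := template(1, "Example Root CA", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	interTmpl := template(2, "Example Intermediate CA", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	interTmpl.MaxPathLen, interTmpl.MaxPathLenZero = 0, true // pathlen:0, like the ACM PCA PathLen0 template
	interTmpl.ExtKeyUsage = interEKU
	inter, err := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := template(3, "signer@example.com", false, x509.KeyUsageDigitalSignature) // hypothetical identity
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyCodeSigning asks Go's chain builder for a path from leaf to root that is valid
// for code signing. Every certificate on that path carrying an Extended Key Usage must
// list code signing (or anyExtendedKeyUsage); otherwise the result is IncompatibleUsage.
func VerifyCodeSigning(c *Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// IsIncompatibleUsage reports whether err is "x509: certificate specifies an incompatible key usage".
func IsIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	for name, eku := range map[string][]x509.ExtKeyUsage{
		"no EKU extension":          nil,
		"EKU CODE_SIGNING":          {x509.ExtKeyUsageCodeSigning},
		"EKU serverAuth+clientAuth": {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	} {
		c, err := BuildChain(eku)
		if err != nil {
			panic(err)
		}
		fmt.Printf("intermediate with %-25s -> %v\n", name, VerifyCodeSigning(c))
	}
}
```

Run with `go run .`; the serverAuth+clientAuth case prints the same error string the thread reports, the other two print `<nil>`. To check a real bundle instead of the constructed one, parse the PEM certificates into the same pools and verify a leaf issued by the intermediate with `KeyUsages` set to code signing; a chain that fails here will fail in Fulcio the same way.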
Ah, I was able to get it working using step-ca. Cheers 🍻