
Certificate Management

Child Certificates

Once we have a CA certificate and its private key, either obtained from a registrar or self-generated, we can use it to generate a child certificate from inside the enclave. For this we need to create a KMS key whose key policy allows kms:Decrypt only to a caller that presents a valid enclave attestation document (the kms:RecipientAttestation:* condition keys, for example kms:RecipientAttestation:PCR0), so that nobody, including the key's administrators, can recover the CA private key outside the enclave. More on this here.

We can then use the key to encrypt the private key of the CA and upload the result to an S3 location. Note that aws kms encrypt accepts at most 4096 bytes of plaintext, which is enough for a PEM-encoded RSA or EC key, and that with --output text the command writes the ciphertext base64-encoded:

REGION=us-east-2
AWS_ACCOUNT_ID=123456789012
KMS_KEY_ID=arn:aws:kms:$REGION:$AWS_ACCOUNT_ID:key/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx

# fileb:// reads the key as raw bytes; the CLI requires the double slash
aws kms encrypt \
  --key-id "$KMS_KEY_ID" \
  --plaintext fileb:///path/to/ca.key \
  --query CiphertextBlob \
  --output text > /path/to/encrypted_ca.key

After encrypting the key, we upload the encrypted key and the CA certificate to an S3 bucket (only the encrypted key and the public certificate leave the machine; the plaintext ca.key should never be uploaded):

BUCKET_NAME=oblv-deploy

aws s3 cp /path/to/encrypted_ca.key "s3://$BUCKET_NAME/ca.key"
aws s3 cp /path/to/ca.crt "s3://$BUCKET_NAME/ca.crt"

Now we can reference this CA certificate in our manifest and deploy the enclave. The enclave pulls the certificate and the encrypted key from S3, decrypts the key with the KMS key provided (the decrypt call is made from inside the enclave, so it satisfies the attestation condition in the key policy), then generates a child certificate and signs it with the CA key. The bucket, object keys and KMS key ID in the manifest must match what was uploaded above.

apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
...
spec:
  enclaveSpec:
    containers:
      ...
    plugins:
      ...
    caCertDetails:
      bucket: oblv-deploy
      caCertS3Key: "ca.crt"
      caEncryptedS3Key: "ca.key"
      awsRegion: <REGION>
      kmsKeyId: "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/xxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
      encryptionAlgorithm: "SYMMETRIC_DEFAULT"
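The whole procedure above hinges on the KMS key policy: if any principal can call kms:Decrypt on the key without an attestation condition, the encrypted CA key in S3 is only as safe as that principal's credentials. The following is an added example (not code from the oblv project or its docs) that builds such a key policy in the shape AWS documents for Nitro Enclaves, where Decrypt is granted to the parent instance's role but gated on kms:RecipientAttestation:PCR0, and then audits an arbitrary key policy for Allow statements that grant Decrypt without an attestation condition. The account ID, role ARNs and PCR0 value are placeholders; the policy JSON can be passed to aws kms create-key --policy.

```python
import fnmatch
import json
import re

# PCR0 is a SHA-384 measurement of the enclave image: 48 bytes, 96 hex chars.
_PCR0_RE = re.compile(r"^[0-9a-fA-F]{96}$")
# Any condition key under this prefix (PCR0, PCR1, ..., ImageSha384) ties the
# grant to a KMS request that carries a valid Nitro attestation document.
_ATTESTATION_PREFIX = "kms:recipientattestation:"


def build_enclave_key_policy(account_id, admin_role_arn, instance_role_arn, pcr0):
    """Return a key policy where admins manage the key and Encrypt, and only a
    caller presenting an attestation with the given PCR0 can Decrypt.

    Placeholder ARNs and PCR0 are supplied by the caller; the admin statement
    deliberately omits kms:Decrypt so the CA key cannot be recovered outside
    the enclave, even by whoever operates the key.
    """
    if not _PCR0_RE.match(pcr0):
        raise ValueError("PCR0 must be 96 hex characters (SHA-384 digest)")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin_role_arn},
                "Action": [
                    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:TagResource",
                    "kms:UntagResource", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion", "kms:Encrypt",
                ],
                "Resource": "*",
            },
            {
                "Sid": "EnclaveDecryptOnly",
                "Effect": "Allow",
                # The enclave has no credentials of its own; the parent
                # instance's role signs the request via the vsock proxy.
                "Principal": {"AWS": instance_role_arn},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:RecipientAttestation:PCR0": pcr0,
                    }
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_decrypt(statement):
    """True if an Allow statement covers kms:Decrypt (IAM matching is
    case-insensitive and supports '*' wildcards; NotAction is inverted)."""
    if statement.get("Effect") != "Allow":
        return False
    if "NotAction" in statement:
        patterns = _as_list(statement["NotAction"])
        return not any(fnmatch.fnmatchcase("kms:decrypt", p.lower()) for p in patterns)
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase("kms:decrypt", p.lower()) for p in patterns)


def _has_attestation_condition(statement):
    for keys in statement.get("Condition", {}).values():
        if any(k.lower().startswith(_ATTESTATION_PREFIX) for k in keys):
            return True
    return False


def unrestricted_decrypt_sids(policy):
    """Sids (or positional names) of statements that let someone call
    kms:Decrypt without presenting an enclave attestation document."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if _allows_decrypt(statement) and not _has_attestation_condition(statement):
            findings.append(statement.get("Sid", f"statement[{index}]"))
    return findings


def policy_json(policy):
    """Serialise for `aws kms create-key --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed placeholder values, not a real account or measurement.
    policy = build_enclave_key_policy(
        "123456789012",
        "arn:aws:iam::123456789012:role/CaKeyAdmin",
        "arn:aws:iam::123456789012:role/EnclaveParentInstance",
        "ab" * 48,
    )
    print(policy_json(policy))
    print("unrestricted Decrypt statements:", unrestricted_decrypt_sids(policy))
```

Run the audit against the policy of the key you actually created (aws kms get-key-policy --key-id ... --policy-name default) before uploading the encrypted CA key: a statement such as the usual root-account "kms:*" grant will be reported, because it lets any IAM principal in the account with KMS permissions decrypt the CA key outside the enclave.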