OBLV Deploy establishes an end-to-end TLS connection between the client and the enclave. For this, the enclave generates a certificate during boot and shares it with the OBLV-CLI during the attestation request.
The certificate generated by the enclave is signed by the CA certificate provided in the manifest.
To generate a CA certificate we can use openssl. First, generate a 2048-bit RSA private key and save it in the current directory as ca.key:

```bash
openssl genrsa -out $(pwd)/ca.key 2048
```

Then create a self-signed CA certificate from that key, valid for 3650 days, with the basicConstraints extension marked critical and CA:TRUE (fill in the subject fields; the ssl/ output directory must already exist):

```bash
openssl req -x509 -new -nodes -key $(pwd)/ca.key \
  -sha256 \
  -days 3650 -out $(pwd)/ssl/ca.crt \
  -subj "/C=/ST=/L=/O=/OU=/CN=" \
  -addext basicConstraints=critical,CA:TRUE
```
The manifest then points the deployment at the uploaded certificate and the KMS-encrypted key:

```yaml
apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
...
spec:
  enclaveSpec:
    containers:
      ...
    plugins:
      ...
    caCertDetails:
      bucket: oblv-deploy
      caCertS3Key: "dev/certs/ca.crt"
      caEncryptedS3Key: "dev/certs/ca.key"
      awsRegion: <REGION>
      kmsKeyId: "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/xxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
      encryptionAlgorithm: "SYMMETRIC_DEFAULT"
```