Generate a 2048-bit RSA private key and save it in the current directory as
ca.keyopenssl genrsa -out $(pwd)/ca.key 2048
Certificate Management
Self-Signed Certificates
OBLV Deploy establishes an end-to-end TLS between the client and the enclave. For this, the enclave during boot generates a certificate, which it shares with the OBLV-CLI during the attestation request.
The certificate generated by the enclave is signed by the CA certificate provided in the manifest.
To generate a CA certificate we can use openssl
1
2
Generate a self-signed X.509 certificate with a basic constraint CA:true, marking it as a Certificate Authority.
openssl req -x509 -new -nodes -key $(pwd)/ca.key \
-sha256 \
-days 3650 -out $(pwd)/ssl/ca.crt \
-subj "/C=/ST=/L=/O=/OU=/CN=" \
-addext basicConstraints=critical,CA:TRUE
3
Encrypt the private key of the generated certificate using KMS key and put it in a secure s3 location. Place the public certificate in the s3 bucket as well (more on this here).
4
We can then reference this bucket in our manifest.
apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
...
spec:
enclaveSpec:
containers:
...
plugins:
...
caCertDetails:
bucket: oblv-deploy
caCertS3Key: "dev/certs/ca.crt"
caEncryptedS3Key: "dev/certs/ca.key"
awsRegion: <REGION>
kmsKeyId: "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/xxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
encryptionAlgorithm: "SYMMETRIC_DEFAULT"