Certificate Management

Self-Signed Certificates

OBLV Deploy establishes an end-to-end TLS connection between the client and the enclave. To do this, the enclave generates a certificate during boot and shares it with the OBLV-CLI as part of the attestation request.

The certificate generated by the enclave is signed by the CA certificate provided in the manifest.

To generate a CA certificate we can use openssl:

  1. Generate a 2048-bit RSA private key and save it in the current directory as ca.key.

     openssl genrsa -out $(pwd)/ca.key 2048

  2. Generate a self-signed X.509 certificate with the basic constraint CA:TRUE, marking it as a Certificate Authority. The certificate is written next to the key as ca.crt; fill in the empty subject fields with your organisation's values (openssl skips empty fields and would otherwise produce a certificate with an empty subject).

     openssl req -x509 -new -nodes -key $(pwd)/ca.key \
       -sha256 \
       -days 3650 -out $(pwd)/ca.crt \
       -subj "/C=/ST=/L=/O=/OU=/CN=" \
       -addext basicConstraints=critical,CA:TRUE

  3. Encrypt the private key of the generated certificate with a KMS key and put it in a secure S3 location. Place the public certificate in the same S3 bucket as well (more on this here).

  4. We can then reference this bucket in our manifest.

apiVersion: k8s.oblv.com/v1alpha1
kind: NitroEnclaveDeployment
...
spec:
  enclaveSpec:
    containers:
    ...
    plugins:
    ...
    caCertDetails:
      bucket: oblv-deploy
      caCertS3Key: "dev/certs/ca.crt"
      caEncryptedS3Key: "dev/certs/ca.key"
      awsRegion: <REGION>
      kmsKeyId: "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/xxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
      encryptionAlgorithm: "SYMMETRIC_DEFAULT"