Signed-off-by: Mike <mike.sul@foundries.io>
```
$ cat <new-ca.pem> >> /tmp/cas.pem
$ fioctl keys ca update /tmp/cas.pem
```
`contrib/mk-tls-keypair.sh`. The `<pki-dir>` parameter is your factory's PKI directory that was generated
It looks simpler from the end-user perspective and it worked well for me.
Also, I am not sure that advising to run create_ca is correct in this context, since it should have been run by the fioctl keys ca create command and the factory_ca.* files already exist in the PKI directory at this point.
We may suggest running create_device_ca to create another device CA in addition to the existing local-ca and online. However, it's not necessary.
It was a typo. I meant create_device_ca.
I got stuck for a moment on "dns-name". It would be good to add here as well that:
The 'dns-name' parameter is the valid DNS name where the EST server will run. The name has to match the one used by fioconfig.
```
curl -X POST --cert client.pem --key pkey.pem --cacert root.crt https://msul-ota:8443/.well-known/est/simplereenroll
Invalid content-type: . Must be application/pkcs10The CSR could not be decoded: asn1: syntax error: sequence truncated
```
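Review bot: the curl example here sends no request body and no content type, which is exactly what the quoted error reports (`Invalid content-type: . Must be application/pkcs10` followed by the CSR decode failure), so as written it will always fail. Either state in the surrounding text that this error is the expected result of a bare TLS client-certificate connectivity check, or make it a real re-enrollment by sending a PKCS#10 CSR as the body with `Content-Type: application/pkcs10`.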
It would be great to provide a step-by-step guide on device certificate rotation using command-line utilities against the server.
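As an added example (not part of this PR or of the fioctl project), a small stdlib-only Python helper for the rotation step quoted in this review: it merges the output of `fioctl keys ca show --just-device-cas` with the new device CA PEM, rejecting non-certificate blocks and duplicate CAs before the result is handed to `fioctl keys ca update`. The `fioctl` command names come from the page; the certificates used to exercise it are constructed stand-ins, not real CAs.

```python
from __future__ import annotations

import base64
import hashlib
import re

# One PEM block; the label is captured so that anything other than a
# CERTIFICATE (e.g. a pasted PRIVATE KEY) is rejected from the CA list.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_certs(bundle: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    ders = []
    for label, body in PEM_BLOCK.findall(bundle):
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block in CA bundle: {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def merge_device_cas(current: str, new_ca: str) -> tuple[str, list[str]]:
    """Merge the current device CA list (the `fioctl keys ca show
    --just-device-cas` output) with a new CA file, skipping duplicates.
    Returns (merged_pem, fingerprints_added); the merged text is what would
    be passed to `fioctl keys ca update`."""
    seen: dict[str, bytes] = {}
    for der in parse_pem_certs(current):
        seen.setdefault(fingerprint(der), der)
    added = []
    for der in parse_pem_certs(new_ca):
        fp = fingerprint(der)
        if fp not in seen:
            seen[fp] = der
            added.append(fp)
    return "".join(to_pem(d) for d in seen.values()), added
```

Run it over the exported bundle and the new CA file, write the returned text to /tmp/cas.pem, and only then run `fioctl keys ca update`; an empty `added` list means the CA was already present and no upload is needed.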
```
$ fioctl keys ca show --just-device-cas > /tmp/cas.pem
$ cat <new-ca.pem> >> /tmp/cas.pem
$ fioctl keys ca update /tmp/cas.pem
```
I think my ca_create typo confused you here. It should have been create_device_ca, and these steps are very important to run afterwards. Pointing to the docs won't make that totally obvious for this specific thing.
It works for me without creating an additional CA. Why not use the existing one that is created by fioctl keys ca create (local-ca)?
I guess that's a fair point. I was trying to push the person to create and not share CAs. But maybe that's better for the detailed docs.fio work we'll do.
Agreed: as simple as possible here, and the tough way, but secure/right, in the foc.f.io.