From 511a486598561aae6ef820c29063c284a3b75faa Mon Sep 17 00:00:00 2001 From: Dmitry Savintsev Date: Wed, 13 Sep 2023 17:23:16 +0200 Subject: [PATCH] expand README on Cloud KMS deployment Signed-off-by: Dmitry Savintsev --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 90af2d8b..bfcf4266 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,15 @@ go run cmd/fetch-tsa-certs/fetch_tsa_certs.go \ --gcp-ca-parent="projects//locations//caPools/" \ --output="chain.crt.pem" ``` +If you are not using GCP, there are many possible options but the steps for setting up the certificates could be similar to the following: +* create a KMS private key (for example, in the AWS KMS) +* use this private key to create a CSR +* assuming you have an external (for example, corporate etc.) Certificate Authority entity +that can sign the CSR, make it sign the generated CSR and produce a certificate. Make +sure that the leaf certificate - the one that will be used to sign timestamping requests - +has the Timestamping EKU (Extended Key Usage) set and it is marked as Critical. +* if necessary, combine the CA, intermediate and leaf certificates into the certificate chain file. Verify the certificate chain format with [VerifyCertChain](https://github.com/sigstore/timestamp-authority/blob/main/pkg/x509/x509.go#L35) to ensure it is compatible with +what the `timestamp_server` expects. Set `--timestamp-signer=kms`, provide the path to the chain with `--certificate-chain-path`, and the KMS key with `--kms-key-resource`. The key should be prefixed with either `gcpkms://`, `azurekms://`, `awskms://`, or `hashivault://`.
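Review bot: the new bullet list runs straight into the existing `Set --timestamp-signer=kms, ...` paragraph with no blank line between `what the `timestamp_server` expects.` and that context line, so Markdown will render the paragraph as a lazy continuation of the last bullet; add an empty line after the list. Two smaller points on the same hunk: the `VerifyCertChain` link points at `blob/main/pkg/x509/x509.go#L35`, a line number on a moving branch that will drift as soon as the file changes, so a commit-pinned permalink (or a link to the file without the `#L35` fragment) would be more durable; and "prefixed with either `gcpkms://`, `azurekms://`, `awskms://`, or `hashivault://`" reads oddly with four options, "one of" fits better. The substantive guidance (leaf certificate needs the Timestamping EKU, marked critical, per RFC 3161) is correct and worth keeping as written.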