expand README on Cloud KMS deployment #476

Merged
Sep 19, 2023
9 changes: 9 additions & 0 deletions README.md
Expand Up @@ -138,6 +138,15 @@ go run cmd/fetch-tsa-certs/fetch_tsa_certs.go \
--gcp-ca-parent="projects/<project>/locations/<region>/caPools/<ca-pool>" \
--output="chain.crt.pem"
```
If you are not using GCP, there are many possible options but the steps for setting up the certificates could be similar to the following:
* create a KMS private key (for example, in the AWS KMS)
* use this private key to create a CSR
* assuming you have an external (for example, corporate etc.) Certificate Authority entity
that can sign the CSR, make it sign the generated CSR and produce a certificate. Make
sure that the leaf certificate - the one that will be used to sign timestamping requests -
has the Timestamping EKU (Extended Key Usage) set and it is marked as Critical.
* if necessary, combine the CA, intermediate and leaf certificates into the certificate chain file. Verify the certificate chain format with [VerifyCertChain](https://github.com/sigstore/timestamp-authority/blob/main/pkg/x509/x509.go#L35) to ensure it is compatible with
what the `timestamp_server` expects.

Set `--timestamp-signer=kms`, provide the path to the chain with `--certificate-chain-path`,
and the KMS key with `--kms-key-resource`. The key should be prefixed with either `gcpkms://`, `azurekms://`, `awskms://`, or `hashivault://`.
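Review bot: the EKU requirement in the new bullet list is under-specified. RFC 3161 section 2.3 requires the TSA signing certificate to carry id-kp-timeStamping as its only extended key usage, with the extension marked critical, so "has the Timestamping EKU (Extended Key Usage) set and it is marked as Critical" should say that Timestamping must be the sole EKU on the leaf; a corporate CA that also adds serverAuth or clientAuth to the same certificate will produce a chain that RFC 3161-conformant verifiers reject even though it was issued "correctly". Minor: the VerifyCertChain link points at `blob/main/pkg/x509/x509.go#L35`, so the line anchor will drift as the file changes; a permalink to a commit SHA keeps it stable.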