
Refreshing certificates

SBB PostgreSQL uses mutual TLS (mTLS): one certificate chain covers both the server certificate and the client certificates.

The chain is generated with Chainsmith; this procedure describes how to (re)generate it.

Dependencies

Work Instructions

1. Check the database request form and update Chainsmith configuration (if needed)

Adjust the Chainsmith configuration for the environment:

ansible/config/chainsmith_[ENV].yml

If configuration changes are needed, commit them on a feature branch and open a merge request:

ENV=poc
git checkout -b "feature/chainsmith_${ENV}.yml" dev
git add "config/chainsmith_${ENV}.yml"
git commit -m "New chainsmith config ${ENV}"
git push
# Use `glab`, or follow the merge-request link printed by `git push`.
glab mr create

Ensure correct certificate extensions

JDBC requires the following extensions on both the client and the server certificate:

  • keyUsages:
    • keyEncipherment
    • dataEncipherment
    • digitalSignature
  • extendedKeyUsages:
    • serverAuth
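The following POSIX shell script is an example added to this page; it is not Chainsmith's code and not part of the SBB procedure. It builds a throwaway CA with one server and one client leaf using plain openssl, signs the leaves with exactly the extensions listed above, and then checks a PEM certificate for those bits the same way you would check the certificates Chainsmith produced before rolling them out. The file names (ca.crt, server.crt, client.crt, leaf.ext) and the output-directory argument are assumptions made for the example.

```sh
#!/bin/sh
# Added example for this page, not Chainsmith's own code: build a throwaway
# CA with one server and one client leaf using plain openssl, sign the leaves
# with the extensions listed above, and check a PEM certificate for those bits.
# File names (ca.crt, server.crt, client.crt, leaf.ext) and the output
# directory argument are assumptions made for this example.

# Extensions the leaves get, exactly as listed in the section above.
LEAF_EXT='keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth'

# make_chain DIR : write ca.crt plus server.crt and client.crt signed by it.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' "$LEAF_EXT" > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    for leaf in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$leaf" \
            -keyout "$dir/$leaf.key" -out "$dir/$leaf.csr" >/dev/null 2>&1 || return 1
        # -extfile is what actually puts keyUsage/extendedKeyUsage on the leaf;
        # a CSR's own extension request is not copied by default.
        openssl x509 -req -days 1 -in "$dir/$leaf.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
            -out "$dir/$leaf.crt" >/dev/null 2>&1 || return 1
    done
}

# verify_chain DIR : both leaves must chain to ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null 2>&1
}

# ext_value CERT NAME : print the value line of the "X509v3 NAME" extension
# from `openssl x509 -text`, or nothing if the extension is absent.
ext_value() {
    openssl x509 -in "$1" -noout -text | awk -v name="X509v3 $2:" \
        'index($0, name) { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# check_cert CERT : return 0 when every required bit is present, 1 otherwise,
# naming each missing bit on stdout.
check_cert() {
    ku=$(ext_value "$1" 'Key Usage')
    eku=$(ext_value "$1" 'Extended Key Usage')
    rc=0
    for want in 'Digital Signature' 'Key Encipherment' 'Data Encipherment'; do
        case "$ku" in
            *"$want"*) ;;
            *) echo "$1: missing keyUsage bit: $want"; rc=1 ;;
        esac
    done
    case "$eku" in
        *'TLS Web Server Authentication'*) ;;
        *) echo "$1: missing extendedKeyUsage: serverAuth"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_chain.sh /path/to/outdir
if [ "$#" -eq 1 ]; then
    make_chain "$1" && verify_chain "$1" &&
        check_cert "$1/server.crt" && check_cert "$1/client.crt" &&
        echo "chain in $1 is OK"
fi
```

Run `check_cert` against each certificate Chainsmith wrote (and `openssl verify -CAfile` against the CA it wrote) before the rollout; a missing bit is reported by name. The check only tests for the bits listed on this page; if your deployment also requires `clientAuth` on the client certificate, add it to `extendedKeyUsage` in the extension file and extend the `case` on `$eku` accordingly.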

2. Generate the new certificates

Once the certificate rollout is complete, PostgreSQL and the application will run using the refreshed certificates.