...
Boulder's test environment contains four separate PKIs:
* WFE (simulating the public WebPKI)
* gRPC (simulating an internal PKI)
* Redis (simulating another internal PKI)
* Issuance

In live deployment, the issuance PKI is a member of the global WebPKI, but we
simulate them as separate PKIs here.

The PKI used by WFE is under `test/wfe-tls/`, with `test/wfe-tls/minica.pem`
serving as the root. There are no intermediates. Setting
`test/wfe-tls/minica.pem` as a trusted root is sufficient to connect to the WFE
over HTTPS. Currently there is only one end-entity certificate in this PKI, and
that's all we expect to need. To validate HTTPS connections to a test-mode WFE
in Python, set the environment variable `REQUESTS_CA_BUNDLE`. For Node, set
`NODE_EXTRA_CA_CERTS`. These variables should be set to
`/path/to/boulder/test/wfe-tls/minica.pem` (but only in testing environments!).
Note that in the Python case, `REQUESTS_CA_BUNDLE` replaces the default trust
store rather than extending it, so setting it may break HTTPS connections to
non-WFE destinations. If this causes problems for you, you may need to create a
combined bundle containing `test/wfe-tls/minica.pem` in addition to the other
relevant root certificates.

The gRPC PKI is under `test/grpc-creds/`. Each Boulder component has two
hostnames, each resolving to a different IP address in our test environment,
plus a third hostname that resolves to both IP addresses. Certificates for these
components contain all three hostnames and both test IP addresses, and are
stored under `test/grpc-creds/SERVICE.boulder`.

To issue new certificates in the WFE or gRPC PKI, install
https://github.com/jsha/minica, cd to the directory containing `minica.pem` for
the PKI you want to issue in, and run `minica -domains YOUR_NEW_DOMAINs`. If
you're updating the gRPC PKI, please make sure to update
`grpc-creds/generate.sh`.

The issuance PKI consists of RSA and ECDSA roots, several intermediates and
cross-signed intermediates, and CRLs. These certificates and their keys are
generated using the `ceremony` tool during integration testing. The private keys
are stored in SoftHSM in the boulder repository root `.softhsm-tokens/` folder,
and the public keys and certificates are written out to the boulder repository
root in the `.hierarchy/` folder.

To regenerate the issuance PKI files, run the following commands:

    # both paths are directories, so -r is required for rm to remove them
    sudo rm -rf .hierarchy/ .softhsm-tokens/
    docker compose run -it boulder go run test/cert-ceremonies/generate.go

Certificate `test-example.pem`, together with `test-example.key`, is a
self-signed cert used in integration tests and was generated using:

    openssl req -x509 -newkey rsa:4096 -keyout test-example.key -out test-example.pem -days 36500 -nodes -subj "/CN=www.example.com"