-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS KMS documentation Unclear #1178
Comments
@ChevronTango how are you going about signing the Private CA w/ KMS? we've tried using the ca and cert created via kms-issuer , but keep getting errors, |
Can you specify your certificate chain? |
Yes, we've tried using a local key (which was then imported to KMS) to sign a Private CA created via openssl and that worked, but using kms-issuer hasn't seemed to work so far. We've tried including the CA it's created as well as the certificate it creates. Any other suggestions in regards to creating/signing a Private CA using KMS? |
An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specifies |
hmm, i think it's because the CA it creates doesn't have the correct usages select. don't think this is something you can change using kms-issuer:
|
ah, i was able to get it working using step-ca. cheers 🍻 |
My approach involved creating a simple CSR (can be anything) and using aws-kms-sign-csr to sign it. I then passed it to my root CSA and asked it to sign the CSR using the The KMS key in particular was RSA_4096 and I passed it through to Fulcio using I did all of this in terraform, but was able to achieve a nice reliable and repeatable pattern once I'd figured out all the steps I needed. |
Description
When trying to use AWS KMS to sign my certs in fulcsio using
awskms://[endpoint]/[arn]
it took me ages to realize that the endpoint was optional, but the trailing/
was not. It's not clear from the guidance that the correct prefix when not specifying the endpoint isawskms:///
. The documentation does show examples of this, but I spent longer than I care to admit not noticing 3 slashes and assuming it was meant to be just 2.There's also a lack of guidance around exactly what IAM role permissions you need in order to call AWS KMS from fulcio. I ended up reading through https://github.com/sigstore/sigstore/blob/main/pkg/signature/kms/aws/client.go to find the full list of commands that needed to be called.
The last point that is unclear is exactly how to go about setting up the certificate chain needed by fulcio to validate KMS. I'm using a Private CA to achieve this with some success, but its taken a very long time to figure out.
The text was updated successfully, but these errors were encountered: