Closed felddy closed 3 years ago
Note that cisagov/ansible-role-dhs-certificates will also need to be updated because of this change. This role may be the thing we want to submit to GSA's open call.
I created cisagov/ansible-role-dhs-certificates#5 to track this requirement.
Note: The FPKI site was reorganized and busted all the original links in the description. I've updated them to the new locations.
@felddy - We are now in June 2021 and we should prioritize this work before everything breaks.
Too late.
It looks like our code did-the-right-thang™ and pulled in the new CAs. Good job past us.
💡 Summary
The Federal Common Policy CA is being changed. See:
Motivation and context
Once the current CA is decommissioned, PIV authentication will fail.
Side note: GSA has an open call for distribution solutions that we might want to reply to:
Implementation notes
We will need to verify that the new CA is published in the same "well-known" locations:
https://github.com/cisagov/ansible-role-openvpn/blob/5503a4ab691a0d46393102718da1b42840ff0960/files/fetch_user_ca_certs.sh#L12-L16
I expect that it will not and we should look here: http://repo.fpki.gov/fcpca/fcpcag2.crt
As documented here: https://playbooks.idmanagement.gov/fpki/common/obtain-and-verify/
Acceptance criteria
How do we know when this work is done?
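Added example, not part of the original issue or of the cisagov role's code: the candidate location above is served over plain HTTP, so a fetch script can pin the downloaded root by SHA-256 before it goes into a trust store. The function names are hypothetical, and the expected fingerprint is assumed to come from an out-of-band source such as the obtain-and-verify page linked above.

```bash
#!/usr/bin/env bash
# Added example: pin a downloaded root CA by SHA-256 before trusting it.
# Function names are hypothetical; the pin must be obtained out of band.

# Print the lowercase hex SHA-256 of the certificate's DER encoding.
# Accepts raw DER (as served from a .crt URL) or a single PEM certificate.
cert_sha256() {
  local file=$1
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
    # PEM: drop the armor lines and decode the base64 body back to DER.
    grep -v -- '-----' "$file" | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
  else
    sha256sum < "$file" | cut -d' ' -f1
  fi
}

# Accept pins written as "AB:CD:..." or "abcd...": strip separators, lowercase.
normalize_pin() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 if the pin or file is unusable.
verify_ca_pin() {
  local file=$1 want got
  want=$(normalize_pin "$2")
  # Refuse anything that is not a full 64-hex-digit SHA-256 value, so a
  # truncated or empty pin can never be treated as a match.
  case $want in
    *[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;;
  esac
  [ "${#want}" -eq 64 ] || { echo "pin must be 64 hex digits" >&2; return 2; }
  [ -s "$file" ] || { echo "certificate file missing or empty" >&2; return 2; }
  got=$(cert_sha256 "$file") || return 2
  if [ "$got" = "$want" ]; then return 0; fi
  echo "fingerprint mismatch: got $got" >&2
  return 1
}

# Usage (network step left commented so the block runs offline;
# PIN_FROM_FPKI_PLAYBOOK is a placeholder, not a real value):
#   curl -fsS -o fcpcag2.crt http://repo.fpki.gov/fcpca/fcpcag2.crt
#   verify_ca_pin fcpcag2.crt "$PIN_FROM_FPKI_PLAYBOOK" || exit 1

# When run as a script: <script> <cert-file> <expected-sha256>
if [ "$#" -eq 2 ]; then verify_ca_pin "$1" "$2"; fi
```

A non-zero return should stop the fetch script before the file is copied into the OpenVPN CA directory, so a changed or tampered root fails loudly instead of silently replacing the trusted one.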