Federal Common Policy CA Update before June 2021

[felddy]

💡 Summary

The Federal Common Policy CA is being changed. See:

• https://playbooks.idmanagement.gov/fpki/common/
• https://github.com/GSA/fpki-guides/issues/841

Motivation and context

Once the current CA is decommissioned PIV authentication will fail.

Side note: GSA has an open call for distribution solutions that we might want to reply to:

We're calling for all solutions! If you'd like to share your agency's playbook on how to distribute a trusted root CA certificate to an operating system trust store, create an issue on GitHub or email us at fpkirootupdate@gsa.gov.

Implementation notes

We will need to verify that the new CA is published in the same "well-known" locations:

https://github.com/cisagov/ansible-role-openvpn/blob/5503a4ab691a0d46393102718da1b42840ff0960/files/fetch_user_ca_certs.sh#L12-L16

I expect that it will not and we should look here: http://repo.fpki.gov/fcpca/fcpcag2.crt

As documented here: https://playbooks.idmanagement.gov/fpki/common/obtain-and-verify/

Acceptance criteria

How do we know when this work is done?

• [ ] PIV authentication to OpenVPN continues to work after roots and intermediates are revoked in June 2021.

[jsf9k]

Note that cisagov/ansible-role-dhs-certificates will also need to be updated because of this change. This role may be the thing we want to submit to GSA's open call.

I created cisagov/ansible-role-dhs-certificates#5 to track this requirement.

[felddy]

Note: The FPKI site was reorganized and busted all the original links in the description. I've updated them to the new locations.

[dav3r]

@felddy - We are now in June 2021 and we should prioritize this work before everything breaks.

[felddy]

Too late.

[felddy]

It looks like our code did-the-right-thang™ and pulled in the new CAs. Good job past us.

https://www.youtube.com/watch?v=ir5bTic17k4