Ability to use Private Certificate Authority (CA) on Cloud Platform

[tariqhossain]

Background

• We are the DCES (Debt collection enforcement service) team. Our primary job is to send and receive data from MAAT Application (system which issues a decision about legal aid) and a 3rd party debt collection agency, who will collect debt from people who have been granted legal aid and who have to pay contribution amounts towards that legal aid
• We are building an API in order to send and receive that data between us and the 3rd party
• due to the sensitive nature of the payloads that will be sent we have opted to use mTLS to secure the transport of the payload
• our service is on Cloud Platform
• so we need the ability to use a Certificate Authority (CA) which can sign the CSR from our application as well as that of our 3rd party
• currently Cloud Platform does not have its ow Private CA but Dave Elliot has informed us that Mod Platform does have a Private CA
• He suggested one option could be to use the functionality from Mod Platforms CA but use it within Cloud Platform. He mentioned an approach called RAM - Resource Access Manager

Proposed user journey

• Our application would generate its own application key and CSR

• The CA would sign it and send an application certificate

• CA would send the the CA certificate to our application for us to store in their trust store

• The 3rd party application would generate its own application key and CSR

• The CA would sign it and send an application certificate back to them

• CA would send the the CA certificate to 3rd party for them to store in their trust store

• our application/3rd party application can use mTLS to send/receive data

• we are expecting the CA to manage rotation and renewal of certificates

Approach

• Dave Elliot did mention the CA on Mod Platform as one option
• unsure of what other options there are

Which part of the user docs does this impact

???

Communicate changes

???

• [ ] post for #cloud-platform-update
• [ ] Weeknotes item
• [ ] Show the Thing/P&A All Hands/User CoP
• [ ] Announcements channel

Questions / Assumptions

???

Definition of done

???

• [ ] readme has been updated
• [ ] user docs have been updated
• [ ] another team member has reviewed
• [ ] smoke tests are green
• [ ] prepare demo for the team

Reference

How to write good user stories

[davidkelliott]

From the team: We do have a working solution, but it was complex with a lot of moving parts. Having a private AWS CA would have simplified things and will do so for things like renewals and revocations. So its not something that is time critical now, but it would be useful going forward and useful for other teams on the cloud platform should they have a need to provide mTLS certs. (edited)

This is something we would potentially get as standard if we move CP accounts to MP.