sigstore / scaffolding

Stuff to make standing up sigstore (esp. for testing) easier for e2e/integration testing.
Apache License 2.0

light tool to create/sign (via kms) fulcio/tsa certs (ca, leaf etc) #1334

Closed ianhundere closed 1 week ago

ianhundere commented 3 weeks ago

Description

cross posting this from https://github.com/sigstore/helm-charts/issues/863 as i'm thinking something like this would best live here.

haydentherapper commented 3 weeks ago

Hey Ian, I like this idea! Would this make sense as a utility in the fulcio or timestamp-authority repositories? I want to make sure the generated certificates are conformant with the Fulcio/RFC3161 standards respectively, and if you're planning to leverage libraries from these repositories already, then maybe it'd be easiest to have them maintained under their respective repos.

ianhundere commented 3 weeks ago

hey Hayden, that definitely makes more sense.

i wasn't planning on leveraging libraries from those respective repos, but it looks like there's some overlap.

i'm currently using the following packages/config templates to create/sign certs for fulcio and tsa:

**packages**

```
"context"
"fmt"
"math/big"
"time"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"os"
"go.step.sm/crypto/kms/apiv1"
"go.step.sm/crypto/kms/awskms"
"go.step.sm/crypto/kms/cloudkms"
"go.step.sm/crypto/kms/azurekms"
"go.step.sm/crypto/x509util"
```

**fulcio intermediate/leaf cert template**

```
{
  "subject": { "commonName": "https://blah.com" },
  "issuer": { "commonName": "https://blah.com" },
  "keyUsage": [ "certSign", "crlSign" ],
  "extKeyUsage": [ "CodeSigning" ],
  "basicConstraints": { "isCA": true, "maxPathLen": 0 }
}
```

**tsa intermediate/leaf cert template**

```
{
  "subject": { "commonName": "https://blah.com" },
  "issuer": { "commonName": "https://blah.com" },
  "keyUsage": [ "certSign", "crlSign" ],
  "basicConstraints": { "isCA": false, "maxPathLen": 0 },
  "extensions": [
    { "id": "2.5.29.37", "critical": true, "value": "asn1Seq (asn1Enc oid:1.3.6.1.5.5.7.3.8) | toJson" }
  ]
}
```

maybe have a utility with the expected cert standards (e.g. fulcio/rfc3161) and each lives in its respective repo?

lemme know, and i can open an issue for each respective repository and pivot there for discussing further.

btw, thanks for the quick response / feedback!
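The two templates from the comment above, rebuilt with Go's standard crypto/x509 as an added example that is neither the author's tool nor sigstore code and omits the step KMS plumbing (keys are generated in memory): a throwaway self-signed root issues a Fulcio-style intermediate (CA, pathLen 0, codeSigning EKU) and an RFC 3161-style TSA leaf, whose critical timestamping EKU, the `asn1Seq (...)` value in the template, has to go through `ExtraExtensions` because the `ExtKeyUsage` field is always written non-critical. Subject names and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
var oidEKU = asn1.ObjectIdentifier{2, 5, 29, 37}                       // id-ce-extKeyUsage
var oidTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8} // id-kp-timeStamping
func must(err error) { // throwaway test scaffolding, not a production issuer: any error is fatal
	if err != nil {
		panic(err)
	}
}
// sign mints a fresh P-256 key for tmpl and has signer issue it (nil signer = self-signed).
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
// BuildTestChain returns a throwaway root, a Fulcio-style intermediate and an RFC 3161-style TSA leaf.
func BuildTestChain() (root, fulcio, tsa *x509.Certificate) {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	r := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-root"}, NotBefore: nb,
		NotAfter: na, BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root, rootKey := sign(r, r, nil)
	// Fulcio intermediate: CA with pathLen 0, certSign|crlSign, EKU codeSigning (criticality not required).
	fulcio, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "test-fulcio"},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, IsCA: true, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, root, rootKey)
	// TSA leaf: RFC 3161 s2.3 needs exactly one EKU, id-kp-timeStamping, marked critical; the ExtKeyUsage field is always emitted non-critical, so hand-encode it.
	ekuDER, err := asn1.Marshal([]asn1.ObjectIdentifier{oidTimeStamping})
	must(err)
	tsa, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "test-tsa"},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidEKU, Critical: true, Value: ekuDER}}}, root, rootKey)
	return root, fulcio, tsa
}
```

Feeding the three certs through `Verify` with the intended EKU is the quickest conformance check: the leaf must chain for timestamping and must fail for code signing.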

ianhundere commented 2 weeks ago

@haydentherapper / @bobcallaway

should i create a PR in each respective repo:

or should we have it just live in the fulcio repo w/ the expectation that someone can grab it there if needed for tsa ?

haydentherapper commented 1 week ago

In each repo is good with me, I'll review the PRs.

ianhundere commented 1 week ago

sounds good / i'll open issues there and should have PRs up by the end of the week.

ianhundere commented 1 week ago

closing in favor of: