Architecture #19492


Architecture #18784: Reuse agent certificates for HTTPS communication

Add policy server certificate information to policies

Added by Alexis Mousset almost 3 years ago. Updated over 2 years ago.

Status: Released
Priority: N/A
Category: Web - Config management
Target version:
Effort required:
Name check: To do
Fix check: To do
Regression:

Description

We need:

  • The root and parent policy server's certificate in .pem format, in the inputs/certs folder:
    • root.pem
    • policy-server.pem (which can be a symbolic link to root.pem if it's not a different relay)
  • A hash of the policy server public key in rudder.json on all nodes, named POLICY_SERVER_KEY_HASH. This format is the one used in HPKP:

    # base64(sha256(x509pubkey.der))
    openssl x509 -in my-certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

    It should look like sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=

  • change the format for SUB_NODES_KEYHASH from nodeInfo.sha256KeyHash to that one (i.e. we need to add the base64 encoding, and change the sha256: to sha256//)

This hash should also be displayed in the node details.

(note to dev: check that the base64 algo is really the one used by openssl)
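The following is an added worked example, not code from the ticket or from the Rudder project. It computes the POLICY_SERVER_KEY_HASH value described above from a certificate in .pem format using only the Python standard library: it walks the X.509 DER structure far enough to pull out the SubjectPublicKeyInfo TLV (the same bytes `openssl x509 -pubkey | openssl pkey -pubin -outform der` emits), hashes it with SHA-256 and base64-encodes the digest with the `sha256//` prefix. It also checks the shape of a value read back from rudder.json, and re-encodes a legacy `sha256:<hex>` value, on the assumption (mine, not the ticket's) that the old SUB_NODES_KEYHASH carries the same SHA-256 digest as hex; if the old digest was computed over different bytes, recompute from the certificate rather than converting. The sample certificate is constructed in the block, is unsigned and is not a real certificate; function names are mine.

```python
"""POLICY_SERVER_KEY_HASH = "sha256//" + base64(sha256(SubjectPublicKeyInfo DER)).

Pure stdlib. The X.509 walk below is a minimal DER parser that only locates
subjectPublicKeyInfo; it is not a certificate validator.
"""
import base64
import hashlib
import re
import ssl

PIN_RE = re.compile(r"^sha256//[A-Za-z0-9+/]{43}=$")  # 32-byte digest -> 44 base64 chars


def pem_to_der(pem: str) -> bytes:
    """Strip the CERTIFICATE armour and base64-decode the body (tolerates indentation)."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos:] -> (tag, value, end). Single-byte tags only,
    which covers every tag X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _children(seq_value: bytes):
    """Split the content of a SEQUENCE into its elements, each kept as a full TLV."""
    out, pos = [], 0
    while pos < len(seq_value):
        _, _, end = _read_tlv(seq_value, pos)
        out.append(seq_value[pos:end])
        pos = end
    return out


def spki_der_from_cert_der(cert_der: bytes) -> bytes:
    """Return the subjectPublicKeyInfo TLV of a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    spki = fields[5]
    if spki[0] != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def pin_from_spki(spki_der: bytes) -> str:
    """Standard base64 with '=' padding, the same alphabet and padding as
    `openssl enc -base64`; the 44-char digest fits inside openssl's 64-char line wrap."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def policy_server_key_hash(cert_pem: str) -> str:
    """The POLICY_SERVER_KEY_HASH value for a certificate in .pem format."""
    return pin_from_spki(spki_der_from_cert_der(pem_to_der(cert_pem)))


def is_valid_pin(value: str) -> bool:
    """Shape check for a value read from rudder.json / nodeslist.json."""
    return PIN_RE.match(value) is not None


def legacy_to_pin(legacy: str) -> str:
    """Re-encode a legacy "sha256:<hex>" value (assumption: same SHA-256 digest, as hex)."""
    if not legacy.startswith("sha256:"):
        raise ValueError("unexpected legacy prefix")
    digest = bytes.fromhex(legacy[len("sha256:"):])
    if len(digest) != 32:
        raise ValueError("not a SHA-256 digest")
    return "sha256//" + base64.b64encode(digest).decode("ascii")


# --- constructed sample input: an unsigned, made-up certificate, not a real one ---
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


_RSA_OID = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1
_SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
# SPKI with a placeholder key bit string long enough to exercise long-form lengths
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_OID + b"\x05\x00")
                   + _der(0x03, b"\x00" + bytes(range(1, 129))))
_TBS = _der(0x30,
            _der(0xA0, _der(0x02, b"\x02"))                       # [0] version v3
            + _der(0x02, b"\x01")                                 # serialNumber
            + _der(0x30, _SHA256_RSA_OID)                         # signature algorithm
            + _der(0x30, b"")                                     # issuer (empty Name)
            + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
            + _der(0x30, b"")                                     # subject (empty Name)
            + SAMPLE_SPKI)
SAMPLE_CERT_PEM = ssl.DER_cert_to_PEM_cert(
    _der(0x30, _TBS + _der(0x30, _SHA256_RSA_OID) + _der(0x03, b"\x00" + b"\xab" * 32)))

if __name__ == "__main__":
    pin = policy_server_key_hash(SAMPLE_CERT_PEM)
    print(pin, is_valid_pin(pin))
```

On the dev note about the base64 algorithm: `openssl enc -base64` emits RFC 4648 standard base64 with `=` padding (wrapped at 64 characters), so a 32-byte digest always comes out as one 44-character line ending in a single `=`, which is exactly what `base64.b64encode` produces and what the regex above accepts. To check the script against the pipeline in the ticket, run both on the same `policy-server.pem` and compare the two strings.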


Subtasks 4 (0 open, 4 closed)

Architecture #19525: Read base64 hash in nodeslist.conf (Released, Benoît PECCATTE)
Architecture #19529: Add root.pem and policy-server.pem in node inputs (Released, Vincent MEMBRÉ)
Bug #19557: Compilation error: Path.of does not exist with Java 8 (Released, François ARMAND)
Bug #19587: Still a Path.of in TestRestFromFileDef.scala (Released, Raphael GAUTHIER)

Related issues 2 (2 open, 0 closed)

Related to Rudder - Architecture #19527: Rename POLICY_SERVER_KEY and POLICY_SERVER_KEY_HASH (New)
Related to Rudder - Architecture #19524: Homogeneize nodeslist.json with rudder.json (New)
