Architecture #19492
Updated by Alexis Mousset almost 3 years ago
We need:
* The root and parent policy server's certificate in .pem format, in the @inputs/certs@ folder:
* @root.pem@
* @policy-server.pem@ (which can be a symbolic link to root.pem if it's not a different relay)
* A hash of the policy server public key in @rudder.json@ on all nodes, named @POLICY_SERVER_KEY_HASH@. This format is the one used in "HPKP":https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning#extracting_the_base64_encoded_public_key_information :
<pre>
# base64(sha256(x509pubkey.der))
openssl x509 -in my-certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
</pre>
It should looks like @sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=@
This hash should also be displayed in the node details.
(note to dev: check that the base64 algo is really the one used by openssl)