


Architecture #19492

Updated by François ARMAND about 3 years ago

We need: 

 * The root and parent policy server's certificate in .pem format, in the @inputs/certs@ folder: 

   * @root.pem@ 
   * @policy-server.pem@ (which can be a symbolic link to root.pem if it's not a different relay) 

 * A hash of the policy server public key in @rudder.json@ on all nodes, named @POLICY_SERVER_KEY_HASH@. This format is the one used in HPKP:

 # base64(sha256(x509pubkey.der)) 
 openssl x509 -in my-certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 

 It should look like @sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=@ 

 * Change the format for @SUB_NODES_KEYHASH@ from @nodeInfo.sha256KeyHash@ to that one (i.e. we need to add the base64 encoding, and change the @sha256:@ to @sha256//@) 

 This hash should also be displayed in the node details. 

 (note to dev: check that the base64 algo is really the one used by openssl)
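The format change and the base64 check described above, as an added example (not Rudder code). It assumes the existing @nodeInfo.sha256KeyHash@ value is @sha256:@ followed by the hex SHA-256 digest of the same DER-encoded public key; if it hashes different bytes, the pin must be recomputed from the key instead of converted. The function names are hypothetical.

```python
import base64
import hashlib

PREFIX = "sha256//"

def pin_from_spki_der(spki_der: bytes) -> str:
    """Return 'sha256//' + base64(sha256(DER-encoded public key))."""
    digest = hashlib.sha256(spki_der).digest()
    # b64encode uses the standard RFC 4648 alphabet ('+', '/', '=' padding),
    # which is what `openssl enc -base64` emits; the URL-safe variant differs.
    return PREFIX + base64.b64encode(digest).decode("ascii")

def convert_legacy(value: str) -> str:
    """Convert 'sha256:<hex digest>' (assumed legacy form) to the new form."""
    scheme, sep, hex_digest = value.partition(":")
    if scheme != "sha256" or not sep:
        raise ValueError("expected 'sha256:<hex digest>'")
    digest = bytes.fromhex(hex_digest)  # raises ValueError on non-hex input
    if len(digest) != 32:
        raise ValueError("a SHA-256 digest is 32 bytes")
    return PREFIX + base64.b64encode(digest).decode("ascii")

def is_valid_pin(value: str) -> bool:
    """Accept only 'sha256//' followed by strict base64 of 32 bytes."""
    if not value.startswith(PREFIX):
        return False
    try:
        # validate=True rejects '-' and '_' (URL-safe alphabet) and bad padding.
        raw = base64.b64decode(value[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) == 32

if __name__ == "__main__":
    # Constructed stand-in for the DER output of `openssl pkey -pubin -outform der`.
    sample_der = bytes(range(64))
    legacy = "sha256:" + hashlib.sha256(sample_der).hexdigest()
    assert convert_legacy(legacy) == pin_from_spki_der(sample_der)
    print(legacy, "->", convert_legacy(legacy))
```

A SHA-256 digest always encodes to 44 base64 characters ending in a single @=@, so a value of any other length after the prefix was not produced by the openssl pipeline above.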
