This repository was archived by the owner on Apr 6, 2026. It is now read-only.

AMCERTS-148 - Replace PKI with Openbao#142

Merged: drasko merged 22 commits into absmach:main from nyagamunene:unify_smq_certs on Sep 4, 2025

@nyagamunene nyagamunene commented Aug 22, 2025


What type of PR is this?

What does this do?

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Did you document any new/modified features?

Notes

@nyagamunene nyagamunene marked this pull request as ready for review August 27, 2025 11:52
@arvindh123 arvindh123 changed the title NOISSUE - Replace PKI with Openbao AMCERTS-148 - Replace PKI with Openbao Aug 27, 2025
@SammyOina SammyOina requested a review from WashingtonKK August 28, 2025 10:24

@WashingtonKK WashingtonKK left a comment


Please rebase

@dborovcanin


@nyagamunene Please rebase.

@dborovcanin


@nyagamunene Please rebase.

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

@WashingtonKK WashingtonKK left a comment


Image

OCSP fails
So does renew certs

Comment thread sdk/sdk.go Outdated
Comment thread docker/docker-compose.yml Outdated
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

@WashingtonKK WashingtonKK left a comment


  • Fix tests
  • Update mocks

Comment thread api/http/transport.go
return json.NewEncoder(w).Encode(response)
}

func encodeOSCPResponse(_ context.Context, w http.ResponseWriter, response interface{}) error {


where was this moved?

Comment thread api/http/transport.go
defType = 1
)

type responseASN1 struct {


Revert this change @nyagamunene

Comment thread api/http/transport.go
r.Post("/ocsp", otelhttp.NewHandler(kithttp.NewServer(
ocspEndpoint(svc),
decodeOCSPRequest,
encodeOSCPResponse,
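
Review bot: the encoder registered on this route is spelled `encodeOSCPResponse` while the decoder on the line above is `decodeOCSPRequest`; the transposed "OSCP" looks like a typo, so consider renaming it to `encodeOCSPResponse` so both OCSP handlers can be found under one spelling.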


Revert

Comment thread api/logging.go
return lm.svc.ViewCert(ctx, serialNumber)
}

func (lm *loggingMiddleware) OCSP(ctx context.Context, serialNumber string) (cert *certs.Certificate, ocspStatus int, rootCACert *x509.Certificate, err error) {


Revert

Contributor Author

> Revert

This might be hard since openbao doesn't have an OCSP endpoint and from the rootCA we can't get the crypto.Signer to create the ocsp
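
The crypto.Signer point in the reply above, as an added Go example that is not code from this PR or from OpenBao: a parsed CA certificate carries only the public key, so it can verify a signed response but cannot produce one. The CA is constructed in-process with an Ed25519 key, and `newCA`, `canSign` and `signAndVerify` are hypothetical helper names.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// newCA builds a constructed self-signed CA; a remote PKI backend would keep this key server-side.
func newCA() (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		BasicConstraintsValid: true, Subject: pkix.Name{CommonName: "constructed example root CA"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// canSign reports whether v satisfies crypto.Signer.
func canSign(v interface{}) bool { _, ok := v.(crypto.Signer); return ok }

// signAndVerify signs msg with signer and checks it against the CA certificate's key (Ed25519 only).
func signAndVerify(signer crypto.Signer, ca *x509.Certificate, msg []byte) (bool, error) {
	sig, err := signer.Sign(rand.Reader, msg, crypto.Hash(0))
	if err != nil {
		return false, err
	}
	pub, ok := ca.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig), nil
}

func main() {
	key, ca, err := newCA()
	if err != nil {
		panic(err)
	}
	ok, err := signAndVerify(key, ca, []byte("constructed response bytes"))
	fmt.Println(canSign(ca.PublicKey), canSign(key), ok, err)
}
```
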

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
@dborovcanin


@nyagamunene CI is failing.

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
SammyOina previously approved these changes Sep 4, 2025
WashingtonKK previously approved these changes Sep 4, 2025
@WashingtonKK


Please fix tests @nyagamunene

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
@nyagamunene nyagamunene dismissed stale reviews from WashingtonKK and SammyOina via f4c1bd9 September 4, 2025 13:20
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
@drasko drasko merged commit 1c8dc66 into absmach:main Sep 4, 2025
3 checks passed

Development

Successfully merging this pull request may close these issues.

Feature: Replace PKI with Openbao

6 participants