
Adds notes on renewing the wildcard

Fred Damstra [afs macbook] 3 years ago
parent
commit
ac4b5931c0
2 files changed with 87 additions and 5 deletions
1. CA Notes.md (+84, -0)
2. OpenSSL Notes.md (+3, -5)

CA Notes.md (+84, -0)

@@ -109,3 +109,87 @@ Reason can be one of:
 | 69:fe:ae:64:d6:5c:b7:9c:72:28:b5:cc:d7:43:a2:0a | Expires 2022-08-20T19:34:44+0000 | Salt Pillar: xdr_govcloud_wildcard_2021 | DNS:*.xdr.accenturefederalcyber.com, DNS:*.xdrtest.accenturefederalcyber.com, DNS:*.pvt.xdr.accenturefederalcyber.com, DNS:*.pvt.xdrtest.accenturefederalcyber.com | Notes |
 | e7:5b:b2:ba:5e:49:2f:8c:46:f3:53:20:ee:22:24:80 | Expires 2022-08-17T23:03:15+0000 |                                         |
 
+# Wildcard Cert Replacement Process
+
+The maximum expiration for SSL certificates is now 1 year.
+
+Every 6 months, we need to replace the wildcard certificate on our systems. To do so:
+0. Future todo: Revisit these steps to make it so nobody ever has to see the key nor store it locally.
+1. Edit `msoc-infrastructure/salt/pillar/mdr_wildcard_cert.sls`
+2. Under `xdr_wildcard`, rename `certificate` to `certificate_replaced_<date>`, and optionally remove any previous certificate backups.
+3. Save a copy of the private key to `wildcard.key` by either (be sure to remove any indentation):
+  a. Using gnupg to decrypt it, if it was encrypted with your key.
+  b. Use `salt \* pillar.get certs:xdr_wildcard:private_key`. 
+4. Generate a new CSR:
+```
+openssl req -new -key wildcard.key -nodes -out wildcard.csr \
+  -subj '/C=US/ST=Virginia/L=Fairfax/O=Accenture Federal Services/OU=Extended Detection and Response/CN=*.xdr.accenturefederalcyber.com/' \
+  -extensions san -config <( \
+  echo '[req]'; \
+  echo 'distinguished_name=req'; \
+  echo '[san]'; \
+  echo 'subjectAltName=DNS:*.xdr.accenturefederalcyber.com,DNS:*.xdrtest.accenturefederalcyber.com,DNS:*.pvt.xdr.accenturefederalcyber.com,DNS:*.pvt.xdrtest.accenturefederalcyber.com' \
+  echo '[ext]'; \
+  echo 'basicConstraints=CA:TRUE,pathlen:0')
+```
+5. Validate the request with: `openssl req -in wildcard.csr -noout -text -verify`
+6. Generate the policy for SANs
+```
+cat <<EOF > tmp.policy
+{
+  "Extensions": {
+    "SubjectAlternativeNames": [
+      { "DnsName": "xdr.accenturefederalcyber.com" },
+      { "DnsName": "xdrtest.accenturefederalcyber.com" },
+      { "DnsName": "*.xdr.accenturefederalcyber.com" },
+      { "DnsName": "*.xdrtest.accenturefederalcyber.com" },
+      { "DnsName": "*.pvt.xdr.accenturefederalcyber.com" },
+      { "DnsName": "*.pvt.xdrtest.accenturefederalcyber.com" }
+    ]
+  }
+}
+EOF
+```
+7. Sign the certificate and save the output
+```
+aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
+  --api-passthrough file://./tmp.policy \
+  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
+  --csr fileb://./wildcard.csr \
+  --signing-algorithm SHA512WITHECDSA \
+  --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \
+  --validity Value=365,Type=DAYS \
+  --output=json \
+  | jq -r .CertificateArn > wildcard.arn
+```
+arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9/certificate/8ae39f3463e5e3cdc1156a5f22d25ba3
+8. Retrieve the certificate:
+```
+aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
+    --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
+    --certificate-arn $(cat wildcard.arn) \
+    --output text | sed 's/\t/\n/' > wildcard.crt
+```
+9.  Validate the certificate
+```
+openssl x509 -in wildcard.crt -noout -text
+```
+10. Update the certificate in `msoc-infrastructure/salt/pillar/mdr_wildcard_cert.sls` and do a PR. Validate that the chain has not changed.
+11. On the salt master, refresh pillars:
+```
+salt \* saltutil.pillar_refresh certs
+```
+12. In test, apply the following salt states:
+```
+salt \*-alsi-\* state.sls alsi --output-diff test=true
+salt mailrelay\* state.sls mailrelay --output-diff test=true
+salt phantom\* state.sls phantom --output-diff test=true
+salt rhsso\* state.sls rhsso --output-diff test=true
+salt fm-shared-search\* state.sls splunk.certificate_update --output-diff test=true
+salt \*splunk-\* state.sls splunk.certificate_update --output-diff test=true
+salt teleport\* state.sls teleport.config --output-diff test=true
+salt threatq\* state.sls threatquotient --output-diff test=true
+```
+13. PR to main, and repeat steps 11 and 12 in prod.
+14. Create a ticket to repeat in 6 months.
+15. Clean up: `rm -v wildcard*`. Ensure that the key is deleted.
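Review bot: the process-substituted OpenSSL config in step 4 is missing the `; \` separator after the `echo 'subjectAltName=...'` line, so the shell runs `echo 'subjectAltName=...' echo '[ext]'` as a single command: the SAN line gets ` echo [ext]` appended and the following `basicConstraints=CA:TRUE,pathlen:0` line ends up inside the `[san]` section instead of an `[ext]` section. Since `-extensions san` never references `[ext]`, and a wildcard end-entity certificate should not request `CA:TRUE` in the first place, drop the last two echo lines (or at minimum add the missing `; \`), then re-run the step 5 `-verify` check and confirm the SAN list in the `-text` output matches the policy in step 6. Two smaller points in the same hunk: the bare ARN line after the step 7 fence reads as an instruction rather than sample output, so prefix it with `Example output:` or put it inside the fence; and step 3 reuses the saved `wildcard.key` for every renewal (the CSR in step 4 is generated from it), so the key is never rotated and step 3b prints it to the terminal from every minion via `salt \* pillar.get ...`. Generating a fresh key at renewal time would both rotate it and make the goal in step 0 (nobody has to see or store the key) reachable; until then, target a single minion rather than `\*`, and note that `rm -v` in step 15 deletes but does not securely erase the key file.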

OpenSSL Notes.md (+3, -5)

@@ -51,10 +51,10 @@ EOF
 aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
   --api-passthrough file://./tmp.policy \
   --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
-  --csr file://./wildcard.csr \
+  --csr fileb://./wildcard.csr \
   --signing-algorithm SHA512WITHECDSA \
   --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \
-  --validity Value=820,Type=DAYS
+  --validity Value=365,Type=DAYS
 ```
 
 Retrieve the certificate:
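Review bot: after this change the two notes files carry diverging copies of the same `issue-certificate` command: this one still leaves the ARN to be hand-copied into `OUTPUTFROMPREVIOUS` in the next step, while the CA Notes.md version added in the same commit captures it with `--output=json | jq -r .CertificateArn > wildcard.arn`. Either bring the same capture here or replace this section with a pointer to the Wildcard Cert Replacement Process so the two copies do not drift again. The `fileb://` fix for `--csr` (the parameter is a binary blob) and the change from 820 to 365 days are consistent with the new 1-year note in CA Notes.md.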
@@ -62,9 +62,7 @@ Retrieve the certificate:
 aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
     --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/05b83e94-f625-43e4-a9f2-c3d8f04410f9 \
     --certificate-arn OUTPUTFROMPREVIOUS \
-    --output text > tmp.crt
-# Fix the newline issue. I bet you spot it
-vim tmp.crt
+    --output text | sed 's/\t/\n/' > tmp.crt
 # Validate the certificate
 openssl x509 -in tmp.crt -noout -text
 ```
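Review bot: `sed 's/\t/\n/'` depends on GNU sed treating `\t` and `\n` as escape sequences; BSD sed as shipped on macOS (the author's machine per the commit metadata) does not interpret them the same way, so on that platform the two tab-separated fields are not split and the original newline problem reappears in a different form. A portable fix is to let the CLI select the field instead of post-processing: `--query Certificate --output text > tmp.crt` for the leaf and `--query CertificateChain --output text > chain.crt` for the chain. Also note that with the current pipeline tmp.crt holds the leaf followed by the chain, and `openssl x509 -in tmp.crt -noout -text` parses only the first certificate, so that step does not validate the chain.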