docs/diagrams/README.md
+9-4
@@ -57,6 +57,7 @@ The [deployment diagram](./deployment.svg) provides a directional flow diagram t
57
57
### Certificates diagram
58
58
59
59
Certificates are used to secure the components that make up our API.
60
+
When trying to troubleshoot any issues, it is important to remember that we use **two** types of certificates in our authentication model, which realistically might have different expiration dates, and therefore would require distinct renewal processes.
60
61
61
62
There are two levels of authentication:
62
63
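Review bot: the added sentence says we use "**two** types of certificates" but never names them, and the next line introduces "two levels of authentication", so a reader cannot tell whether these are the same split. Suggest naming them inline, e.g. "the consumer client certificates we issue from our own CA (Mutual TLS) and the client certificate API Gateway generates for itself (Client Certificate Authentication)", and tightening "which realistically might have different expiration dates" to "which have independent expiration dates". Since the point is troubleshooting expiry, a pointer to how each expiry is checked would make the sentence actionable rather than a reminder.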
@@ -68,13 +69,17 @@ There are two levels of authentication:
68
69
- We store our CA certificate (truststore.pem) in an S3 bucket in order for API Gateway to verify the identity of a consumer application.
69
70
- We store our private key in a Kubernetes secret (api-gateway-certificate-authority) so that we can generate client certificates.
70
71
2. For the consumer application, we create a client certificate (client.pem), which includes their public key. We also create their private key (client.key).
71
-
3. We send both the client certificate (client.pem) and the private key (client.key) to the consumer application to be used for mutual TLS.
72
+
3. We send both the client certificate (client.pem) and the private key (client.key) to the consumer application to be used for mutual TLS.
73
+
4. To inspect the certificate, retrieve and decode the public key, using this command to get it: `kubectl get secret mutual-tls-auth -n hmpps-integration-api-$environment -o json | jq -r '.data."truststore-public-key"' | base64 --decode`. Then decode the SSL certificate.
72
74
73
75
**Client Certificate Authentication:**
74
76
1. We use Terraform to get API Gateway to create a client certificate (apigw_client.pem), which includes their public key.
75
-
- Behind the scenes, API Gateway also creates a private key (apigw_client.key) which we do not have access to.
76
-
2. We store the client certificate (apigw_client.pem) in a Kubernetes secret.
77
-
77
+
- The resource we use to instruct API Gateway to generate a client certificate is "aws_api_gateway_client_certificate".
78
+
- The public key is included in the certificate, while the private key (apigw_client.key) is managed internally by API Gateway and is not exposed.
79
+
2. The generated client certificate (apigw_client.pem) is retrieved and stored in a Kubernetes secret.
80
+
- The Terraform resource which stores the certificate is "kubernetes_secret".
81
+
- "kubernetes_secret" takes the PEM-encoded certificate from the API Gateway resource and stores it under a specified key (e.g., ca.crt) within the secret.
82
+
3. To inspect the certificate, retrieve and decode the public key, using this command to get it: `kubectl get secret client-certificate-auth -n hmpps-integration-api-$environment -o json | jq -r '.data."ca.crt"' | base64 --decode`. Then decode the SSL certificate.
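Review bot: both new "To inspect the certificate" steps (Mutual TLS step 4 and Client Certificate Authentication step 3) end with "Then decode the SSL certificate" without saying how, which is the part a troubleshooter needs. Suggest completing each pipeline with `| openssl x509 -noout -subject -dates` so the expiry the earlier hunk warns about is printed directly. Two wording points in the same lines: the secret values are PEM-encoded certificates, not "the public key", so "retrieve and decode the certificate" is more accurate; and `$environment` is used unexplained, so state its expected values or replace it with a concrete namespace. Finally, step 4 reads the CA certificate from secret `mutual-tls-auth` (key `truststore-public-key`), while the unchanged line above says "We store our CA certificate (truststore.pem) in an S3 bucket"; please state that the secret mirrors what is uploaded to S3 (or which one API Gateway actually trusts), otherwise an inspection of the secret may not reflect the truststore in use. Relatedly, storing API Gateway's own client certificate under the key `ca.crt` is misleading, since it is not a CA certificate; if the key name cannot change, a short note in the text would prevent confusion.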