From 3ba83373f3396b4fd706c3e0dd828b3945d1cd7d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 5 Apr 2024 13:03:34 -0500
Subject: [PATCH] step-ca: Re-deploy (again) with DCH CA R2

Although most libraries support ED25519 signatures for X.509
certificates, Firefox does not.  This means that any certificate signed
by DCH CA R3 cannot be verified by the browser and thus will always
present a certificate error.

I want to migrate internal services that do not need certificates
that are trusted by default (i.e. they are only accessed programatically
or only I use them in the browser) back to using an internal CA instead
of the public *pyrocufflink.net* wildcard certificate.  For applications
like Frigate and UniFi Network, these need to be signed by a CA that
the browser will trust, so the ED25519 certificate is inappropriate.
Thus, I've decided to migrate back to DCH CA R2, which uses an EdDSA
signature, and can therefore be trusted by Firefox, etc.
---
 dch-root-ca/dch-root-ca.crt | 19 ++++++++++---------
 step-ca/README.md           | 11 ++++++-----
 step-ca/intermediate_ca.crt | 24 +++++++++++-------------
 step-ca/root_ca.crt         | 19 ++++++++++---------
 step-ca/secrets.yaml        |  4 ++--
 5 files changed, 39 insertions(+), 38 deletions(-)

diff --git a/dch-root-ca/dch-root-ca.crt b/dch-root-ca/dch-root-ca.crt
index e0235a5..6705c7a 100644
--- a/dch-root-ca/dch-root-ca.crt
+++ b/dch-root-ca/dch-root-ca.crt
@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
-BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
-SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
-MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
-RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
-T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
-A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
-0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
-DaY+6wQ=
+MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
+WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
+VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
+NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
+Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
+oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
+ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
+irIa697nfe4KiXIMwHlAMS1+1QZohFDC
 -----END CERTIFICATE-----
diff --git a/step-ca/README.md b/step-ca/README.md
index 9bd7c56..2b16b13 100644
--- a/step-ca/README.md
+++ b/step-ca/README.md
@@ -10,18 +10,19 @@ OpenID Connect, mTLS, and more.
 
 ## Offline Root CA
 
-The *DCH Root CA R3* private key is managed externally from Step CA.  It is
+The *DCH Root CA R2* private key is managed externally from Step CA.  It is
 stored offline (on a flash drive in a fireproof safe).  Only the CA certificate
 is used by the online CA service, where it is provided to clients to include in
 as a trust anchor in their respective certificate stores.
 
-*DCH Root CA R3* replaces *DCH Root CA R2*, which never ended up being used,
-and *DCH Root CA R1*, which has not been used for some time.
+*DCH Root CA R2* replaces *DCH Root CA R1*, which has not been used for some
+time.  *DCH Root CA R3* also exists, but it is based on an ED25519 signature,
+which is not supported by Firefox.
 
 
 ## Online Intermediate CA
 
-Step CA manages the *DCH CA R3* intermediate certificate authority.  The
+Step CA manages the *DCH CA R2* intermediate certificate authority.  The
 private key for this CA is stored in the `intermediate_ca.key` file, encrypted
 with the password in `password`.  This key pair is needed by the online CA to
 sign end-entity certificates.
@@ -29,7 +30,7 @@ sign end-entity certificates.
 
 ### ACME Provisioner
 
-Hosts can obtain certificates signed by *DCH CA R3* using the ACME protocol.
+Hosts can obtain certificates signed by *DCH CA R2* using the ACME protocol.
 The CA will only sign certificates for names that map to addresses controlled
 by the requesting client.  For most machines, that means they can only get a
 certificate for their hostname.  Other names can be added using DNS CNAME
diff --git a/step-ca/intermediate_ca.crt b/step-ca/intermediate_ca.crt
index 2d9815e..cd43652 100644
--- a/step-ca/intermediate_ca.crt
+++ b/step-ca/intermediate_ca.crt
@@ -1,15 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIICTzCCAgGgAwIBAgIUDNTFsSYYl8xsEcg9kTatxvOSkmUwBQYDK2VwMEAxCzAJ
-BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
-SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjk0M1oXDTI1MDIxNzIwMjk0M1owOzEL
-MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDESMBAGA1UEAwwJ
-RENIIENBIFIzMCowBQYDK2VwAyEA50stJ8iW6/f+uECPxAJwpSfQDRQg4/AgKJY2
-lpd3uNijggEQMIIBDDAdBgNVHQ4EFgQUtiqtFaZZ/c4IfWXV5SjJIOPbmoowHwYD
-VR0jBBgwFoAUtmjEAcG9apstYyBr8MACUb2J2jkwEgYDVR0TAQH/BAgwBgEB/wIB
-ADALBgNVHQ8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEwG
-CCsGAQUFBwEBBEAwPjA8BggrBgEFBQcwAoYwaHR0cHM6Ly9kdXN0aW4uaGF0Y2gu
-bmFtZS9kY2gtY2EvZGNoLXJvb3QtY2EuY3J0MDwGA1UdHwQ1MDMwMaAvoC2GK2h0
-dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1jYS5jcmwwBQYDK2Vw
-A0EAACaKAJAKejpFXQV+mgPdDXaylvakc4rCEs1pFhPXbbMMGflNOeiiy+c+aMwt
-yfObaZ8/YiXxCSjL6/KzRSSjAQ==
+MIICCTCCAa+gAwIBAgIUZx82NjARN6f1jWUlq/mvaF7oscEwCgYIKoZIzj0EAwIw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMxMDE2MDU0MTA4WhcNMjYxMDE2MDU0MTA4
+WjAUMRIwEAYDVQQDEwlkY2gtY2EgUjIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AAQ1rK98igj6Y5lbeP8HS1zqQCtkcmz8uk1jp4VgznWT3Q8BanjA55UHQi/xx4xz
+BYu4QIkJhtqcR5a7YXSr7fQvo4GyMIGvMB0GA1UdDgQWBBQGy1GZZxrCjGDiIGdR
+YhTMZZqhkTAfBgNVHSMEGDAWgBTM+d8kb1koGmKRtJs4gN9zYa+6oTASBgNVHRMB
+Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBhjBMBggrBgEFBQcBAQRAMD4wPAYIKwYB
+BQUHMAKGMGh0dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1yb290
+LWNhLmNydDAKBggqhkjOPQQDAgNIADBFAiEAovkqUlWkbRXsoHrDv1AfHdox9gS2
+Fdq9wKfDk7H/aPoCIDs4CJBhdPh/a+HZZRQWxBTT3KbbdXAaiT+g/VyD+0qt
 -----END CERTIFICATE-----
diff --git a/step-ca/root_ca.crt b/step-ca/root_ca.crt
index e0235a5..6705c7a 100644
--- a/step-ca/root_ca.crt
+++ b/step-ca/root_ca.crt
@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
-BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
-SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
-MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
-RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
-T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
-A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
-0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
-DaY+6wQ=
+MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
+WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
+VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
+NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
+Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
+oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
+ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
+irIa697nfe4KiXIMwHlAMS1+1QZohFDC
 -----END CERTIFICATE-----
diff --git a/step-ca/secrets.yaml b/step-ca/secrets.yaml
index 31e9626..92dab1f 100644
--- a/step-ca/secrets.yaml
+++ b/step-ca/secrets.yaml
@@ -10,8 +10,8 @@ metadata:
     app.kubernetes.io/part-of: step-ca
 spec:
   encryptedData:
-    intermediate_ca.key: AgA4MOOCi8WvBSqyGw6T1wrK7zGgC7kvHYNpgZpZlBq3ZcW4l2d/huT7SbpIUQZN8OhLsgsZqK73VisFRsTG//KrMsJ+CCv6DSpaoEEL0LzUFWVldK27oZ3CDfAo6pZS50M8DSzcA7foxvw7++DSnytS9ken6qu2Azf3iFOFetES23XMT7IIFfcJz+qgBVGIOrxYULj19Y3EZD++kgRM22pCSrnoOQHJV3DOE6SjMZfg9Nhbg7Z5jrpsoM5w7QXd3g8jfsOS0Yv+95CL5SgTtJBAPqVi/2bK7nPuQxGFBy/qhwktzeeagOgFwe5McnEL0aB8K7GQEhOeIiHNSf/AAffronCdGapHQcthAA9CD3P4qXHogiY6x6JgqOXaZ3/BNF4gIlEJoJV36Z51BZUpZLakqOcxw2XNungITq4XMZqUybyqq/oHZEjcqqwSgeHtGJ7aaCAdV1AK4J8kNYXSs0+JcKU+1BzCDTB2YY1nT3uXz5g2d6eLlAe3S6pLDBdZGfyXv4e/nS9ouhdQm9qknNt2hqLAkm5u2g0C6MWYqgCKKdWQBg0JrLvN799zOj5FOGFOEa+gA2t6WwpVeiuo/6Xhn2WtkU710cXdblROM/DWoiI7YUxG4GsmzZOG/1TsbGTPoP1+evxD+VxCIOag6yxBCHnrpUVyCwdp7GLH/+72KyKClhJLb/ub/MKKVTlsWk0JhP3EhfvChO4tbeFMjeGt7afuKKghRt3ZXjAAZFW28qx5oLvirRoUSKOdEU+jE0RWFFeB0Qac9Hz9BFM5iAhdlcpGOOi5bGeMqR/nGlTRV9oUENeopiHBvVXfXr88yumVDE7FzXy4RyC4hypQFddS7kVR3MYoA9c6hWrCAAiuooOKa1JhdfhdlvlQij9PAJW921ClBBXcB2ykcivcrJd6GPAzCHOj6cQjUDeTwarKqZGf1PdtNnCsU1r1V0MOqyuhNjZZ4ZoGEGlq3r3TJY8Hh/+w//ZTpbvHpTUD2rhQjXuVyzqBpU2z5SoFt23U7sV/8+LizZMKfJl9fveJU/CbZ3bGC756ZhpHykbX7bgy9Q0iBg9ke1w+7lepsZVZKhlfnQ==
-    password: AgAspVB0c402ymidL6YoRTRtmPekLZHlQXtZecftoakjm75OArueAnH+1dquknV4MJ7g8XUVLkguh4lKkNPxjCs2Jen5UM+aSxoqii/2KdTAIb1WINebDOhyj3lY8aZw9+qeDfc5590+x+8jASwm7rVf6QfGygdjwQ6D6xeNUC7xwU3bC8xH9mHq2wSKbI6iGAik4Di7Ma4bvm/nTNfB+Ogb7rdLoJsvDDFbZ1io3wWNJGsWleged2HRPPwkmGq7pkxE2xUpjgbqeWX0y8RbNLC6DwsE3mUce9hanfLvxJVCDMnbUKfUYUxULBMFpheT6lmyz1YgFu+NiuSFvX3An4PNfgeQ2Hl931qfoG9h2kX4wyYcJt0ELZ2tdcrSS7zWgNNx450LuWmGQPvhApLhH2U7CUsSrjbWS/NZKMHuZryp0sEtykoEOOtNezU5slSY/0aB9XWFDu78RaYJOZy1VqGy+ulWkhCFv+3D2MEF6JJXmI4RNTdWmUQx1hr85uTS9Xi6stovkLMHxrEJfDI581yZv7Z9DrSssp5U4Ydf3gjKN7UTgFXrSz25R7SJ4lYso7yHhka9L2YMuIuPS7iPg1F+RPjiG6KAxP3roqRfeMXP3LoDn/21pYsO1QNrq2fBLXaO8Wq0hRXaICZzGveWdeM8sIbjBNqxjb50YtmkF/bDI8BY/sogPWitzDDyNU3bVS5Qyl0AaTHasGzJ9Es26Q4C0GHLd3iVQq0GTSsmtUbZGg==
+    intermediate_ca.key: AgBArqvWXQHJwubw/7jOBtErH4BNpq+B1nsoTuhsmmE7COhRROko9wwYcfLfeJHkul1uXmp6JNmAde2xs6uJlbHwTDIRlUld2tAo2O20PHaDNq8/poqkk7LNnvjbwC73tul+Gxiot8WEfFM4eP98wYHePrX6q0/LAzyH/6Js8YgBKzLt4sIRi5E49m0C2s9uy5u1e3DcHNZTIlkntYi8zNmk+QEBHkqkeqvdGZ+yqH5e78AasF4qPfKw7WoFm3PH2/tKRfDpBXfvdTxrRy9FzqmmhdGVmbaeQcJ+Yl8H6qNd1BiqpAPkIDwAC9/LfH4Sd/iM59TdeOKsZpvEJZOyWLm1KbJz13wPfnGs/QvArwtuA95UQfzPYGFx9qur/nz3nsBvTvqFyAU+QHGSOnjig5ZppIb+Yr9foWuSqDV0qcfXEdjLzyc19lzS1e+itRLR1414Maaru4poPcg7xUQCs88oGvYAUi27p8xRXynGXtZwTK/GSWXFGxkzw1DtVcbGa/P23sCSnMLOsrajvvJYD2aCHZ6fKSUT+tddCoZhohM112uA6wNWBUx00uFgWUGZloe6MPVHnCStAwBxClXi+pREnSEk091nuSYzsTZarweUOJs8tLO2g2bEQ2BQCsCMbkNLjc6SSJa+Lu2Yb7uCUdwbLAZDf289f8SGmzsf/C7/Xbcmu0smrf5bb6ZUnacrWtCgrnPRJNMSXCY51awo3cj9c3X/v6pQVbjj+fTxDUIIaI9OcfvPJksapgsR8Olqffi8SlN3fvETOmVGVNAK11xy7qMmpz9Fck3z93NXUDNHMxteVic+8aHZgwv4wh+ixMldtCBiGWciavKWd7APSQjyvDwT4tTIi7QWa78+CBz/0Z3eDwDUHt5ryXlWeYRufrOTsGQJ9cfQgr8STgC00oghUaAtZ8y3cIOdVrwDCe1Yi9Dp2KlxzLLa+zYdagbmb8ygOZg65yW0Oy3q+sD1MSkrUQi/RDPjRB8kF+4t2MIZ00jQ7geIkhnh3TvislEqHbV5ZjKBZ2Gw4An+q4CB4EtM0DYKGGw7xvPyCqvs9E7WzSxyGL8+dNkEw/jASoHwJcufaXDXFgENuLn7OyCpsMMBZYti+V9SIOTNOQ==
+    password: AgAnwKicJ7yut9B3J22XYdqzGzHxh3kXCAozIZu9v1IxSTWb1txkF1aJM64ooog/IpUtoF88v6XzGTDDsAsbXtQbu7Y2s77zQXIOIj+Vri2kZAQyRdCDa70heUdPxo9haIizZvtJHH+dRxVqQ+YSXpPlbLag46RMvMHlUZjbPLxwTrOWVwHW2uVJJke7RiB99z1xOIV8nlD0NjdH9Ig1pnUikm4+GfiZBw/PjieYbjk5U8IABBfx1jjJPLFk2TlzsCyz8JyGr+Gf8DvCxRS43Wwtbn0ks2aFn/eZBMHK+XatjImtYSNUa4eIbjHD1RdQ03yZy83D8LdpYMl+z3PLYLrdIDkv7VBT875KjHoYGIMdjSkuNHuooOcdyJrN7bMRpODfzTXREoiY+4p1wHbLlOXOubxY/ULV6FAIMe9RSWVhmWMxV1INYwZuoNUr2pa29rBrIinF8Hc5Kcr2lhEZ9kpnrkC4MFpMjdW7QsOhpFnW2hIE2xWXc/vZgQ6q+8jJrMQwwrGcn+CEaFTSoVsXYaBwUnsOzMCNyHaNfyX03eQE9wNlXz0dppGoHJpb5ny+fviMhFS6kEXiieElRaTL8erGr0Ivtn+St5RaqD8mDpP36YrQ8YWpTMoyLSllRG4X1hiCorcjevZq2pJuP5+hs0HhtVW9vZS3iLGzHzjqyMJDvlml6Xd+AyvoylC38uncivF8NtHhIoeAgzlOZjYRxodPkLxAOfoVTlCzMexH+fsShwM=
   template:
     metadata:
       name: step-ca