git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity
Files
eac05ad1eb879b911c4376ee896bec483f76528a
linux_patch_api/configs/certs/README.md
Draco-Lunaris-Echo efaac33c47
Some checks failed
CI/CD Pipeline / Code Format (push) Successful in 3s
CI/CD Pipeline / Clippy Lints (push) Successful in 43s
CI/CD Pipeline / All Unit Tests (push) Successful in 1m12s
CI/CD Pipeline / Security Audit (push) Successful in 5s
CI/CD Pipeline / Enrollment Tests (push) Successful in 1m12s
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s
CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 57s
CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m12s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m18s
CI/CD Pipeline / Build Alpine Package (push) Failing after 3m7s
fix: remove committed private keys and add runtime cert generation (closes #12) 
- Remove all private key files from git tracking (git rm --cached)
  - configs/certs/ca.key.pem, server.key.pem, client001.key.pem
  - tests/e2e/certs/client.key
  - Also remove public certs from configs/certs/ (generated at runtime)
- Add .gitignore patterns for *.key, *.key.pem, configs/certs/*.pem, *.srl
- Add scripts/generate-dev-certs.sh for runtime test cert generation
- Update Python e2e test to generate certs on demand (ensure_certs())
- Update test_wrong_cert_connection to generate wrong-CA certs at runtime
- Add gitleaks secret scanning job to CI workflow
- Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12
- Update SECURITY_CONTROLS_MATRIX.md evidence references
- Add README.md to configs/certs/ and tests/e2e/certs/

Private keys were dev/test only - no production key rotation needed.
Git history purge with filter-repo will follow after PR merge.

Co-authored-by: git-echo <git-echo@moon-dragon.us>
2026-06-06 13:20:43 -05:00

1.1 KiB
Raw Blame History

Development Certificates

⚠️ Private keys are NOT committed to version control.

This directory is used for local development certificates only. Private key files (*.key, *.key.pem) are excluded from git via .gitignore.

Generating Development Certificates

Run the generation script from the repository root:

./scripts/generate-dev-certs.sh

This creates:

  • ca.pem / ca.key.pem — Internal CA certificate and key
  • server.pem / server.key.pem — Server certificate and key
  • client001.pem / client001.key.pem — Client certificate and key
  • tests/e2e/certs/ — E2E test certificates

Production Deployments

Production deployments should use certificates issued by the organisation's internal CA. The install.sh script and systemd unit handle production certificate paths at /etc/linux_patch_api/certs/.

Security

  • Never commit private keys (*.key, *.key.pem) to version control
  • Private keys must have 0600 permissions in production
  • The gitleaks CI check scans for accidentally committed secrets
  • See SECURITY_FINDINGS_REPORT.md and SECURITY.md for full details