git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity
Files
master
linux_patch_manager/crates/pm-agent-client/certs/README.md
Draco-Lunaris-Echo 5fa1fef6c8
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 5s
CI Pipeline / Clippy Lints (push) Successful in 51s
CI Pipeline / Rust Unit Tests (push) Failing after 1m31s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 14s
CI Pipeline / Build .deb & Release (push) Has been skipped
fix: remove committed private keys and add gitleaks CI 
- Remove all cert files from git tracking (git rm --cached)
  - crates/pm-agent-client/certs/client.key (private key)
  - crates/pm-agent-client/certs/client.crt (public cert)
  - crates/pm-agent-client/certs/ca.crt (public cert)
- Add .gitignore patterns for *.key, *.key.pem, certs/*.crt, certs/*.pem
- Update pm-agent-client doc examples to use std::fs::read() instead of include_bytes!
- Add gitleaks secret scanning job to CI workflow
- Update security-review.md with critical finding for Issue #12
- Add README.md to crates/pm-agent-client/certs/ explaining runtime cert generation

Private keys were dev/test only - no production key rotation needed.
Git history purge with filter-repo will follow after PR merge.

Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>
2026-06-06 13:20:52 -05:00

1.1 KiB
Raw Permalink Blame History

Agent Client Certificates

⚠️ Private keys are NOT committed to version control.

This directory holds mTLS certificates used by pm-agent-client for testing. The entire directory is excluded from git via .gitignore.

Generating Test Certificates

Certificates are generated automatically on first run by the pm-ca service, or you can generate them manually for development:

# Create certs directory if it doesn't exist
mkdir -p crates/pm-agent-client/certs

# Generate using the pm-ca service (preferred)
# Or copy from /etc/patch-manager/certs/ on a deployed host

Production Deployment

Production certificates are managed by pm-ca at /etc/patch-manager/certs/. The pm-agent-client reads certificates from file paths configured in config.toml (agent_client_cert_path, agent_client_key_path, ca_cert_path).

Security

  • Never commit private keys (*.key, *.key.pem) to version control
  • The gitleaks CI check scans for accidentally committed secrets
  • See SECURITY.md and docs/security-review.md for full details