Lab-host cert delivery: integrate with wg-enroll USB flow #3

Open
opened 2026-04-29 23:45:34 -05:00 by max · 0 comments
Owner

User intent (2026-04-29 conversation): the lab-host mTLS leaf cert (issued by wg-pki/scripts/issue-cis490-client-cert.sh) should be installed automatically as part of the wg-enroll USB enrollment flow, not hand-carried via tarball.

Today:

  • wg-pki/scripts/issue-cis490-client-cert.sh <host_id> mints a leaf + bundles it as <host_id>.tar.
  • The lab-host install script (scripts/install-lab-host.sh) does not touch certs — operator drops them at /etc/cis490/certs/{lab-host.pem,key,wg-ca.pem} by hand.

Desired:

  • wg-enroll USBs carry an issued CIS490 client cert (or a pointer to one issued at enrollment time) that the enrollment process places at /etc/cis490/certs/.
  • The lab-host shipper picks them up automatically at first run.

Cross-repo: this needs a coordinated change between spectral/wg-enroll and spectral/CIS490. Per the repo memory, wg-enroll itself stays creation-only — the cert can be embedded in the per-USB enrollment artifact rather than minted by wg-enroll at provision time.

Blocks: end-to-end Tier 0 smoke test from a real lab host. Until this lands, the manual tarball flow in wg-pki/README.md is the workaround.
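As an added illustration (not code from spectral/CIS490 or spectral/wg-enroll) of the enrollment-time step the issue asks for: a hypothetical installer that takes the `<host_id>.tar` from issue-cis490-client-cert.sh, checks the bundle is complete and that the leaf chains to the bundled wg-ca.pem and matches its key, and only then places the files at /etc/cis490/certs/ with the key owner-only. It assumes the tar contains exactly lab-host.pem, key and wg-ca.pem, and that openssl is present on the lab host.

```shell
#!/bin/sh
# Hypothetical enrollment-time installer (example code, not from spectral/CIS490
# or spectral/wg-enroll). Assumes the <host_id>.tar from
# issue-cis490-client-cert.sh contains exactly lab-host.pem, key and wg-ca.pem,
# and that openssl is on the lab host.
set -eu

install_lab_host_certs() {
    bundle=$1
    dest=${2:-/etc/cis490/certs}
    work=$(mktemp -d) || return 1

    # Unpack into scratch space, never straight into $dest, so a bad bundle
    # cannot leave a half-installed cert set behind for the shipper to pick up.
    if ! tar -xf "$bundle" -C "$work"; then
        echo "cert-install: cannot unpack $bundle" >&2; rm -rf "$work"; return 1
    fi
    for f in lab-host.pem key wg-ca.pem; do
        if [ ! -s "$work/$f" ]; then
            echo "cert-install: bundle is missing $f" >&2; rm -rf "$work"; return 1
        fi
    done

    # The leaf must chain to the bundled wg-ca.pem (the CA the shipper will
    # present it to), and the private key must belong to that leaf.
    if ! openssl verify -CAfile "$work/wg-ca.pem" "$work/lab-host.pem" >/dev/null 2>&1; then
        echo "cert-install: lab-host.pem does not chain to wg-ca.pem" >&2; rm -rf "$work"; return 1
    fi
    cert_pub=$(openssl x509 -in "$work/lab-host.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$work/key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "cert-install: key does not match lab-host.pem" >&2; rm -rf "$work"; return 1
    fi

    # Only now touch $dest: certs world-readable, private key owner-only.
    mkdir -p "$dest"
    install -m 0644 "$work/lab-host.pem" "$dest/lab-host.pem"
    install -m 0644 "$work/wg-ca.pem" "$dest/wg-ca.pem"
    install -m 0600 "$work/key" "$dest/key"
    rm -rf "$work"
    echo "cert-install: $(openssl x509 -in "$dest/lab-host.pem" -noout -subject) -> $dest"
}

# Stand-alone use: install_lab_host_certs /path/to/<host_id>.tar [dest-dir]
if [ $# -gt 0 ]; then
    install_lab_host_certs "$@"
fi
```

A bundle whose leaf was issued by a different CA, or one missing any of the three files, is rejected before anything is written, so the shipper never starts with a mismatched cert set.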

Reference: bolyai/CIS490#3