feat: add A2 & M1 CAs

README.md

@@ -5,18 +5,18 @@ This is the B4CKSP4CE internal Certificate Authority. It is used to sign certifi
 1. Don't trust this CA. Just don't.
 2. Wherever you need it, enable this CA only for your particular application. Never install it to system trust stores.
 3. This CA uses a secp384r1 ECDSA with SHA256 defaults. RSA-3072 is also supported for selected intermediates.
-4. Every intermediate CA should have strict restricted-first Name Constraints.
+4. Every intermediate CA have strict restricted-first Name Constraints.
 
 ## Overview
 
 1. Root CA is stored on HSM in RØ team possession.
-2. DKEK-encrypted Root CA key is backed up in three locations.
-3. HSM DKEK (Device Key Encryption Key) backup is 3-of-5 split between RØ team members.
+2. Root CA is backed up on two encrypted offline devices, one offsite and one onsite.
+3. Backup key is divided into 5 shares using Shamir's Secret Sharing Scheme. Each share holded by a different resident.
 
 ## Security Contact
 
 Please find a ssh-ed25519 public key and email address in the snippet below.
-Expect all replies to be signed with this key.
+Expect all replies to be signed with this key. You may encrypt your message using this key with [age](https://age-encryption.org/).
 
 ```sh
 # Extract the public key from the Root CA certificate
@@ -42,7 +42,7 @@ openssl dgst -sha256 -verify root-ca.pub -signature noc-contact-proof.asc -binar
 
 ### B4CKSP4CE A1
 
-Intermediate CA for infrastructure services.
+Intermediate CA for infrastructure Services.
 
 - **Serial Number**: `16632377EC648A4F`
 - **SHA1 Fingerprint**: `65:DC:74:93:74:96:53:A8:C9:47:C2:70:2B:E0:56:05:0C:C3:FE:92`
@@ -51,3 +51,38 @@ Intermediate CA for infrastructure services.
 - **Not After**: 19 October 2039 23:59:59 UTC
 - **Revocation List**: [CRL](./a1/revoke.crl)
 - **Certificate**: [PEM](./a1/bksp-a1.pem), [TXT](./a1/bksp-a1.txt)
+- **Name Constraints**:
+  - **DNS**: `.svc.bksp.in`
+  - **DNS**: `.svc.0x08.in`
+  - **IP**: `10.0.2.0/23`
+  - **IP**: `FD91:652E:271A::/48`
+
+### B4CKSP4CE A2
+
+Intermediate CA for internal Devices.
+
+- **Serial Number**: `781257F3BBF281E2`
+- **SHA1 Fingerprint**: `D2:FA:5A:34:65:FF:DE:65:DE:28:BF:99:76:EE:2C:64:3F:50:4A:6F`
+- **SHA256 Fingerprint**: `89:5D:98:C6:C0:2F:BA:0A:1E:9C:00:DF:8B:EE:E5:B8:42:08:43:C8:0A:F5:2C:AF:AE:22:AC:5B:C8:36:37:CB`
+- **Not Before**: 22 October 2024 00:00:00 UTC
+- **Not After**: 21 October 2039 23:59:59 UTC
+- **Revocation List**: [CRL](./a2/revoke.crl)
+- **Certificate**: [PEM](./a2/bksp-a2.pem), [TXT](./a2/bksp-a2.txt)
+- **Name Constraints**:
+  - **DNS**: `.int.bksp.in`
+  - **IP**: `10.0.2.0/23`
+  - **IP**: `FD91:652E:271A::/48`
+
+### B4CKSP4CE M1
+
+Intermediate CA for Testing.
+
+- **Serial Number**: `37172756DF4C9AA8`
+- **SHA1 Fingerprint**: `76:82:86:66:8D:9F:F3:B1:97:1D:15:2E:BB:55:7E:2E:06:65:DE:40`
+- **SHA256 Fingerprint**: `A4:38:55:F3:52:D2:52:D5:CE:BC:7F:E2:C7:99:33:E4:8B:CA:50:C8:B0:FC:42:16:B3:B0:95:B3:5E:10:72:50`
+- **Not Before**: 22 October 2024 00:00:00 UTC
+- **Not After**: 21 October 2039 23:59:59 UTC
+- **Revocation List**: [CRL](./m1/revoke.crl)
+- **Certificate**: [PEM](./m1/bksp-m1.pem), [TXT](./m1/bksp-m1.txt)
+- **Name Constraints**:
+  - **DNS**: `.test.ca.bksp.in`

a2/bksp-a2.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICkzCCAhmgAwIBAgIIeBJX87vygeIwCgYIKoZIzj0EAwIwPTELMAkGA1UEBhMC
+UlUxEjAQBgNVBAoTCUI0Q0tTUDRDRTEaMBgGA1UEAxMRQjRDS1NQNENFIFJvb3Qg
+Q0EwHhcNMjQxMDIyMDAwMDAwWhcNMzkxMDIxMjM1OTU5WjA4MQswCQYDVQQGEwJS
+VTESMBAGA1UEChMJQjRDS1NQNENFMRUwEwYDVQQDEwxCNENLU1A0Q0UgQTIwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAT7OGKDHiBcdcYr4b/I4vVwCIdOTamPWqP25eSt
+qfWZ2vBUFcpMw89Ipt4sBo57YY5lGvhUuEVHrVYDxDeDMq1TV5p8zeivr76mh88p
+KT0388lIo2UR8gRUCJz7ZUy4A6SjgeowgecwEgYDVR0TAQH/BAgwBgEB/wIBADAd
+BgNVHQ4EFgQU9KmZY8qi5LaygTRGZqpEmABP68wwHwYDVR0jBBgwFoAUzj1SwIlP
+V2Leax2jx0yt51YTWOUwDgYDVR0PAQH/BAQDAgEGMDQGA1UdHwEB/wQqMCgwJqAk
+oCKGIGh0dHBzOi8vY2EuYmtzcC5pbi9hMi9yZXZva2UuY3JsMEsGA1UdHgREMEKg
+QDAOggwuaW50LmJrc3AuaW4wCocICgACAP///gAwIocg/ZFlLicaAAAAAAAAAAAA
+Af2RZS4nGv////////////8wCgYIKoZIzj0EAwIDaAAwZQIxAMQcyAhPU5M7sGk+
+ttwzMkZncNF7vMxlcqdq/XshiXTyZIP2gf9c5A+S0hfQVFdo1QIwJuVF+PHXt3pa
+Ar5aA9SsWzyZEWhJDXzXL9HfUHjXaPLAI/zNNI0w2YauB1caOi0N
+-----END CERTIFICATE-----
+

a2/bksp-a2.txt

@@ -0,0 +1,64 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 8652074538474045922 (0x781257f3bbf281e2)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=RU, O=B4CKSP4CE, CN=B4CKSP4CE Root CA
+        Validity
+            Not Before: Oct 22 00:00:00 2024 GMT
+            Not After : Oct 21 23:59:59 2039 GMT
+        Subject: C=RU, O=B4CKSP4CE, CN=B4CKSP4CE A2
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:fb:38:62:83:1e:20:5c:75:c6:2b:e1:bf:c8:e2:
+                    f5:70:08:87:4e:4d:a9:8f:5a:a3:f6:e5:e4:ad:a9:
+                    f5:99:da:f0:54:15:ca:4c:c3:cf:48:a6:de:2c:06:
+                    8e:7b:61:8e:65:1a:f8:54:b8:45:47:ad:56:03:c4:
+                    37:83:32:ad:53:57:9a:7c:cd:e8:af:af:be:a6:87:
+                    cf:29:29:3d:37:f3:c9:48:a3:65:11:f2:04:54:08:
+                    9c:fb:65:4c:b8:03:a4
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Subject Key Identifier: 
+                F4:A9:99:63:CA:A2:E4:B6:B2:81:34:46:66:AA:44:98:00:4F:EB:CC
+            X509v3 Authority Key Identifier: 
+                CE:3D:52:C0:89:4F:57:62:DE:6B:1D:A3:C7:4C:AD:E7:56:13:58:E5
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: critical
+                Full Name:
+                  URI:https://ca.bksp.in/a2/revoke.crl
+            X509v3 Name Constraints: 
+                Permitted:
+                  DNS:.int.bksp.in
+                  IP:10.0.2.0/255.255.254.0
+                  IP:FD91:652E:271A:0:0:0:0:1/FD91:652E:271A:FFFF:FFFF:FFFF:FFFF:FFFF
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:65:02:31:00:c4:1c:c8:08:4f:53:93:3b:b0:69:3e:b6:dc:
+        33:32:46:67:70:d1:7b:bc:cc:65:72:a7:6a:fd:7b:21:89:74:
+        f2:64:83:f6:81:ff:5c:e4:0f:92:d2:17:d0:54:57:68:d5:02:
+        30:26:e5:45:f8:f1:d7:b7:7a:5a:02:be:5a:03:d4:ac:5b:3c:
+        99:11:68:49:0d:7c:d7:2f:d1:df:50:78:d7:68:f2:c0:23:fc:
+        cd:34:8d:30:d9:86:ae:07:57:1a:3a:2d:0d
+-----BEGIN CERTIFICATE-----
+MIICkzCCAhmgAwIBAgIIeBJX87vygeIwCgYIKoZIzj0EAwIwPTELMAkGA1UEBhMC
+UlUxEjAQBgNVBAoTCUI0Q0tTUDRDRTEaMBgGA1UEAxMRQjRDS1NQNENFIFJvb3Qg
+Q0EwHhcNMjQxMDIyMDAwMDAwWhcNMzkxMDIxMjM1OTU5WjA4MQswCQYDVQQGEwJS
+VTESMBAGA1UEChMJQjRDS1NQNENFMRUwEwYDVQQDEwxCNENLU1A0Q0UgQTIwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAT7OGKDHiBcdcYr4b/I4vVwCIdOTamPWqP25eSt
+qfWZ2vBUFcpMw89Ipt4sBo57YY5lGvhUuEVHrVYDxDeDMq1TV5p8zeivr76mh88p
+KT0388lIo2UR8gRUCJz7ZUy4A6SjgeowgecwEgYDVR0TAQH/BAgwBgEB/wIBADAd
+BgNVHQ4EFgQU9KmZY8qi5LaygTRGZqpEmABP68wwHwYDVR0jBBgwFoAUzj1SwIlP
+V2Leax2jx0yt51YTWOUwDgYDVR0PAQH/BAQDAgEGMDQGA1UdHwEB/wQqMCgwJqAk
+oCKGIGh0dHBzOi8vY2EuYmtzcC5pbi9hMi9yZXZva2UuY3JsMEsGA1UdHgREMEKg
+QDAOggwuaW50LmJrc3AuaW4wCocICgACAP///gAwIocg/ZFlLicaAAAAAAAAAAAA
+Af2RZS4nGv////////////8wCgYIKoZIzj0EAwIDaAAwZQIxAMQcyAhPU5M7sGk+
+ttwzMkZncNF7vMxlcqdq/XshiXTyZIP2gf9c5A+S0hfQVFdo1QIwJuVF+PHXt3pa
+Ar5aA9SsWzyZEWhJDXzXL9HfUHjXaPLAI/zNNI0w2YauB1caOi0N
+-----END CERTIFICATE-----

a2/revoke.crl

@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBEDCBmAIBATAKBggqhkjOPQQDAjA4MQswCQYDVQQGEwJSVTESMBAGA1UEChMJ
+QjRDS1NQNENFMRUwEwYDVQQDEwxCNENLU1A0Q0UgQTIXDTI0MTAyMjAwMDAwMFoX
+DTI1MTAyMTIzNTk1OVqgLzAtMB8GA1UdIwQYMBaAFPSpmWPKouS2soE0RmaqRJgA
+T+vMMAoGA1UdFAQDAgEBMAoGCCqGSM49BAMCA2cAMGQCMBsc/VlT+p2U0bmIxW++
+d7ysK5gi6p7ltWBL8rrR9IKEIcBR4xX3ZiY51bFxcD1sWAIwfT+bCZBPulZMI49n
+gI1fM2cjesvt/GF3f62WUCEadfAPC7meS45o+38ZOPm876V+
+-----END X509 CRL-----
+

m1/bksp-m1.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICZzCCAe2gAwIBAgIINxcnVt9MmqgwCgYIKoZIzj0EAwIwPTELMAkGA1UEBhMC
+UlUxEjAQBgNVBAoTCUI0Q0tTUDRDRTEaMBgGA1UEAxMRQjRDS1NQNENFIFJvb3Qg
+Q0EwHhcNMjQxMDIyMDAwMDAwWhcNMzkxMDIxMjM1OTU5WjA4MQswCQYDVQQGEwJS
+VTESMBAGA1UEChMJQjRDS1NQNENFMRUwEwYDVQQDEwxCNENLU1A0Q0UgTTEwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAQtWdZNwCiELzBVxL5qHjmMkPGTjHmboLrMU+lw
+HVMTurTDzUjDZJWajOLqWqtU5nT/HBlztl9OIz8JZQ1T8Q45jRsxYrPCGRCEY3KT
+DrwVpgSb58P1a+8HzmOf8bDUtQGjgb4wgbswEgYDVR0TAQH/BAgwBgEB/wIBADAd
+BgNVHQ4EFgQUoJZB8ZjsjFVhwYzDt0XyIG8eeYYwHwYDVR0jBBgwFoAUzj1SwIlP
+V2Leax2jx0yt51YTWOUwDgYDVR0PAQH/BAQDAgEGMDQGA1UdHwEB/wQqMCgwJqAk
+oCKGIGh0dHBzOi8vY2EuYmtzcC5pbi9tMS9yZXZva2UuY3JsMB8GA1UdHgQYMBag
+FDASghAudGVzdC5jYS5ia3NwLmluMAoGCCqGSM49BAMCA2gAMGUCMQDvz1GhzUIk
+vx+h4VG2aI5u7OJfW7hPWFuFPJQdP88ClcDNnTkepHWwj7U+RQyinyQCMBGh2zar
+0RaE7HvN0ki/ZYv7SAg5/CRfAPYtFTAjnkM2DHSAcMPzHC0RnEVAQo4fMA==
+-----END CERTIFICATE-----

m1/bksp-m1.txt

@@ -0,0 +1,61 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3969684850617391784 (0x37172756df4c9aa8)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=RU, O=B4CKSP4CE, CN=B4CKSP4CE Root CA
+        Validity
+            Not Before: Oct 22 00:00:00 2024 GMT
+            Not After : Oct 21 23:59:59 2039 GMT
+        Subject: C=RU, O=B4CKSP4CE, CN=B4CKSP4CE M1
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:2d:59:d6:4d:c0:28:84:2f:30:55:c4:be:6a:1e:
+                    39:8c:90:f1:93:8c:79:9b:a0:ba:cc:53:e9:70:1d:
+                    53:13:ba:b4:c3:cd:48:c3:64:95:9a:8c:e2:ea:5a:
+                    ab:54:e6:74:ff:1c:19:73:b6:5f:4e:23:3f:09:65:
+                    0d:53:f1:0e:39:8d:1b:31:62:b3:c2:19:10:84:63:
+                    72:93:0e:bc:15:a6:04:9b:e7:c3:f5:6b:ef:07:ce:
+                    63:9f:f1:b0:d4:b5:01
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Subject Key Identifier: 
+                A0:96:41:F1:98:EC:8C:55:61:C1:8C:C3:B7:45:F2:20:6F:1E:79:86
+            X509v3 Authority Key Identifier: 
+                CE:3D:52:C0:89:4F:57:62:DE:6B:1D:A3:C7:4C:AD:E7:56:13:58:E5
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 CRL Distribution Points: critical
+                Full Name:
+                  URI:https://ca.bksp.in/m1/revoke.crl
+            X509v3 Name Constraints: 
+                Permitted:
+                  DNS:.test.ca.bksp.in
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:65:02:31:00:ef:cf:51:a1:cd:42:24:bf:1f:a1:e1:51:b6:
+        68:8e:6e:ec:e2:5f:5b:b8:4f:58:5b:85:3c:94:1d:3f:cf:02:
+        95:c0:cd:9d:39:1e:a4:75:b0:8f:b5:3e:45:0c:a2:9f:24:02:
+        30:11:a1:db:36:ab:d1:16:84:ec:7b:cd:d2:48:bf:65:8b:fb:
+        48:08:39:fc:24:5f:00:f6:2d:15:30:23:9e:43:36:0c:74:80:
+        70:c3:f3:1c:2d:11:9c:45:40:42:8e:1f:30
+-----BEGIN CERTIFICATE-----
+MIICZzCCAe2gAwIBAgIINxcnVt9MmqgwCgYIKoZIzj0EAwIwPTELMAkGA1UEBhMC
+UlUxEjAQBgNVBAoTCUI0Q0tTUDRDRTEaMBgGA1UEAxMRQjRDS1NQNENFIFJvb3Qg
+Q0EwHhcNMjQxMDIyMDAwMDAwWhcNMzkxMDIxMjM1OTU5WjA4MQswCQYDVQQGEwJS
+VTESMBAGA1UEChMJQjRDS1NQNENFMRUwEwYDVQQDEwxCNENLU1A0Q0UgTTEwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAQtWdZNwCiELzBVxL5qHjmMkPGTjHmboLrMU+lw
+HVMTurTDzUjDZJWajOLqWqtU5nT/HBlztl9OIz8JZQ1T8Q45jRsxYrPCGRCEY3KT
+DrwVpgSb58P1a+8HzmOf8bDUtQGjgb4wgbswEgYDVR0TAQH/BAgwBgEB/wIBADAd
+BgNVHQ4EFgQUoJZB8ZjsjFVhwYzDt0XyIG8eeYYwHwYDVR0jBBgwFoAUzj1SwIlP
+V2Leax2jx0yt51YTWOUwDgYDVR0PAQH/BAQDAgEGMDQGA1UdHwEB/wQqMCgwJqAk
+oCKGIGh0dHBzOi8vY2EuYmtzcC5pbi9tMS9yZXZva2UuY3JsMB8GA1UdHgQYMBag
+FDASghAudGVzdC5jYS5ia3NwLmluMAoGCCqGSM49BAMCA2gAMGUCMQDvz1GhzUIk
+vx+h4VG2aI5u7OJfW7hPWFuFPJQdP88ClcDNnTkepHWwj7U+RQyinyQCMBGh2zar
+0RaE7HvN0ki/ZYv7SAg5/CRfAPYtFTAjnkM2DHSAcMPzHC0RnEVAQo4fMA==
+-----END CERTIFICATE-----

m1/revoke.crl

@@ -0,0 +1,8 @@
+-----BEGIN X509 CRL-----
+MIIBETCBmAIBATAKBggqhkjOPQQDAjA4MQswCQYDVQQGEwJSVTESMBAGA1UEChMJ
+QjRDS1NQNENFMRUwEwYDVQQDEwxCNENLU1A0Q0UgTTEXDTI0MTAyMjIxMzUwMFoX
+DTI1MTAyMjIxMzUwMFqgLzAtMB8GA1UdIwQYMBaAFKCWQfGY7IxVYcGMw7dF8iBv
+HnmGMAoGA1UdFAQDAgEBMAoGCCqGSM49BAMCA2gAMGUCMFoGBV1JU/NyWHDckKxT
+7YrpqPR92tuKPNCi2xFWYYnOr4MdND4fR13C0Jw5Srp9egIxANjCzEKhZT9itxCp
+33kCUig8NojlCvqhmzqklNkGs0B7eKPxj0ryBGiLLdV4o7kTIA==
+-----END X509 CRL-----