From ecd54b530c3abcdac23e6ce492a12125c756b00c Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 19 Dec 2022 08:17:36 -0500 Subject: [PATCH] update message for cert.tf --- .../full-cluster-tf-upgrade/common-services/cert.tf | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/examples/full-cluster-tf-upgrade/common-services/cert.tf b/examples/full-cluster-tf-upgrade/common-services/cert.tf index 1202841..a6e3547 100644 --- a/examples/full-cluster-tf-upgrade/common-services/cert.tf +++ b/examples/full-cluster-tf-upgrade/common-services/cert.tf @@ -38,9 +38,18 @@ Now submit file to TCO for signing and return the result as below: dns = ${local.ca_dns_name} csr = certs/${local.ca_dns_name}.csr -Ask for the certificate to be signed with the Linux (v2) PKI CA with the command: +**IMPORTANT** -% ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730" +We are no longer issuing certificate from the Linux (v2) PKI, so you must request one from the MS CA. +Ask for the certificate to be signed with the Microsoft (MS CA, v3) PKI CA with the command (Windows, PowerShell): + + certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority" ${local.ca_dns_name}.csr ${local.ca_dns_name}.cer + +It is very important that this certificate be issued as a Subordinate Certification Authority. The default method of a server certificate +will fail and will cause a lot of issues. + +Further, you will NOT enable the download option with the MS CA. If you receive a download link to ca.apps.tco.census.gov, do not attempt +to proceed, and request the correctly-signed certificate as described above. EOM }
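Review bot: The replacement instructions drop two things the removed line made explicit and do not say where they now come from: the subject DN (`c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}`) and the validity period (`730`). With `certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority"` the subject is taken from the CSR and the lifetime from the template, so the message should state that the CSR generated above must already carry the intended DN and that the template, not the operator, controls validity; otherwise a reader following the old flow will look for somewhere to pass them. Two smaller points in the same hunk: "We are no longer issuing certificate from" should read "certificates from", and "will fail and will cause a lot of issues" would be more useful if it named the check to perform, i.e. confirm the issued `${local.ca_dns_name}.cer` was produced from the Subordinate Certification Authority template and not a server template before continuing, since the text says the wrong template is the failure mode. Also, "you will NOT enable the download option" reads like a statement rather than the instruction it is meant to be; "do NOT use the download option" matches the following sentence about `ca.apps.tco.census.gov`.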