
PKI/step-ca Staging Readiness Evidence

  • Status: in_progress
  • Owner: Security + Platform
  • Task: C-OPS-002
  • Last Updated: 2026-02-26

Objective

Track staging readiness evidence for internal PKI using step-ca:

  • Certificate lifecycle controls (issuance, renewal, revocation, expiry alerting)
  • Rotation procedure execution evidence
  • Trust bootstrap and CA-chain verification evidence

Contract/Baseline References

  • PKI design source: doc/architecture/PKI_Spec.md
  • Node enrollment/renewal trust model: doc/architecture/Node_Agent_Spec.md
  • Ops baseline requirement: doc/operations/Production_Platform_Baseline.md
  • East/west ops workstream: doc/operations/evidence/east_west_security_certs.md

Evidence Checklist

  • step-ca lifecycle model documented (roles, TTLs, renewal path) in PKI_Spec.md
  • step-ca migration boundary documented via CAClient abstraction in PKI_Spec.md
  • Cert expiry guard command available: make ops-cert-expiry-check
  • step-ca deployed in staging namespace and reachable only by allowed workloads
  • Node enrollment and renewal flow validated against staging CA
  • Revocation/deny-list validation exercised in staging
  • Alerting for cert-expiry and renewal failure verified in staging
  • Rotation drill executed and evidence captured

Rotation Procedure Evidence Plan

  1. Record pre-rotation certificate inventory (serial, subject, expiry).
  2. Execute intermediate/leaf rotation steps per PKI_Spec.md.
  3. Validate post-rotation:
       • Node enrollment succeeds.
       • Node renewal succeeds.
       • Worker renewal succeeds.
  4. Confirm old certs are rejected where expected (revocation/deny-list check).
  5. Capture timestamps, operator, and command outputs in the execution log.
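
For step 1, one way to record the inventory and, after the drill, list certificates whose serial did not change. This is an added example, not the project's own tooling: the function names are hypothetical, and it assumes PEM files named *.pem or *.crt under one directory and an installed openssl CLI.

```shell
#!/bin/sh
# Added example (not project code). Assumptions: certificates are PEM files
# named *.pem or *.crt under the given directory; openssl CLI is installed.

# cert_inventory DIR
# Prints one tab-separated record per certificate:
#   file, serial, subject (RFC 2253), notAfter, SHA-256 fingerprint (lowercase hex)
cert_inventory() {
    dir=$1
    [ -d "$dir" ] || { echo "cert_inventory: not a directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \) | sort |
    while IFS= read -r f; do
        # openssl x509 reads only the first certificate in a file, so a bundle
        # is recorded by its first entry. Unparsable files are reported, not fatal.
        if ! out=$(openssl x509 -in "$f" -noout -nameopt RFC2253 \
                       -serial -subject -enddate -fingerprint -sha256 2>/dev/null); then
            echo "cert_inventory: skipping unparsable file: $f" >&2
            continue
        fi
        serial=$(printf '%s\n' "$out" | sed -n 's/^serial=//p')
        subject=$(printf '%s\n' "$out" | sed -n 's/^subject= *//p')
        not_after=$(printf '%s\n' "$out" | sed -n 's/^notAfter=//p')
        # Fingerprint label case differs between OpenSSL versions; normalise the value.
        fp=$(printf '%s\n' "$out" | sed -n 's/^[A-Za-z0-9]* Fingerprint=//p' |
             tr -d ':' | tr 'A-F' 'a-f')
        printf '%s\t%s\t%s\t%s\t%s\n' "$f" "$serial" "$subject" "$not_after" "$fp"
    done
}

# unrotated PRE.tsv POST.tsv
# Prints files whose serial is identical before and after the drill, i.e.
# certificates the rotation did not reissue.
unrotated() {
    awk -F '\t' '
        FILENAME == ARGV[1] { pre[$1] = $2; next }
        ($1 in pre) && pre[$1] == $2 { print $1 }
    ' "$1" "$2"
}

# Usage (paths are placeholders):
#   cert_inventory /path/to/certs > pre_rotation.tsv
#   ... run the rotation ...
#   cert_inventory /path/to/certs > post_rotation.tsv
#   unrotated pre_rotation.tsv post_rotation.tsv
```

An empty result from `unrotated` means every inventoried certificate was reissued; both TSV files can be attached to the execution log as evidence.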

Trust Bootstrap Evidence Plan

  1. Verify node trust bootstrap follows API-only path (no direct node->step-ca connectivity).
  2. Validate CA fingerprint pinning during initial enrollment.
  3. Verify returned cert chain/CA bundle integrity and storage paths.
  4. Confirm network policy alignment with network_policy_baseline.yaml.

Staging Execution Log

| Date (UTC) | Environment | Scenario | Result | Evidence Path |
|---|---|---|---|---|
| pending | staging | step-ca deploy + policy validation | pending | pending |
| pending | staging | enrollment + renewal verification | pending | pending |
| pending | staging | rotation drill | pending | pending |
| pending | staging | trust bootstrap verification | pending | pending |