pki: add CA trust bundles for OTE and prod (#19)

csnitker-godaddy · claude · web-flow · commit 4970f5e389f3 · 2026-04-06T21:29:55.000Z
* pki: add CA trust bundles for OTE and prod environments

Public CA certificates for SDK consumers and service operators to verify
TLS connections to ANS endpoints. Two-level hierarchy: root CA with
per-region sub-CAs for us-east-1, us-west-2, and ap-south-1 (prod only).

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* style: fix markdown lint errors in pki/README.md

Wrap long lines to 80 chars, add language tags to fenced code blocks,
and add trailing newline.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/pki/README.md b/pki/README.md
@@ -0,0 +1,131 @@
+# ANS PKI Trust Material
+
+This directory contains the public CA certificates for the
+Agent Name Service (ANS). SDK consumers and service operators
+use these bundles to verify TLS connections and certificate
+chains when interacting with ANS endpoints.
+
+## Directory Structure
+
+```text
+pki/
+├── README.md
+├── ote/
+│   └── ca-bundle.pem
+└── prod/
+    └── ca-bundle.pem
+```
+
+## Certificate Hierarchy
+
+ANS uses a two-level CA hierarchy. Each environment has a
+single root CA and per-region sub-CAs that issue leaf
+certificates directly.
+
+```text
+Root CA (self-signed, per-environment)
+  CN = gd-domain-parking
+  O  = GoDaddy, OU = Engineering, C = US
+  │
+  ├── Sub-CA (us-east-1)
+  ├── Sub-CA (us-west-2)
+  └── Sub-CA (ap-south-1)   ← prod only
+```
+
+## Environments
+
+- **`prod/`** — Production CA chain. Includes the root CA
+  and per-region sub-CAs.
+- **`ote/`** — OTE (test) CA chain. Includes per-region
+  sub-CAs only. Separate CA hierarchy from prod.
+
+Inspect individual certificates for details (subject,
+validity, extensions, etc.) using the commands in the
+[Verifying Certificates](#verifying-certificates) section.
+
+## Bundle Format
+
+Each `ca-bundle.pem` contains all CA certificates for its
+environment as concatenated PEM blocks. Region comments
+(e.g. `# us-east-1`) are included between certificates for
+human readability. Certificates are ordered by region; the
+root CA (when present) appears first.
+
+## Verifying Certificates
+
+Inspect certificates in a bundle:
+
+```bash
+# Fingerprint a single cert
+openssl x509 -in cert.pem -noout -fingerprint -sha256
+
+# Split a bundle and fingerprint each cert
+csplit -z ca-bundle.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
+for f in xx*; do
+  openssl x509 -in "$f" -noout -subject -fingerprint -sha256
+done
+rm xx*
+```
+
+## Usage
+
+### Go
+
+```go
+pool := x509.NewCertPool()
+bundle, _ := os.ReadFile("pki/prod/ca-bundle.pem")
+pool.AppendCertsFromPEM(bundle)
+
+tlsConfig := &tls.Config{RootCAs: pool}
+```
+
+### Rust
+
+```rust
+let bundle = std::fs::read("pki/prod/ca-bundle.pem")?;
+let certs = rustls_pemfile::certs(&mut &bundle[..])
+    .collect::<Result<Vec<_>, _>>()?;
+
+let mut root_store = RootCertStore::empty();
+for cert in certs {
+    root_store.add(cert)?;
+}
+```
+
+### OpenSSL CLI
+
+```bash
+# Verify a leaf certificate against the bundle
+openssl verify -CAfile pki/prod/ca-bundle.pem leaf.pem
+
+# Inspect a certificate in the bundle
+openssl x509 -in pki/prod/ca-bundle.pem -noout -text
+```
+
+## Rotation Policy
+
+- Root CAs have a **10-year** validity window (prod) to
+  minimize rotation overhead.
+- Sub-CAs have **5-year** (prod) or **2-year** (OTE)
+  validity windows.
+- New certificates will be committed to this repo **before
+  expiry** of the outgoing cert, with both old and new
+  present in the bundle during the transition period.
+- Retired certificates will be moved to a `retired/`
+  subdirectory with a commit message noting the reason
+  and date.
+- Git history is the version record. Do not create versioned
+  subdirectories.
+
+## Important Notes
+
+- **Do not pin individual certificate serial numbers.**
+  Regional sub-CAs may be reissued independently. Pin the
+  root CA fingerprint or load the full bundle.
+- **OTE and prod are separate trust domains.** Never load
+  `ote/` bundles in production configurations. The
+  environments use completely independent CA hierarchies.
+- **Verify bundle integrity after download.** Use the
+  fingerprint commands in the
+  [Verifying Certificates](#verifying-certificates) section
+  to confirm certificates match expected values.
diff --git a/pki/ote/ca-bundle.pem b/pki/ote/ca-bundle.pem
@@ -0,0 +1,46 @@
+# us-east-1
+-----BEGIN CERTIFICATE-----
+MIIDmTCCAoGgAwIBAgIQILhFlUrXwppjoFkNR+k1uDANBgkqhkiG9w0BAQsFADBR
+MQswCQYDVQQGEwJVUzEQMA4GA1UECgwHR29EYWRkeTEUMBIGA1UECwwLRW5naW5l
+ZXJpbmcxGjAYBgNVBAMMEWdkLWRvbWFpbi1wYXJraW5nMB4XDTI1MTAyMzIyNTE1
+OFoXDTI3MTAyMzIzNTE1OFowWDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0dvRGFk
+ZHkxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSEwHwYDVQQDDBhBZ2VudCBOYW1lIFNl
+cnZpY2UgU3RhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwq1LX
+nHPnMAKaVAWIb4ZHmZfId1B0J4iHmgJF4Wp9GMy55QxNQRb4hEA7NavM0KOQeL1H
+kub32s9F/4UMDACAUrZ0yEAH+mAfDhhLoebAvDDuWv7kDtUAaeCZFcYKsw2v5S6H
++/RC5EAogTDvAe1BMn+20xzLFCT0pybv0nTUxiPQCP7r1waN3+V22l43u9oRqgTt
+Z9WtPe0l8wxEnT1Cv2F+LqlXnxkOKfmFA1fJDaBbw0SGu8+DX+qRqLAo3zIY6RYk
+wSOwioC0f6sBPlX+aNEW5Lx7ii6lAW/jqVGZmpLTKAGMvWgr/46AjUBt5+uswiYd
+92gwZRvaAym8Uyj1AgMBAAGjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0j
+BBgwFoAUJeWbgI+B0jtA4lQ1vm3W2h9XQX8wHQYDVR0OBBYEFKdjaAsN3joDSR3J
+NMH2FyibfkIeMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEADzrA
+EBmCtJtHRUIzqlcex5N/odstSh+aTjzajg84HRe3FERZeHMpRMwP0jkCDKEg8kF0
+0Px4bfztY6ICKye5NinoKiTfQ8gEnuN/UdGUjF0rj95klHYeahLqjWvSagl5bFfT
+3x/tKlcCXOKVOZqjNPAlTs/1HxiD34nhZy/nAiRw9zCDYjdsQtOAwppCzdV8t06b
+FBHthatRTgmsNEvWBKypvwNRdx/bjUmtWMnro28R0yO9W1NGB6s6GyuJrM6u080Z
+VVk2NuCVOfq02SUKjbK8CEtOVt/apCQKOhT8yXbEMzaqOz3M+Lv29/rztgl4ESe/
+PWhxLX7bnjbvm0Vq3g==
+-----END CERTIFICATE-----
+# us-west-2
+-----BEGIN CERTIFICATE-----
+MIIDmTCCAoGgAwIBAgIQfqwguE1BN7vTpO5FjyloETANBgkqhkiG9w0BAQsFADBR
+MQswCQYDVQQGEwJVUzEQMA4GA1UECgwHR29EYWRkeTEUMBIGA1UECwwLRW5naW5l
+ZXJpbmcxGjAYBgNVBAMMEWdkLWRvbWFpbi1wYXJraW5nMB4XDTI1MTAyMzIyNDgw
+NloXDTI3MTAyMzIzNDgwNVowWDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0dvRGFk
+ZHkxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSEwHwYDVQQDDBhBZ2VudCBOYW1lIFNl
+cnZpY2UgU3RhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCM2Tvx
++0X40tp0Ytmxv0e8zjQxNt0iKtaq/U89vRPJwp9jdTKkhmf00VfwrOs0/W4yiUs4
+5movCHCchBRr/Mk40DnR/bJ927hrMFjuX6vDDtUqJNSyBWEyMKtWZ1xGz9mP91hC
+Z9UG/f5nxGrUxx4P41iq5MbPFQkCQThb8RK1qeWXj90f4UL+wj0emIIE/EOJ1o0Z
+3aWqrQ36bvYsOuFDXFfYumMdaQm9NQksi6eqYLrLis1Qw09ZN7cTM71iTTl2su/b
+C1JDj/jKUtcmU9chAMJirTRrwNaC30lU/Qsdph6bW2/SDYaVfAa1Y2bt/Soui/e7
+wMQzE8mhCgXklwi3AgMBAAGjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0j
+BBgwFoAUJeWbgI+B0jtA4lQ1vm3W2h9XQX8wHQYDVR0OBBYEFHNwl4zCinyJXm3G
+Hi10PPgYk+diMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEARndW
+uebdLgi2CPvpLjgHuIAQyyntpXV5DkN89U0/SMPJptqKlNeSOUsuzkt2bWSltklY
+oFpSIKVpyo4H9tAfZNmyAIzNblFInOOHvdZm7sSxLyqoDm99PU7VUWxLU+0YZUrK
+epmE74P3pr2tbnhzMxqNc8A9TkK2K1NJTd5stW5MwRqUA3b1agLTOwfp0Bz/msO0
+EubK1xWZkYYQ4gmds+o1QSaJnf0DB5U50OD/q/VJo9b5KsDPk4eh7+LbLoRBJRIb
+z5lXsuUm8h7Xkmr4GOynMwDS+p5wpq3iVqDy4ZtlpLQmBv4DwyF3xniGTfV7ISEI
++O9ggUsQuil2VaP+LA==
+-----END CERTIFICATE-----
diff --git a/pki/prod/ca-bundle.pem b/pki/prod/ca-bundle.pem
@@ -0,0 +1,68 @@
+# ap-south-1
+-----BEGIN CERTIFICATE-----
+MIIDbzCCAlegAwIBAgIRAMGqojYhC9BsrBd/XDXfeMkwDQYJKoZIhvcNAQELBQAw
+UTELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0dvRGFkZHkxFDASBgNVBAsMC0VuZ2lu
+ZWVyaW5nMRowGAYDVQQDDBFnZC1kb21haW4tcGFya2luZzAeFw0yNTEwMTUxNzU0
+MjlaFw0zNTEwMTUxODU0MjlaMFExCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdHb0Rh
+ZGR5MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEaMBgGA1UEAwwRZ2QtZG9tYWluLXBh
+cmtpbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRBNu8fAf2luhs
+xCvviklDt2Nx/Mmr2TrtnCV50B9X+e1vR3W6DMab7+TzoBldpBypmr8BG4mH2L5F
+a4bcmpwkuRXdP0N7CoYMJpVQyNM9DBvABbUgkF4y1QEROID2w39djajxgzyfRCTC
+Mm88dSL+NlvfCHxsN/pXkJnnErrVWovxpHVWdQglYQ/NBKfhRWBaC0PBR8yd4zkQ
+DY6UA10a2vb8InBSI73AafgLCt/iCRCpI7sbOgERBTgU6RDnAauZpjnnoSplzKnz
+7JtdD0z8AMZi6RTKsIaRBs293zPlWCnf0eCzAufURtFP2YcEuMlEjnoi1zIsyArh
+vb55f2NNAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMkZc+Pg
+Kn3Efi1noFxrRX+L9/CRMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOC
+AQEAKMVSsBsuQHX1Y0a8vX8uuQzZ5Fjx4OMq6YBvTaxLiro24lGntbyZvs88Kiar
+ZINQ/ZltU1an6dJbCd7/2rNV2bUR5CBOzNixQyLmCKcWBzQRoV5AVEfovr4wAUiG
+SORzbe9lx9PFM9WllXTiHG0AFHCP+FgOAPUGGtNlFbORa60HWQVXt4pCUNrnWFpF
+pHuCk5DZY0V7YWB4yR8uuKtxwJj+lk29BvavBy0f9hQWa7+Ssg1J9KCk4Dtsm2w8
+jf1/HsQpXKDV2M4Ab+SK5eZSnEWXOsqzzmEuKXYJasVA9HTW7IsRXTwpiay2o01Z
+dLqYgYorJPvg4VtVmlcambgOhw==
+-----END CERTIFICATE-----
+# us-east-1
+-----BEGIN CERTIFICATE-----
+MIIDlDCCAnygAwIBAgIRAPbJUP3ge3RALcAa5k4gr3gwDQYJKoZIhvcNAQELBQAw
+UTELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0dvRGFkZHkxFDASBgNVBAsMC0VuZ2lu
+ZWVyaW5nMRowGAYDVQQDDBFnZC1kb21haW4tcGFya2luZzAeFw0yNTEwMTUyMTU1
+MzdaFw0zMDEwMTUyMjU1MzZaMFIxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdHb0Rh
+ZGR5MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEbMBkGA1UEAwwSQWdlbnQgTmFtZSBT
+ZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwyEkbV7s0Zvn
+UviixuNhIPtb7vKgOUknHDnnzhF4OxH7nfX3FL2PRAMniA0+dhZMramv3vVUAJ/Q
+a8YB/cujBlrOk+qnXpPN2batf7Ta/MQv2m0sADyuJuH/LUJp1OMyUu8fixtJdsgp
+SGkzJBZQhNQ4aL7+dx3k7WZUd2xSLgJmclJJzfylxqfEqeG7iJyUU5MinIxqK07f
+sh7gBfa3ovzEztH4ywMtAKuzimXFNSqpDY/MBz8NoTF8jTbfwzJtYx9Vbu38lBca
+E0EUxktpYo3cQ5x0IZ3cm6JQhxcYUmoNOf6ygu57L53nRyoy81W28mZL4jX+UkL+
+KhEa+aByOQIDAQABo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMB8GA1UdIwQYMBaA
+FMkZc+PgKn3Efi1noFxrRX+L9/CRMB0GA1UdDgQWBBTfmY0o/EdYa8NIFosw7ND9
+H/wshzAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBACc1HokhSI0E
+XPmK8+TPOHqISOhDlVQ/bKgHS6HCrFkkR5knJ/VVLfV9bEgYM/fRT9cJQIvOS0MS
+KYIcK4zzlQRsHsp51MQNOCWruE9fi5IPFDal9OlE+ql9MwO0Qx6d+Trh+Tz3CUN7
+xFKbb7uXIOLEPyA8TuIlcfQwsgPXwL82PJ6G5Sn2H8E1Qoz+qGGc3oEKC9qVDMxl
+fFYSiZs8AlHVZc9ksdpCc8Bh6vHQb3lhmi6A7wQyIDU+4lT6GVnGBlwyzHli6gRr
+1EuDiedc7Us+FZ3GnBt8fwbWrm4vS1gMZxDh1vQYkVdnzd9qhe/drtv3oa0BgMse
+6kRq3rWFyX0=
+-----END CERTIFICATE-----
+# us-west-2
+-----BEGIN CERTIFICATE-----
+MIIDlDCCAnygAwIBAgIRAO450Z0iRiXGOI9KNaXfvlYwDQYJKoZIhvcNAQELBQAw
+UTELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0dvRGFkZHkxFDASBgNVBAsMC0VuZ2lu
+ZWVyaW5nMRowGAYDVQQDDBFnZC1kb21haW4tcGFya2luZzAeFw0yNTEwMTYxNjIy
+NTNaFw0zMDEwMTYxNzIyNTJaMFIxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdHb0Rh
+ZGR5MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEbMBkGA1UEAwwSQWdlbnQgTmFtZSBT
+ZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/0HbiHoUgvo
+61Vl0EUBPKMuKOuOZuVYEHaDSaxIsdmeBwA1tVKvtQxc6UcfOvSpeOqSYvsIJiXF
+GLHuSJqVNa+0riVz6YOXfjfT7KhszvROFjD7N95PBkeb+CMC59KIk5+Z/tsYrS3n
+YzPcy5GwhG5KoktY5zbtr6Rjs9oC8BQ99DUROhFdts96s57ATKU6AqUDk/qESaNT
+Yg8NpNNa8vZQ6N2X9DdIMe4xtOIIeTEtLTGsF5grLhLSQrbCMd+VkxEQ7olvJbh5
+p0a6/7q9PoiMI4ZIgSq56ZXYHhYafkqsl5NRIqx1UQmjO2zraVtvXVzYyUw7LIa6
+HTSu+RNt1wIDAQABo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMB8GA1UdIwQYMBaA
+FMkZc+PgKn3Efi1noFxrRX+L9/CRMB0GA1UdDgQWBBR5GnSju2ofXceYeogOocUo
+FXrjfjAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAFUju2SY9QwG
+HDv/phIqMkil0LWgIlMsJQb1pyISvaroPd4/j6o9ts+FWdbevSehBCyPS1Crf5Iw
+4DzD5VQ5q8u4uJoTw1wbikojBW60V8lw8oQQHocsegX87rNoxPuurcSRJSDkMDD5
+YE8uWhmb67tAhXoaVOS8HmdU3+9oH2kPKxI7qV5RP/YOIrrnMsG1e2sSW+85eaTe
+E1X2HZ2mZFFLSy6dAi/zUdBhe/875kuDvGkYmfRh341u2f6lO/ixmF1EGK3sWg5y
+p/KlSd37D9gM2m/cSVHJYVpSuYrdXKaRhfPIOfnW1S4MSQMvT4FQbiIsnzfJ8vBZ
+tOneSTftmRU=
+-----END CERTIFICATE-----
