Merged
131 changes: 131 additions & 0 deletions pki/README.md
@@ -0,0 +1,131 @@
# ANS PKI Trust Material

This directory contains the public CA certificates for the
Agent Name Service (ANS). SDK consumers and service operators
use these bundles to verify TLS connections and certificate
chains when interacting with ANS endpoints.

## Directory Structure

```text
pki/
├── README.md
├── ote/
│ └── ca-bundle.pem
└── prod/
└── ca-bundle.pem
```

## Certificate Hierarchy

ANS uses a two-level CA hierarchy. Each environment has a
single root CA and per-region sub-CAs that issue leaf
certificates directly.

```text
Root CA (self-signed, per-environment)
CN = gd-domain-parking
O = GoDaddy, OU = Engineering, C = US
├── Sub-CA (us-east-1)
├── Sub-CA (us-west-2)
└── Sub-CA (ap-south-1) ← prod only
```

## Environments

- **`prod/`** — Production CA chain. Includes the root CA
and per-region sub-CAs.
- **`ote/`** — OTE (test) CA chain. Includes per-region
sub-CAs only. Separate CA hierarchy from prod.

Inspect individual certificates for details (subject,
validity, extensions, etc.) using the commands in the
[Verifying Certificates](#verifying-certificates) section.

## Bundle Format

Each `ca-bundle.pem` contains all CA certificates for its
environment as concatenated PEM blocks. Region comments
(e.g. `# us-east-1`) are included between certificates for
human readability. Certificates are ordered by region; the
root CA (when present) appears first.

## Verifying Certificates

Inspect certificates in a bundle:

```bash
# Fingerprint a single cert
openssl x509 -in cert.pem -noout -fingerprint -sha256

# Split a bundle and fingerprint each cert
csplit -z ca-bundle.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
for f in xx*; do
openssl x509 -in "$f" -noout -subject -fingerprint -sha256
done
rm xx*
```

## Usage

### Go

```go
pool := x509.NewCertPool()
bundle, _ := os.ReadFile("pki/prod/ca-bundle.pem")
pool.AppendCertsFromPEM(bundle)

tlsConfig := &tls.Config{RootCAs: pool}
```

### Rust

```rust
let bundle = std::fs::read("pki/prod/ca-bundle.pem")?;
let certs = rustls_pemfile::certs(&mut &bundle[..])
.collect::<Result<Vec<_>, _>>()?;

let mut root_store = RootCertStore::empty();
for cert in certs {
root_store.add(cert)?;
}
```

### OpenSSL CLI

```bash
# Verify a leaf certificate against the bundle
openssl verify -CAfile pki/prod/ca-bundle.pem leaf.pem

# Inspect a certificate in the bundle
openssl x509 -in pki/prod/ca-bundle.pem -noout -text
```

## Rotation Policy

- Root CAs have a **10-year** validity window (prod) to
minimize rotation overhead.
- Sub-CAs have **5-year** (prod) or **2-year** (OTE)
validity windows.
- New certificates will be committed to this repo **before
expiry** of the outgoing cert, with both old and new
present in the bundle during the transition period.
- Retired certificates will be moved to a `retired/`
subdirectory with a commit message noting the reason
and date.
- Git history is the version record. Do not create versioned
subdirectories.

## Important Notes

- **Do not pin individual certificate serial numbers.**
Regional sub-CAs may be reissued independently. Pin the
root CA fingerprint or load the full bundle.
- **OTE and prod are separate trust domains.** Never load
`ote/` bundles in production configurations. The
environments use completely independent CA hierarchies.
- **Verify bundle integrity after download.** Use the
fingerprint commands in the
[Verifying Certificates](#verifying-certificates) section
to confirm certificates match expected values.
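Review bot: the "Inspect a certificate in the bundle" command under "OpenSSL CLI", `openssl x509 -in pki/prod/ca-bundle.pem -noout -text`, prints only the first PEM block in the file, so a reader following it sees the root and never the sub-CAs; either point that line at the csplit loop in "Verifying Certificates" or run it on one of the split `xx*` files. Two further points in the same hunk: the Go snippet discards both the `os.ReadFile` error and the boolean returned by `pool.AppendCertsFromPEM`, so a missing or malformed bundle silently produces an empty pool that rejects every ANS endpoint; check the error and add `if !pool.AppendCertsFromPEM(bundle) { log.Fatal("no CA certificates parsed from bundle") }`. And "Important Notes" tells consumers to pin the root CA fingerprint, but "Environments" says the `ote/` bundle contains sub-CAs only, so there is no root to pin there; state what OTE consumers should pin instead, or load the full bundle for OTE.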
46 changes: 46 additions & 0 deletions pki/ote/ca-bundle.pem
@@ -0,0 +1,46 @@
# us-east-1
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# us-west-2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
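Review bot: this bundle carries the two regional sub-CAs and no self-signed root, which matches the README's description of OTE, but it means the README's `openssl verify -CAfile pki/ote/ca-bundle.pem leaf.pem` recipe will fail for OTE leaves with an incomplete-chain error: by default OpenSSL only accepts a chain that terminates at a self-signed certificate in the trust file, and a sub-CA-only file needs `-partial_chain` to be usable as a trust anchor set. Either document `openssl verify -partial_chain -CAfile pki/ote/ca-bundle.pem leaf.pem` for OTE, or include the OTE root in this bundle so the same command works in both environments.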
68 changes: 68 additions & 0 deletions pki/prod/ca-bundle.pem
@@ -0,0 +1,68 @@
# ap-south-1
-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIRAMGqojYhC9BsrBd/XDXfeMkwDQYJKoZIhvcNAQELBQAw
UTELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0dvRGFkZHkxFDASBgNVBAsMC0VuZ2lu
ZWVyaW5nMRowGAYDVQQDDBFnZC1kb21haW4tcGFya2luZzAeFw0yNTEwMTUxNzU0
MjlaFw0zNTEwMTUxODU0MjlaMFExCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdHb0Rh
ZGR5MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEaMBgGA1UEAwwRZ2QtZG9tYWluLXBh
cmtpbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRBNu8fAf2luhs
xCvviklDt2Nx/Mmr2TrtnCV50B9X+e1vR3W6DMab7+TzoBldpBypmr8BG4mH2L5F
a4bcmpwkuRXdP0N7CoYMJpVQyNM9DBvABbUgkF4y1QEROID2w39djajxgzyfRCTC
Mm88dSL+NlvfCHxsN/pXkJnnErrVWovxpHVWdQglYQ/NBKfhRWBaC0PBR8yd4zkQ
DY6UA10a2vb8InBSI73AafgLCt/iCRCpI7sbOgERBTgU6RDnAauZpjnnoSplzKnz
7JtdD0z8AMZi6RTKsIaRBs293zPlWCnf0eCzAufURtFP2YcEuMlEjnoi1zIsyArh
vb55f2NNAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMkZc+Pg
Kn3Efi1noFxrRX+L9/CRMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOC
AQEAKMVSsBsuQHX1Y0a8vX8uuQzZ5Fjx4OMq6YBvTaxLiro24lGntbyZvs88Kiar
ZINQ/ZltU1an6dJbCd7/2rNV2bUR5CBOzNixQyLmCKcWBzQRoV5AVEfovr4wAUiG
SORzbe9lx9PFM9WllXTiHG0AFHCP+FgOAPUGGtNlFbORa60HWQVXt4pCUNrnWFpF
pHuCk5DZY0V7YWB4yR8uuKtxwJj+lk29BvavBy0f9hQWa7+Ssg1J9KCk4Dtsm2w8
jf1/HsQpXKDV2M4Ab+SK5eZSnEWXOsqzzmEuKXYJasVA9HTW7IsRXTwpiay2o01Z
dLqYgYorJPvg4VtVmlcambgOhw==
-----END CERTIFICATE-----
# us-east-1
-----BEGIN CERTIFICATE-----
MIIDlDCCAnygAwIBAgIRAPbJUP3ge3RALcAa5k4gr3gwDQYJKoZIhvcNAQELBQAw
UTELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB0dvRGFkZHkxFDASBgNVBAsMC0VuZ2lu
ZWVyaW5nMRowGAYDVQQDDBFnZC1kb21haW4tcGFya2luZzAeFw0yNTEwMTUyMTU1
MzdaFw0zMDEwMTUyMjU1MzZaMFIxCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdHb0Rh
ZGR5MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEbMBkGA1UEAwwSQWdlbnQgTmFtZSBT
ZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwyEkbV7s0Zvn
UviixuNhIPtb7vKgOUknHDnnzhF4OxH7nfX3FL2PRAMniA0+dhZMramv3vVUAJ/Q
a8YB/cujBlrOk+qnXpPN2batf7Ta/MQv2m0sADyuJuH/LUJp1OMyUu8fixtJdsgp
SGkzJBZQhNQ4aL7+dx3k7WZUd2xSLgJmclJJzfylxqfEqeG7iJyUU5MinIxqK07f
sh7gBfa3ovzEztH4ywMtAKuzimXFNSqpDY/MBz8NoTF8jTbfwzJtYx9Vbu38lBca
E0EUxktpYo3cQ5x0IZ3cm6JQhxcYUmoNOf6ygu57L53nRyoy81W28mZL4jX+UkL+
KhEa+aByOQIDAQABo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMB8GA1UdIwQYMBaA
FMkZc+PgKn3Efi1noFxrRX+L9/CRMB0GA1UdDgQWBBTfmY0o/EdYa8NIFosw7ND9
H/wshzAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBACc1HokhSI0E
XPmK8+TPOHqISOhDlVQ/bKgHS6HCrFkkR5knJ/VVLfV9bEgYM/fRT9cJQIvOS0MS
KYIcK4zzlQRsHsp51MQNOCWruE9fi5IPFDal9OlE+ql9MwO0Qx6d+Trh+Tz3CUN7
xFKbb7uXIOLEPyA8TuIlcfQwsgPXwL82PJ6G5Sn2H8E1Qoz+qGGc3oEKC9qVDMxl
fFYSiZs8AlHVZc9ksdpCc8Bh6vHQb3lhmi6A7wQyIDU+4lT6GVnGBlwyzHli6gRr
1EuDiedc7Us+FZ3GnBt8fwbWrm4vS1gMZxDh1vQYkVdnzd9qhe/drtv3oa0BgMse
6kRq3rWFyX0=
-----END CERTIFICATE-----
# us-west-2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
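Review bot: the first certificate, placed under the `# ap-south-1` comment, is the self-signed root rather than a regional sub-CA: decoding its DER shows subject and issuer both `C=US, O=GoDaddy, OU=Engineering, CN=gd-domain-parking`, validity 2025-10-15 to 2035-10-15 (the README's 10-year root window), critical `basicConstraints CA:TRUE` with no path-length limit, and a Subject Key Identifier that is exactly the Authority Key Identifier of the `# us-east-1` block (subject `CN=Agent Name Service`, 2025-10-15 to 2030-10-15, `pathlen:0`). The file holds three PEM blocks, so either the ap-south-1 sub-CA is missing or the comment is wrong; the README's "Bundle Format" section says the root appears first and its hierarchy diagram lists three prod regions plus a root. Suggest relabelling the first block (for example `# root`), and either adding the ap-south-1 sub-CA or removing that region from the README diagram, since consumers reading the region comments will otherwise mistake the root for a regional issuer.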