Turnpike Cert Management - cloudigrade/cloudigrade GitHub Wiki

What is Turnpike?

See:

Certificate Creation

To use Turnpike with certificate authentication we must first create a cert. Most of this is documented elsewhere, but here are the specific steps we need to follow:

  1. Connect to the Red Hat VPN.
  2. docker pull images.paas.redhat.com/it-iam/rhcs-firefox-workaround:latest
  3. mkdir /tmp/rhcs-request && cd "$_"
  4. Run the image with an interactive shell:
    docker run --net=host --add-host=ca.corp.redhat.com:10.4.203.53 \
    -v /tmp/rhcs-request:/output:Z \
    -it images.paas.redhat.com/it-iam/rhcs-firefox-workaround:latest \
    /bin/bash
  5. cd /files/
  6. ./wrapper_script_msg cloudigrade-turnpike Stage 'Your Name' [email protected] 0001234567
    • The parameters for that command, in this specific order, are:
      • certificate name
      • environment name (Stage or Prod for a Turnpike cert); this will also be the cert's Locality
      • requestor name (your first and last name)
      • requestor email (your personal @redhat.com email or a mailing list address for the team)
        • You must use a valid email address you can check because a link will be sent there.
      • requestor phone number
    • If the output ends with a message like Request Status: pending, skip to step 9.
    • Otherwise, if the output includes an error like SocketException cannot write on socket, continue to step 7.
  7. Go to RHCS Server List and find a valid prod CA server address (like ca01.pki.prod.int.rdu2.redhat.com:8443).
  8. Substitute the host and port you found in the server list into the following and run it:
    HOSTNAME_AND_PORT="ca01.pki.prod.int.rdu2.redhat.com:8443"
    pki -v -U "https://${HOSTNAME_AND_PORT}/ca" cert-request-submit caUserCert-msg-copy.xml
    • If the pki command times out or reports an error, go back to step 7 and try another CA server.
  9. cp *.key /output/
  10. Your new key is now in your host's /tmp/rhcs-request directory.
  11. In a couple of hours, you'll receive an email from [email protected] with information about your new cert.
  12. Click the URL in that email. It should have the same hostname you used in step 8.
  13. Copy the text under "Base 64 encoded certificate" and save it to a local file; that file is your new cert.

App-interface may need to be updated so the x509 subject configured for Turnpike matches the subject of the new cert, but this is unlikely to need changing.
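Before touching app-interface, it is worth checking locally that the key copied out in step 9 and the cert saved in step 13 belong together, that the cert is currently valid, and what its subject actually is. The following Go example is added here and is not cloudigrade's or Turnpike's own code; `CheckClientCert` and `ConstructedPair` are names of my own, and the self-signed cert the latter produces is a constructed stand-in for real RHCS output (same CN/Locality layout as the wrapper_script_msg arguments).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckClientCert loads the cert saved in step 13 and the key copied out in step 9,
// confirms they belong together and that the cert is valid at now, and returns
// the subject string to compare with the x509 subject configured in app-interface.
func CheckClientCert(certPEM, keyPEM []byte, now time.Time) (string, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a key that does not match the cert
	if err != nil {
		return "", fmt.Errorf("cert/key pair rejected: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("cert not valid at %s (NotAfter %s)", now.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return cert.Subject.String(), nil
}

// ConstructedPair stands in for real RHCS output: a self-signed client cert whose
// subject mirrors the wrapper_script_msg arguments (CN=name, Locality=environment).
func ConstructedPair(name, env string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name, Locality: []string{env}},
		NotBefore:    time.Now().Add(-time.Hour), // already valid when generated
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM
}
```

For a real cert, read the two files from /tmp/rhcs-request with os.ReadFile and pass them to CheckClientCert; the returned subject is the value to compare against app-interface.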

Testing Certificates

Try making a request using the cert to: https://mtls.internal.cloud.stage.redhat.com/RHClientCertTestPage

Using HTTPie:

http \
    --proxy=https:http://squid.corp.redhat.com:3128 \
    --cert=cloudigrade-turnpike-stage.crt --cert-key=cloudigrade-turnpike-stage.key \
    https://mtls.internal.cloud.stage.redhat.com/RHClientCertTestPage

Or using curl:

curl -i \
    --proxy http://squid.corp.redhat.com:3128 \
    --cert cloudigrade-turnpike-stage.crt --key cloudigrade-turnpike-stage.key \
    --url https://mtls.internal.cloud.stage.redhat.com/RHClientCertTestPage

The response should be HTML with some very rudimentary diagnostic information.

Search the CoreOS Slack for "RHClientCertTestPage" for more information.

Certificate Revocation

Unfortunately there is no self-serve way to revoke a cert. According to IT:

Only agents can revoke a certificate. So please open a ticket with IT Support in the future when you need to revoke a certificate.