Issuance policies

Issuance policies in Enclave define how certificates are issued within a trust chain. A policy specifies the conditions under which a certificate is issued, the output path for the certificate and its key, the type of entity (node or user) the certificate applies to, and any additional requirements.

Certificate/key output

The certificate output path is the directory where the issued certificate and its private key are written. It is set when the issuance policy is created, and the default depends on the operating system of the node or user.

  • For Linux/MacOS, the default path is /etc/enclave/certs/.
  • For Windows, the default path is C:\ProgramData\Enclave\certificates\.

The output directory is created with mode 0755: the owner can read, write and traverse it, while the group and others can only read and traverse it, so only the owner can add or replace files in it. The certificate file is written with mode 0644 (readable and writable by the owner, read-only for the group and others), which is fine because a certificate contains no secrets. The key file is written with mode 0600, readable and writable only by the owner, so that the private key is not accessible to other users on the system. Anything that copies the key elsewhere (an on-issued.d script, for example) should preserve that restriction.

Certificates are written to the file system in PEM format with the full intermediate chain included: the file contains the issued (leaf) certificate followed by the intermediate signing certificates, so clients presented with it can build the chain to the trust root and validate the certificate.
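As an added check, not part of Enclave's own tooling, the following POSIX shell script audits an issued certificate/key pair against the layout described above: directory 0755, certificate 0644, key 0600, and a PEM file that carries the leaf plus at least one intermediate. The file names passed in (for example node.pem and node.key) are assumptions; the page does not fix the naming scheme.

```shell
#!/bin/sh
# check_issued_cert.sh: audit an Enclave-issued certificate/key pair against the
# permissions and chain layout documented for the output directory.
# Added example, not Enclave's own tooling; the file names you pass in
# (e.g. node.pem / node.key) are assumptions.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null || echo '?'
}

# Number of PEM certificate blocks in a file (prints 0 when none; grep's
# non-zero status on "no match" is deliberately ignored).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# check_issued_cert DIR CERT KEY
# Returns 0 when DIR is 0755, CERT is 0644, KEY is 0600, CERT holds the leaf
# plus at least one intermediate, and KEY is a PEM private key.
# Every failed check is printed so an operator sees all problems at once.
check_issued_cert() {
  dir=$1 cert=$2 key=$3 rc=0
  [ "$(mode_of "$dir")" = 755 ] \
    || { echo "FAIL: $dir is mode $(mode_of "$dir"), expected 755"; rc=1; }
  [ "$(mode_of "$cert")" = 644 ] \
    || { echo "FAIL: $cert is mode $(mode_of "$cert"), expected 644"; rc=1; }
  [ "$(mode_of "$key")" = 600 ] \
    || { echo "FAIL: $key is mode $(mode_of "$key"), expected 600 (key readable by others)"; rc=1; }
  n=$(cert_count "$cert"); n=${n:-0}
  [ "$n" -ge 2 ] \
    || { echo "FAIL: $cert holds $n certificate(s), expected leaf plus intermediate chain"; rc=1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
    || { echo "FAIL: $key is not a PEM private key"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $cert / $key"
  return "$rc"
}

# Usage: check_issued_cert.sh DIR CERT KEY
#   e.g. check_issued_cert.sh /etc/enclave/certs /etc/enclave/certs/node.pem /etc/enclave/certs/node.key
if [ $# -eq 3 ]; then
  check_issued_cert "$1" "$2" "$3"
fi
```

The chain count is the quick test that the intermediates were actually written; a leaf-only file will make clients that do not already hold the intermediate fail validation. Pair it with `openssl verify -CAfile <trust-root> -untrusted <issued.pem> <issued.pem>` when you also want the signatures checked.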

on-issued.d scripts

Hosts can run scripts after a certificate is issued to them. Place the scripts in /etc/enclave/on-issued.d/ on Linux/macOS or C:\ProgramData\Enclave\on-issued.d\ on Windows; they are executed after the certificate has been written, so they can perform any follow-up configuration or actions. The directory is created with mode 0755 (owner read, write and traverse; group and others read and traverse only), so only its owner can add scripts to it. The scripts themselves must be executable.

Here is an example of a script that could be placed in the on-issued.d directory to restart a service after a certificate is issued:

```bash
#!/bin/bash
# Restart the service that consumes the certificate so it picks up the new file.
systemctl restart my-service
```
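A more complete hook, added here as an illustration and not an Enclave-provided script, copies the issued files into the directory a web server reads from, tightens ownership for that server's service account, and reloads the server only when the certificate or key actually changed. The issued file names (node.pem and node.key), the destination directory, the group and the systemd unit name are all assumptions; adjust them to the policy and service in use.

```shell
#!/bin/sh
# /etc/enclave/on-issued.d/10-install-web-cert.sh (name is an assumption)
# Copies a freshly issued certificate and key into a web server's TLS directory
# with permissions fit for that server's service account, then reloads the
# server only if something actually changed. Added example, not an Enclave
# script; the issued file names (node.pem / node.key), the destination
# directory, the group and the service name are all assumptions.
set -eu

SRC_DIR=${ENCLAVE_CERT_DIR:-/etc/enclave/certs}  # where the issuance policy writes
DEST_DIR=${WEB_CERT_DIR:-/etc/nginx/tls}         # where the server reads (assumed)
CERT_GROUP=${WEB_CERT_GROUP:-nginx}              # service account's group (assumed)
SERVICE=${WEB_SERVICE:-nginx}                    # systemd unit to reload (assumed)
NAME=${ENCLAVE_CERT_NAME:-node}                  # base name of the issued files (assumed)

# cert_changed SRC DEST: true when DEST is missing or its content differs from SRC.
cert_changed() {
  ! cmp -s "$1" "$2"
}

# install_cert SRC_DIR DEST_DIR GROUP NAME
# Writes NAME.pem (0644, a certificate is public) and NAME.key (0640, readable
# by the service group only) into DEST_DIR. Each file is staged under a
# temporary name and renamed into place so the server never opens a
# half-written file. Enclave's own copy of the key stays 0600 and untouched.
install_cert() {
  src=$1 dest=$2 group=$3 name=$4
  [ -s "$src/$name.pem" ] && [ -s "$src/$name.key" ] || {
    echo "on-issued: $src/$name.pem or $src/$name.key is missing or empty" >&2
    return 1
  }
  install -d -m 0750 -g "$group" "$dest"
  install -m 0644 -g "$group" "$src/$name.pem" "$dest/$name.pem.tmp"
  install -m 0640 -g "$group" "$src/$name.key" "$dest/$name.key.tmp"
  mv -f "$dest/$name.pem.tmp" "$dest/$name.pem"
  mv -f "$dest/$name.key.tmp" "$dest/$name.key"
}

# reload_service UNIT: have the server re-read its certificate without a full restart.
reload_service() {
  if command -v systemctl >/dev/null 2>&1; then
    systemctl reload "$1"
  else
    echo "on-issued: systemctl not found, $1 was not reloaded" >&2
    return 1
  fi
}

# Hook entry point. Does nothing when the Enclave output directory is absent.
if [ -d "$SRC_DIR" ]; then
  if cert_changed "$SRC_DIR/$NAME.pem" "$DEST_DIR/$NAME.pem" \
     || cert_changed "$SRC_DIR/$NAME.key" "$DEST_DIR/$NAME.key"; then
    install_cert "$SRC_DIR" "$DEST_DIR" "$CERT_GROUP" "$NAME"
    reload_service "$SERVICE"
  else
    echo "on-issued: $NAME certificate unchanged, no reload needed"
  fi
fi
```

Two design points: the key is deliberately relaxed from 0600 to 0640 for the service group and nothing wider, and the reload is skipped when nothing changed, so a forced renewal that reissues identical fields does not bounce the service. Because the hook runs with the agent's privileges, keep it short and avoid reading anything from locations other users can write.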

Forcing renewal from the EMC

You can force an agent to renew its certificates from the Enclave Management Console (EMC): open the node or user view, go to the Certificates > View tab, and click the Renew certificate(s) button. The agent then requests a new certificate from the certificate manager, which issues it according to the current issuance policies. This is useful when you need an updated certificate immediately (for example, because certificate fields have changed) or want to exercise on-issued.d scripts without waiting for the certificate to renew in its roll window.