Closed Bug 1304801 Opened 8 years ago Closed 8 years ago

Migrate phonebook dev/stage/prod to a single SAN cert to permit HPKP testing

Categories

(Infrastructure & Operations :: SSL Certificates, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: Atoll)

References

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3454])

As part of enabling HPKP for Phonebook, let's migrate it away from the allizom/generic SAN certs to a single Phonebook SAN that covers dev, stage, and prod. This way we can test the *exact* HPKP header we would use in production on our dev/stage instances, on the principle of least-surprise during our eventual deploy to production.

No HPKP is in place currently, so the live certs can be switched over without complications.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3454]
Blocks: 1304806
dev/stage have been switched over to a phonebook SAN cert. prod has not.
See Also: → 1304806
Blocks: 1304799
HPKP pin for the intermediate used by DigiCert for our certificates:

DigiCert SHA2 Secure Server CA: pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
CHG0010828, applied to prod.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Assignee: server-ops-webops → rsoderberg
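
An added example, not part of the original bug or of Mozilla's tooling: a check that one `Public-Key-Pins` header value is acceptable under RFC 7469 (max-age present, one pin matching the served chain, one backup pin outside it) on every environment that shares the SAN cert. The leaf pin, backup pin, max-age value and all function names are constructed assumptions; only the intermediate pin comes from this bug.

```python
import base64
import hashlib

# From the bug: pin for the DigiCert SHA2 Secure Server CA intermediate.
INTERMEDIATE_PIN = "5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="

def constructed_pin(label):
    """Constructed stand-in pin: SHA-256 of a label, not of a real SPKI."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()

def parse_pkp(header):
    """Return (max_age, pins) parsed from a Public-Key-Pins header value."""
    max_age, pins = None, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(value, validate=True)) != 32:
                raise ValueError("not a SHA-256 digest: " + value)
            pins.add(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return max_age, pins

def header_problems(header, chain_pins):
    """Reasons (per RFC 7469) a browser would ignore the header on this chain."""
    max_age, pins = parse_pkp(header)
    problems = []
    if max_age is None:
        problems.append("missing max-age")
    if not pins & chain_pins:
        problems.append("no pin matches the served chain")
    if not pins - chain_pins:
        problems.append("no backup pin outside the served chain")
    return problems

def check_environments(header, env_chains):
    """Map each environment name to the problems found for its chain."""
    return {env: header_problems(header, chain) for env, chain in env_chains.items()}

# Constructed sample data: one SAN cert chain shared by all three environments.
SAN_CHAIN = {constructed_pin("phonebook SAN leaf key"), INTERMEDIATE_PIN}
BACKUP_PIN = constructed_pin("offline backup key")
HEADER = ('max-age=5184000; pin-sha256="%s"; pin-sha256="%s"'
          % (INTERMEDIATE_PIN, BACKUP_PIN))
ENVS = {"dev": SAN_CHAIN, "stage": SAN_CHAIN, "prod": SAN_CHAIN}

if __name__ == "__main__":
    print(check_environments(HEADER, ENVS))
```

An empty list for every environment means the same header value can be carried from dev and stage to prod unchanged.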