Closed Bug 1894370 Opened 1 year ago Closed 1 year ago

Deploy new production intermediate certs, using corrected add-ons intermediate

Categories

(Cloud Services :: Operations: Autograph, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1894982

People

(Reporter: hwine, Unassigned)

Details

Deploy the 202404 intermediate certs to prod, using new signer ids with suffix 202404

Summary: Deploy new production intermediate certs, using prior not-before dates → Deploy new production intermediate certs, using corrected add-ons intermediate

We made a train-38 branch in hiera for the changes discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1894118

$ git log master..train-38
commit 3297c1046b660bfbea39e0ab05d096b9826a0423 (HEAD -> train-38, origin/train-38)
Author: Jeff Hodges <jeff@somethingsimilar.com>
Date: Fri May 3 10:44:00 2024 -0700

Bug 1894118 - CA-Succession: new AMO intermediate

The AMO intermediate certificate was previously
made with the wrong Subject (the CN and
emailAddress config were incorrect) and had the
wrong private key (it used the AWS CloudHSM stored
201901amointerrsa key instead of the private key
embedded in the relevant xpi signing
configurations in the production autograph config).

This patch updates the correctly signed AMO
intermediate in the `202402` XPI signer
configurations and changes their keyid (signer id)
to `202404`. This is a safe change because no
clients are using the 202402 keyids.

Along the way, we found a few authorizations that
likely should have had the 202402 XPI signer ids
in them.

releng_firefox_release_at_mozilla_rel_pgp_2023
referenced `systemaddon_rsa_rel` twice and the
second one was likely to be
`systemaddon_rsa_rel_202402`. We update the second
entry to `systemaddon_rsa_rel_202404`

And these authorizations were likely supposed to
have the 202404 signers:

releng_systemaddon_2023_01
releng_langpack_rel_2023_01
releng_systemaddon_rel_2023_01
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1894982
Resolution: --- → DUPLICATE
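
A lint for the kind of authorization mistakes the commit message above describes (a signer id listed twice, an authorization that lacks the rotated `202404` signer, a reference to a renamed id), as an added example that is not part of this bug or of autograph. The configuration layout, the `lint_authorizations` helper and the `langpack_rsa_rel` ids are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample, NOT the real production configuration. The layout
# (signers with an "id", authorizations listing signer ids) is an assumption.
SAMPLE_CONFIG = {
    "signers": [
        {"id": "systemaddon_rsa_rel"},
        {"id": "systemaddon_rsa_rel_202404"},
        {"id": "langpack_rsa_rel"},          # hypothetical id
        {"id": "langpack_rsa_rel_202404"},   # hypothetical id
    ],
    "authorizations": [
        {"id": "releng_firefox_release_at_mozilla_rel_pgp_2023",
         "signers": ["systemaddon_rsa_rel", "systemaddon_rsa_rel"]},
        {"id": "releng_langpack_rel_2023_01",
         "signers": ["langpack_rsa_rel"]},
        {"id": "releng_systemaddon_rel_2023_01",
         "signers": ["systemaddon_rsa_rel", "systemaddon_rsa_rel_202402"]},
    ],
}


def lint_authorizations(config, suffix):
    """Return sorted (authorization id, problem, signer id) findings."""
    known = {s["id"] for s in config["signers"]}
    findings = []
    for auth in config["authorizations"]:
        refs = auth["signers"]
        # The same signer listed twice usually means a copy-paste slip.
        for sid, count in Counter(refs).items():
            if count > 1:
                findings.append((auth["id"], "duplicate", sid))
        for sid in set(refs):
            # Reference to a signer id that no longer exists (e.g. renamed).
            if sid not in known:
                findings.append((auth["id"], "unknown", sid))
            # A rotated sibling exists but this authorization cannot use it.
            rotated = f"{sid}_{suffix}"
            if rotated in known and rotated not in refs:
                findings.append((auth["id"], "missing-rotated", rotated))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_authorizations(SAMPLE_CONFIG, "202404"):
        print(*finding, sep="\t")
```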