Infrastructure / INFRA-1502

Insert new community update center root CA

      Description

      The current UC root CA will expire in 2021. Since this key certificate is baked into jenkins.war, it needs plenty of time to rotate. I think a two-year window would be sufficient, but since I looked, we might as well start now.

      This would be an opportunity to upgrade the key used to sign it. Currently, the key strength is RSA/2048.

      Beware of the export control restriction in the JVM. I don't know if it's still in place, but if it is, it places a limit on the key length we can use.
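
The two conditions this issue raises (a baked-in root CA nearing expiry, and a 2048-bit RSA key) can be checked mechanically. The script below is an added example, not Jenkins project code; the function names, the assumption that the trust anchors are PEM-encoded X.509 certificates, and the constructed sample certificate are illustrative.

```shell
#!/bin/sh
# Added example: audit a bundled trust-anchor certificate for expiry inside a
# rotation window and for an RSA key below a chosen minimum size.
# Assumes PEM-encoded X.509 input and the openssl CLI on PATH.

# audit_ca CERT_PEM MIN_BITS WINDOW_DAYS
# Prints OK, EXPIRING, WEAK_KEY, EXPIRING+WEAK_KEY or UNREADABLE.
audit_ca() {
    cert=$1 min_bits=$2 window_days=$3
    # Refuse anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo UNREADABLE; return 2; }

    findings=""
    # -checkend exits non-zero if the cert expires within N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend $((window_days * 86400)) >/dev/null; then
        findings="EXPIRING"
    fi

    # Key size from the text dump, e.g. "Public-Key: (2048 bit)" (RSA assumed).
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        findings="${findings:+$findings+}WEAK_KEY"
    fi

    echo "${findings:-OK}"
    [ -z "$findings" ]
}

# make_sample_ca OUT_PEM BITS DAYS: constructed self-signed cert for the demo.
make_sample_ca() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days "$3" \
        -subj "/CN=constructed-sample-root" \
        -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Demo: a 2048-bit anchor valid for one year, checked against a 4096-bit
# minimum and a two-year (730-day) rotation window.
tmp=$(mktemp -d)
make_sample_ca "$tmp/ca.pem" 2048 365
audit_ca "$tmp/ca.pem" 4096 730 || true   # prints EXPIRING+WEAK_KEY
rm -rf "$tmp"
```

The non-zero exit status on any finding lets the check gate a release build, so an anchor entering the rotation window is noticed before it ships.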

            Activity

            kohsuke Kohsuke Kawaguchi added a comment -

            Based on https://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-6.html it appears that the RSA key length restriction of 2048 bits was lifted as of Java 7.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            war/src/main/webapp/WEB-INF/update-center-rootCAs/hudson-community
            war/src/main/webapp/WEB-INF/update-center-rootCAs/hudson-community.txt
            war/src/main/webapp/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca-2
            war/src/main/webapp/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca-2.txt
            http://jenkins-ci.org/commit/jenkins/bcab1f086f8a307f934499c32da346ad88a64adb
            Log:
            INFRA-1502 bake the new UC root CA.

            The current UC root CA will expire in 2021. Since this key certificate
            is baked into jenkins.war, it needs plenty of time to rotate. I think
            a two-year window would be sufficient, but since I looked, we might as
            well start now.

            The new key is also now 4096 bits, upgraded from previous 2048 bits.

            I've also used the opportunity to remove old hudson-community root CA,
            which was used during the transition period from me leaving Sun and the
            birth of Jenkins. It's been long since we stopped using this cert, so no
            need to honor it anymore.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            war/src/main/webapp/WEB-INF/update-center-rootCAs/hudson-community
            war/src/main/webapp/WEB-INF/update-center-rootCAs/hudson-community.txt
            war/src/main/webapp/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca-2
            war/src/main/webapp/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca-2.txt
            http://jenkins-ci.org/commit/jenkins/c86a448efa90139015e931dcbd844bc44105dfbf
            Log:
            Merge pull request #3384 from kohsuke/master

            INFRA-1502 bake the new UC root CA.

            Compare: https://github.com/jenkinsci/jenkins/compare/1bd19d6e3770...c86a448efa90

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            war/src/main/webapp/WEB-INF/update-center-rootCAs/hudson-community
            war/src/main/webapp/WEB-INF/update-center-rootCAs/hudson-community.txt
            war/src/main/webapp/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca-2
            war/src/main/webapp/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca-2.txt
            http://jenkins-ci.org/commit/jenkins/2d3cbeca9b8d2146bb36292798f528e9dd7e5a2f
            Log:
            INFRA-1502 bake the new UC root CA.

            The current UC root CA will expire in 2021. Since this key certificate
            is baked into jenkins.war, it needs plenty of time to rotate. I think
            a two-year window would be sufficient, but since I looked, we might as
            well start now.

            The new key is also now 4096 bits, upgraded from previous 2048 bits.

            I've also used the opportunity to remove old hudson-community root CA,
            which was used during the transition period from me leaving Sun and the
            birth of Jenkins. It's been long since we stopped using this cert, so no
            need to honor it anymore.

            (cherry picked from commit bcab1f086f8a307f934499c32da346ad88a64adb)


              People

              • Assignee:
                kohsuke Kohsuke Kawaguchi
                Reporter:
                kohsuke Kohsuke Kawaguchi