regenerate minica certs

[jvanasco]

This PR replaces the Pebble Certs, and addresses #493.

The current minica version supports AKID, however the root cert had to be regenerated to support the extension on the leaf cert.

Additionally, I generated these using a fork of minica (now PR jsha/minica#77), which removes the ClientAuth EKU in preparation for the Chrome root program change that is driving ISRG and others CAs to drop EKU.

--

Note 1 - The key type changes from RSA to EC.

Note 2- The openssl output:

OLD root

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7802445432800151260 (0x6c47dac8316c06dc)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = minica root ca 24e2db
        Validity
            Not Before: Dec  6 19:42:10 2017 GMT
            Not After : Dec  6 19:42:10 2107 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9b:14:c5:b7:0d:75:dd:12:bb:d0:7f:69:42:67:
                    4a:b3:d0:31:84:59:a7:43:a0:5d:0e:da:77:8c:e6:
                    65:5a:55:0e:d0:19:6d:31:73:94:30:be:7d:d3:97:
                    ad:82:d0:9b:70:2e:91:74:a4:6d:81:20:22:0d:f8:
                    31:dd:55:a2:14:c2:47:fb:ee:20:52:d9:da:07:d4:
                    8d:f0:68:4d:48:f0:69:15:f4:9a:d8:98:56:3e:8f:
                    47:40:d5:2c:01:9a:a5:19:35:78:4b:37:06:46:ab:
                    56:bd:d6:71:52:23:9f:43:64:dc:bf:25:c8:aa:c6:
                    83:d7:d8:af:be:a2:35:36:14:fa:6e:5d:ed:ad:e7:
                    53:66:5c:cb:2c:ce:96:be:4c:3a:85:fc:87:ac:90:
                    0f:40:ff:0b:3a:50:88:78:33:38:60:87:1e:e8:6b:
                    2d:bf:aa:a8:f6:20:83:e3:02:62:63:8b:bd:e4:75:
                    4b:ed:12:bc:b7:c2:69:64:06:fb:55:1f:9d:3e:16:
                    c7:12:f5:69:8f:0b:98:77:94:34:e4:e6:76:f3:48:
                    05:ca:b8:5b:ac:a2:db:aa:cb:75:d3:81:8e:41:3e:
                    24:40:c2:46:5b:11:8e:37:24:d7:ea:7a:74:0f:1e:
                    8e:e6:35:3b:76:f6:2f:8d:55:5a:c1:b2:70:1a:e6:
                    8b:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:pebble, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        60:89:17:7d:ff:07:db:c2:92:d0:ac:8b:1e:d6:db:48:e1:94:
        e2:cb:a3:1c:75:70:89:55:d2:01:30:02:b0:d0:04:0f:44:1a:
        f2:17:6d:4d:0e:80:52:a0:3a:fe:7f:3f:bb:5b:64:d0:ee:2b:
        3c:4f:dc:4e:9b:0c:dc:82:45:5f:d4:b7:ad:93:11:b2:0b:81:
        3f:b0:52:af:52:ea:fd:70:01:ec:93:ff:08:d1:ed:f9:9f:5a:
        28:22:9c:83:5d:70:21:7f:7f:07:d1:7b:a7:22:8c:dd:37:4a:
        80:ea:6a:5c:65:7a:4c:cb:8b:8e:0e:4f:95:85:88:ff:4e:e5:
        54:61:56:fe:64:89:0d:1b:3c:6d:20:85:99:b4:6d:12:a7:38:
        96:9c:25:ae:9c:fe:91:34:e7:5f:a1:bb:24:32:df:2d:66:30:
        ff:15:d5:ab:01:5f:75:e9:e0:70:34:c7:09:cf:0a:c2:d8:06:
        ab:f1:ae:ea:f7:28:07:12:0e:de:36:9c:6b:e3:88:90:c7:f1:
        c5:79:86:ad:c3:5d:b1:eb:94:09:ad:d1:31:9f:10:cb:4d:c3:
        a8:6b:ba:63:a5:d0:c8:ae:01:5b:cc:c8:1b:a1:fd:49:52:a4:
        03:39:cc:db:27:d8:85:6f:2f:da:4b:5c:69:9f:79:fc:e0:47:
        63:de:d9:23

New Root

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4133386978128403956 (0x395cbd8e96919df4)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = minica root ca 258c56
        Validity
            Not Before: Jun 19 22:34:45 2025 GMT
            Not After : Jul 19 22:34:45 2027 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:cd:5c:ec:ff:b4:6c:9e:88:fe:97:e7:c3:87:02:
                    97:f7:95:e8:88:47:38:10:19:ab:92:c8:1b:dd:20:
                    4a:3f:03:08:5d:73:b6:65:80:db:76:c9:66:c5:37:
                    10:54:0d:3a:45:80:a6:3c:29:7b:28:ba:40:09:05:
                    19:cd:1e:c7:cd:4a:97:21:ee:df:7e:15:63:9e:dd:
                    b7:ee:7b:10:63:7e:7d:17:4b:c5:f2:66:f5:8a:c0:
                    54:7e:31:ce:d6:e1:f7
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                FF:99:31:3F:5C:00:5D:ED:84:2A:2E:C1:D4:EF:B6:18:F1:7F:6A:DB
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:pebble, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:35:8d:ca:17:31:81:be:2e:01:56:d2:94:4d:a8:
        2b:e2:ca:cb:8e:a6:f4:14:40:b5:a5:c1:55:d0:97:7d:5b:e8:
        73:18:33:8a:25:82:fc:e7:39:60:e1:fa:e9:7c:38:92:02:30:
        67:da:20:43:66:a0:fb:77:e8:a3:3d:42:74:9d:50:3c:f1:d9:
        b9:69:d5:5f:5a:16:b1:2f:89:9d:17:df:ed:7c:50:4e:7c:ea:
        49:bd:f8:3a:6e:16:ec:08:e5:ac:45:76

OLD leaf

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2657928050610294462 (0x24e2db7acf2c4ebe)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = minica root ca 24e2db
        Validity
            Not Before: Dec  6 19:42:10 2017 GMT
            Not After : Dec  6 19:42:10 2117 GMT
        Subject: CN = minica root ca 24e2db
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:5a:06:4d:a1:52:5a:9d:d8:f8:de:49:0b:c9:
                    4e:74:bf:30:99:6a:5a:33:bd:d4:68:dc:e1:62:2a:
                    80:ed:9a:a2:8f:35:64:4d:3b:68:42:f4:05:0d:c5:
                    30:c9:72:8e:75:61:ce:36:bb:f5:95:dd:f3:db:6e:
                    14:b3:9d:38:8e:39:5b:67:02:39:ba:8a:ae:08:e6:
                    76:58:96:d1:86:65:eb:46:0c:e4:16:af:bf:32:da:
                    05:98:f9:21:b4:ef:c3:2e:38:ed:a1:c8:32:22:2a:
                    d5:5c:df:18:97:60:0f:bc:1e:5b:ae:f4:5f:0a:6e:
                    a4:92:d6:1e:79:cb:16:7d:6f:ce:de:29:1f:81:d3:
                    3b:b6:6a:1c:c1:08:81:ca:98:a5:a0:73:a3:75:de:
                    5e:da:0f:1c:58:dc:3e:ae:ab:c8:2d:25:15:34:b6:
                    8b:a6:c8:b6:dd:cc:67:2e:a5:5b:e3:6e:30:cf:d7:
                    59:e5:d3:b4:44:48:35:81:2c:6d:7f:83:79:2d:26:
                    fa:88:6b:80:56:81:4d:87:32:1e:2b:34:3e:b2:f0:
                    e0:f7:1f:2d:c7:f0:c6:3a:08:49:4b:f8:c3:82:6c:
                    52:63:5a:a8:6d:3b:17:85:c9:96:55:f6:ad:e4:62:
                    79:3d:08:0b:90:24:a3:04:1a:e3:78:19:4e:ad:ce:
                    15:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        17:ce:6f:77:8d:07:2b:5a:2e:0c:0b:56:78:ed:4f:6e:75:9f:
        18:49:82:e5:76:b8:ef:cb:3d:75:d3:9d:f4:29:6f:a7:63:1c:
        63:33:65:00:57:cc:ee:47:5c:8f:ac:5e:88:d8:45:58:f2:1f:
        68:60:22:fd:07:54:45:22:ff:e8:2d:4a:b1:50:ea:94:50:65:
        4e:cf:73:61:f8:76:83:45:17:1a:f2:6d:8f:59:9a:7a:28:7b:
        cf:11:4b:bd:eb:7e:7e:a9:65:c6:c7:8c:e0:ff:44:54:96:90:
        c7:0b:8a:fc:5e:fc:60:1b:74:b4:23:5f:8a:f0:ba:24:d6:4c:
        83:12:85:e7:d8:74:14:1a:47:ef:4c:ad:51:21:d7:77:3e:c5:
        2b:08:b1:31:f9:f7:a8:46:fd:05:74:a4:d1:0d:e9:ac:d5:79:
        b0:e5:77:be:08:c4:b4:1e:13:1d:f0:f1:4b:3f:73:df:e0:de:
        a5:59:d6:de:f6:db:ab:01:1b:91:77:64:de:3f:36:da:6b:95:
        95:d8:0e:52:04:f0:2b:c7:93:f9:77:68:7d:57:67:b7:35:3f:
        93:3c:a0:48:0b:40:43:02:c9:7e:7e:75:7d:2d:46:bc:47:18:
        18:17:35:6c:3a:f2:22:a9:85:a7:d0:48:ee:05:4a:b5:64:99:
        61:e8:22:70

NEW leaf

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2705632647146360711 (0x258c568eb9dbcf87)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = minica root ca 258c56
        Validity
            Not Before: Jun 19 22:34:45 2025 GMT
            Not After : Jun 19 22:34:45 2125 GMT
        Subject: CN = minica root ca 258c56
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:af:ad:47:c9:6a:b5:d2:e8:56:9c:bd:2c:76:99:
                    8b:bf:5c:43:87:b2:c8:a2:5e:b7:c9:b3:a3:dd:a8:
                    93:1d:ef:dd:8f:d5:74:b6:d8:72:dd:4c:38:35:4e:
                    98:fc:19:57:93:c8:fb:44:ae:08:ac:98:1f:3f:7a:
                    5e:0b:4f:5e:72:06:ca:d6:33:b5:f6:98:cd:d4:ba:
                    4c:b7:de:8c:6f:6b:14:b7:8d:d4:c3:6c:38:77:c7:
                    42:db:1d:1f:a5:58:63
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                FF:99:31:3F:5C:00:5D:ED:84:2A:2E:C1:D4:EF:B6:18:F1:7F:6A:DB
            X509v3 Authority Key Identifier: 
                FF:99:31:3F:5C:00:5D:ED:84:2A:2E:C1:D4:EF:B6:18:F1:7F:6A:DB
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:66:02:31:00:bc:aa:f3:0c:d1:54:7d:b4:99:e6:78:65:0e:
        f3:35:09:ed:54:61:70:3a:1a:09:8d:bc:40:7e:bb:de:37:25:
        e5:29:c9:fa:76:48:54:fe:77:e7:ce:29:2b:10:47:cd:a5:02:
        31:00:aa:2e:c3:3f:97:7e:2d:e2:bd:dd:3a:46:da:ec:55:2b:
        84:7c:f6:4a:f0:39:1d:2c:21:b2:1f:dc:93:ca:a0:3d:10:aa:
        e3:de:2e:31:d3:65:a1:d5:7b:ad:d4:d0:b8:cb

[aarongable]

I'd prefer not to accept this PR. By virtue of filing this PR, we now have to block the keys you've generated as compromised. Pebble should not have such keys checked in at all; the tests should instead dynamically generate these keys and certs.

[jvanasco]

By virtue of filing this PR, we now have to block the keys you've generated as compromised

Yes. I understand that and recognized it in #493 two months ago. Myself and multiple projects have had failing tests and moved to implementing workarounds for this for several months, as the default pebble installation and instructions are broken against Python. I get spammed by GitHub on a regular basis for having been the first person to detect the certs are no longer compatible with python3.13 or urllib3 > 2.3.0.

Your preferred solution would require not just changing pebble's tests, but also major changes to the documentation and new tooling to generate certificates on installation. I do not see that happening.

I too would have preferred the ideal solution, but nobody has offered time or interest to implement that larger effort in the past 2 months.

Edit: Before filing this, I did try to bridge support into minica to recycle the existing keys but I did not have enough time to improve my go knowledge; I also tried to handcraft a cert identical to the minica output using the existing keys with openssl and python, but ran into issues with AKIDs. The comment from ISRG staff 2 months ago when first raising this did not indicate the project should be redesigned instead (which would require work on both this project and any test pipelines leveraging it).

I was fully aware of the onus this puts on the ISRG team and explored multiple alternatives before filing.