
Validate root CA certificates on startup #7867

Draft

vlasebian wants to merge 3 commits into v3.36 from feat/check-root-ca-config-on-start

Conversation

@vlasebian (Contributor) commented Mar 26, 2026

Summary

Validate that certificates configured as root CAs are actually CA certificates at startup, preventing misconfiguration where a server leaf certificate is accidentally set as a root CA.

Changes

  • Add parseAndValidateCACerts function that validates PEM-encoded root CA certificates have the IsCA flag set.
  • Reject non-CA (leaf) certificates, invalid PEM data, and non-CERTIFICATE PEM blocks with clear error messages.
  • Use project error definitions (errors.DefineInvalidArgument) for consistent error handling.
  • Handle trailing whitespace in PEM files gracefully.

Testing

Steps

Run the unit tests:

go test ./pkg/config/tlsconfig/... -v -run TestApplyTLSClientConfig

Results

Unit tests pass.

Regressions
  • Client.ApplyTo now validates certificates before adding them to the root CA pool. Previously, any PEM certificate (including leaf certs) was silently accepted. Existing valid configurations are unaffected.

Notes for Reviewers

...

Checklist

  • Scope: The referenced issue is addressed, there are no unrelated changes.
  • Compatibility: The changes are backwards compatible with existing API, storage, configuration and CLI, according to the compatibility commitments in README.md for the chosen target branch.
  • Documentation: Relevant documentation is added or updated.
  • Testing: The steps/process to test this feature are clearly explained including testing for regressions.
  • Infrastructure: If infrastructural changes (e.g., new RPC, configuration) are needed, a separate issue is created in the infrastructural repositories.
  • Changelog: Significant features, behavior changes, deprecations and fixes are added to CHANGELOG.md.
  • Commits: Commit messages follow guidelines in CONTRIBUTING.md, there are no fixup commits left.

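The check the PR describes, written out as an added stand-alone example (this is not the project's code and not from the PR itself). It keeps the name parseAndValidateCACerts from the summary, but stands in plain sentinel errors for the project's errors.DefineInvalidArgument definitions (an assumption), and generates a root CA and a server leaf certificate in memory as constructed test data so the run needs no files. The behaviour matches the four bullets above: non-CA certificates, invalid PEM and non-CERTIFICATE blocks are rejected, and whitespace after the last block is tolerated.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel errors; they stand in for the project's errors.DefineInvalidArgument
// definitions, which this example assumes rather than imports.
var (
	ErrInvalidPEM     = errors.New("root CA: data is not valid PEM")
	ErrNotCertificate = errors.New("root CA: PEM block is not a CERTIFICATE")
	ErrNotCA          = errors.New("root CA: certificate is not a CA")
)

// parseAndValidateCACerts decodes every PEM block in data, requires each block
// to be a CERTIFICATE whose parsed x509.Certificate has IsCA set, and returns
// the certificates. Whitespace after a block is ignored; any other leftover
// bytes make the whole input invalid, so a truncated or mangled file is
// rejected rather than partially loaded into the root pool.
func parseAndValidateCACerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := bytes.TrimSpace(data)
	for len(rest) > 0 {
		block, remainder := pem.Decode(rest)
		if block == nil {
			return nil, ErrInvalidPEM
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%w: got %q", ErrNotCertificate, block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("root CA: parse certificate: %w", err)
		}
		// IsCA reflects the basicConstraints cA bit; a server leaf certificate
		// has it cleared and must never be trusted as a root.
		if !cert.IsCA {
			return nil, fmt.Errorf("%w: %q", ErrNotCA, cert.Subject.CommonName)
		}
		certs = append(certs, cert)
		rest = bytes.TrimSpace(remainder)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("%w: no CERTIFICATE blocks found", ErrInvalidPEM)
	}
	return certs, nil
}

// newTestCert builds a self-signed PEM certificate as constructed test input;
// isCA sets the basicConstraints cA bit that ParseCertificate reports as IsCA.
func newTestCert(cn string, isCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, _ := newTestCert("Example Root CA", true)
	leaf, _ := newTestCert("server.example.com", false)
	for name, in := range map[string][]byte{
		"ca + trailing whitespace": bytes.Join([][]byte{ca, []byte("\n\n\t")}, nil),
		"leaf only":                leaf,
		"ca then leaf":             bytes.Join([][]byte{ca, leaf}, nil),
		"not pem":                  []byte("garbage, not PEM"),
		"key block":                pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: []byte{1, 2, 3}}),
	} {
		certs, err := parseAndValidateCACerts(in)
		fmt.Printf("%-26s -> %d cert(s), err=%v\n", name, len(certs), err)
	}
}
```

The whole input is rejected on the first bad block rather than skipping it, which is the safer failure mode for a trust anchor list: a bundle that is half leaf certificates should stop the server at startup, not silently load the CA half.

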
Reject non-CA (leaf) certificates configured as root CAs to prevent
misconfiguration where a server leaf certificate is set as a root CA.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vlasebian vlasebian self-assigned this Mar 26, 2026
@github-actions github-actions bot added the compat/config This could affect Configuration compatibility label Mar 26, 2026
vlasebian and others added 2 commits March 26, 2026 15:01
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added the ui/web This is related to a web interface label Mar 26, 2026