feat: Make confclient take into account verificiation certificates f…

…rom shared-params when verifying configuration directory's signature (#1863) * feat: Make confclient take into account verificiation certificates from shared-params when verifying configuration directory's signature Refs: XRDDEV-2519 * chore: Test coverage Refs: XRDDEV-2519 * chore: Increase globalconf refresh buffer Refs: XRDDEV-2519
nordic-institute · Nov 23, 2023 · b589d8f · b589d8f
1 parent 09dc708
commit b589d8f
Show file tree

Hide file tree

Showing 41 changed files with 427 additions and 61 deletions.
diff --git a/src/addons/messagelog/messagelog-addon/src/test/resources/globalconf/CS/shared-params.xml b/src/addons/messagelog/messagelog-addon/src/test/resources/globalconf/CS/shared-params.xml
@@ -3,8 +3,10 @@
     <instanceIdentifier>CS</instanceIdentifier>
     <source>
         <address>cs:1080</address>
-        <verificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBUNj9zuGBZYgiQ1q4jxePy7Cpe8bbr37+ySnjkQKl8D0G/6vIrPZPqz2RRk1QaKmV1wkFlcCksyu+0QVPnpmjRY6AlkWRRCciT21jCHpCef9kwjT++NwUAV8gJ+soIqasWUCZpJPEDkCVrB+/jO22Wltdzpqmj3yX2N1zRIG6ddqoOIez5W0c2sty7w1sHnC+adFoBIWsZctNHfLlInKEkStTa78XTrK8EnjR8qzpZVYjh0WxOZvN7oqNZDdUgeG3gB29TLpj2o4H/rTbUlgJT0gBS/AHIxMzRPUbMVaeDNGap6Ofje/8Jc1tbOdL5wjYc9pYbU5pwz/oSGMI6taBAgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAUVM+woAREwkKFY1uEZVOSHNy1SlzrEJD3gPm/ui+Y93LvGrCSrwVJVUqd3dkb9IsHD6Jev/SXjEF/phGVVy0WHS8EXJpkLGdV/lRl/TnhZvQ6k7q5amUd43bxIHb3Jpn4z3fpWgX07/op3SOWSBSKVOD4mrhIQQkwJQKTSkjFDXrJEijYcyT+rgUUeOWiNSnbi7nGnBgJlIA5ff1ojmb9kBiFUNS3tHYG0heEkX46rs6Al9gqjZtaiDK6XkZwlkqx769LzxRlnlrULzQpW1SwEyEQdVzZP/kqSsqfyMNmeokO1hk+FtFvoRi3XG1uEYJO+M8oPvo99+Gyu45IQrmig==</verificationCert>
-        <verificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnw42v+CwPNmI7j24C0UHsNfhxDKa4rkpgqk4iKnQ5CyzSxveodbduAz+h2lHOHTpInOgtiYd8CUTJU/A9U0JWT8WA4yOWeALxgrRlAmR944bwTDKeGHvJniU7eR9hP0mKdXxPUtZOP0ERe6nqHIWG/f2NAX2Sx6dgWvo9NBnXZ/3lQagaUHk4mztVfk4jN5EzBqkgr3/2oXkX/O/M3hU2OqNoQSlHNbuTEkowkRWkU7UGKbkEuS+ldmbYWvTCeaQsJnjN+KvDyqTFex6UXkr69l7kMDuNlYxrsEfXc+5Yy6SZeglWIgiK+cgra9E7Tf6EJmZQwHkMa00xT+4oAk7/AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAMUN65mWqf8/PyIcqYq6OME0DNAeRn30I7/icLhuumGEHcdYSszeE89AtRi+KEFu1lKj4rAn6Ha+60JP/3bIMtq807r1V6RTw62ZHIQTbB2hXqQTItbWIcnNqUu0RVeqtE0KLkz1K/sy++UpYabkl+sWQm4Q7rtIrGcGoMI997k2hZ1vycfHP/BJ6zv1hBi44al8vwQ+b63xMcJXGLUZUr0cMPBIwwndEUN1noeetb+JEMoBRYgsDcOpXzAdZObLUoT+SEwUs9h9ZH01W0Vvz9X1QaGEwe1+Lm7HJxGOODjC+oPSSbQ2yx+V3OMq31Zji9GeTIw6l5iT+wvykjTiyXA==</verificationCert>
+        <internalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXb1MgyeQ+iL66986EI4fxEkupC74VPz3i4P4KFkxYIn4mSWmnH6cFzR+lAY4FLQjfSPAI/XmLWbzZNhrDZKV0CX4JRq1tqEdkx6DNVmiFI9jRwba65JSfVMRPihJVcgryJbH07BiP3vFo8MvQTgAya8iYLFIcvtj7hXoatJa8dVwJRVlhnupuxcEppjDNCHYTinMGuuk91C+kyA4dlwZhucXAS+MGU+MzfOYv0KyFhJiPN0IZoAe+0wDA+J40si6YEuAQMEKHItR+Uhpd3zaIKxGzaYUcTZx2GqXpngJ87sd80rv75vgJMaqAsxOIQYIf+ZQWtn3M+kHXyx41ogS5AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQDDV5C11DQaV0uoSphIr+yBjUjaqxf/0vyCEeRSVFyuQubp38ph60WKlFdc3AE/PHEBd3W1gM7+nSVZ8HwBYGBOrvO6sESjzhEirJbneIddAin3qvJrRhNlU3AAoiJW82Kpn8+qQPqr2kSBdUMlGiI4JAujFaw+iZtcB6AXfqlJeuB9I6mZenivulL4SB41WasWcO1NPDcA47eoCpFwInZUxir0zJG1Uc0/NWiOjQ1U4svfDJ9i/T6CtPlre2RT1j+BklBJxdgpVm2wv6xpxVPxPMsMbeHAD9WRhfqbZ9m4J28nQrIV6wVWk879jLoCcth2dX61AAd6g3ADSbYZYuFY</internalVerificationCert>
+        <internalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnw42v+CwPNmI7j24C0UHsNfhxDKa4rkpgqk4iKnQ5CyzSxveodbduAz+h2lHOHTpInOgtiYd8CUTJU/A9U0JWT8WA4yOWeALxgrRlAmR944bwTDKeGHvJniU7eR9hP0mKdXxPUtZOP0ERe6nqHIWG/f2NAX2Sx6dgWvo9NBnXZ/3lQagaUHk4mztVfk4jN5EzBqkgr3/2oXkX/O/M3hU2OqNoQSlHNbuTEkowkRWkU7UGKbkEuS+ldmbYWvTCeaQsJnjN+KvDyqTFex6UXkr69l7kMDuNlYxrsEfXc+5Yy6SZeglWIgiK+cgra9E7Tf6EJmZQwHkMa00xT+4oAk7/AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAMUN65mWqf8/PyIcqYq6OME0DNAeRn30I7/icLhuumGEHcdYSszeE89AtRi+KEFu1lKj4rAn6Ha+60JP/3bIMtq807r1V6RTw62ZHIQTbB2hXqQTItbWIcnNqUu0RVeqtE0KLkz1K/sy++UpYabkl+sWQm4Q7rtIrGcGoMI997k2hZ1vycfHP/BJ6zv1hBi44al8vwQ+b63xMcJXGLUZUr0cMPBIwwndEUN1noeetb+JEMoBRYgsDcOpXzAdZObLUoT+SEwUs9h9ZH01W0Vvz9X1QaGEwe1+Lm7HJxGOODjC+oPSSbQ2yx+V3OMq31Zji9GeTIw6l5iT+wvykjTiyXA==</internalVerificationCert>
+        <externalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBUNj9zuGBZYgiQ1q4jxePy7Cpe8bbr37+ySnjkQKl8D0G/6vIrPZPqz2RRk1QaKmV1wkFlcCksyu+0QVPnpmjRY6AlkWRRCciT21jCHpCef9kwjT++NwUAV8gJ+soIqasWUCZpJPEDkCVrB+/jO22Wltdzpqmj3yX2N1zRIG6ddqoOIez5W0c2sty7w1sHnC+adFoBIWsZctNHfLlInKEkStTa78XTrK8EnjR8qzpZVYjh0WxOZvN7oqNZDdUgeG3gB29TLpj2o4H/rTbUlgJT0gBS/AHIxMzRPUbMVaeDNGap6Ofje/8Jc1tbOdL5wjYc9pYbU5pwz/oSGMI6taBAgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAUVM+woAREwkKFY1uEZVOSHNy1SlzrEJD3gPm/ui+Y93LvGrCSrwVJVUqd3dkb9IsHD6Jev/SXjEF/phGVVy0WHS8EXJpkLGdV/lRl/TnhZvQ6k7q5amUd43bxIHb3Jpn4z3fpWgX07/op3SOWSBSKVOD4mrhIQQkwJQKTSkjFDXrJEijYcyT+rgUUeOWiNSnbi7nGnBgJlIA5ff1ojmb9kBiFUNS3tHYG0heEkX46rs6Al9gqjZtaiDK6XkZwlkqx769LzxRlnlrULzQpW1SwEyEQdVzZP/kqSsqfyMNmeokO1hk+FtFvoRi3XG1uEYJO+M8oPvo99+Gyu45IQrmig==</externalVerificationCert>
+        <externalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC01zzex0f7YBI/JUIkTaSaB5bHRS/9X2MNlUAmekEJuiApAoXhrZOhvXegFrW3/S+Ui5PTSZrPMosV7GK8xmwJHQnZ+SdoDD1cScHjPj0/HNhM3rO/ZWGEfmCpGu7k2xIS8/Iwf7Kq6Z2SQ4osyBG/gGyBGcj7T7QeBL359UFyc4OwkcOVWJRszNG0iKBu+dP4Zj3okS5OF1ucn7QdePsqJQAA/gHM/hKMGJMVgnor1Cv/KfjKdh99MltDIv7wgqjM3JysOjgqkpgFCvAazbOSTrOtJC9uB6U/uxKH57te6A4Y02Ru2SFBkRkn/mU1iwtt+qaPiBuy/RdOkk9YrNqVAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCuDXrCsa+qH+xL+/gcWOqwl1kSUpVo3afDVr5z3ZNS04QFRfhYB6UWJv/ClNhmok83MqsbpGl7gQvQIkKSfFYTAZ7ltVPpesVQmbeby8hrF2BivASRbgS+8zGWOLLg1mhCSR6iSoDBaZtmIps4HzJYciyRO3wrDHrFlcnjwly73mzTyWNI+nn52GG8xhLlaxMq6X+3NvW5e1gyycYB/8KQ4cVeGlH03e+P5ubSwi34OYwbbIfRrDPw0M0axt5roWIC+v1/WkwIEu0XAS53yAWWEq7K4dwGEc30NLwNh5nZyL2/Z2giYHxwkpWGmFBY/hGzvVXkOPOilyTgUVXNlvJk</externalVerificationCert>
     </source>
     <approvedCA>
         <name>X-Road Test CA CN</name>

diff --git a/...enerator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParameters.java b/...enerator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParameters.java
@@ -47,7 +47,8 @@ class SharedParameters {
     @Data
     public static class ConfigurationSource {
         private String address;
-        private List<byte[]> verificationCerts;
+        private List<byte[]> internalVerificationCerts;
+        private List<byte[]> externalVerificationCerts;
     }
 
     @Data

diff --git a/...or/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoader.java b/...or/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoader.java
@@ -34,6 +34,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.niis.xroad.cs.admin.api.domain.AuthCert;
 import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKey;
+import org.niis.xroad.cs.admin.api.domain.ConfigurationSourceType;
 import org.niis.xroad.cs.admin.api.domain.FlattenedSecurityServerClientView;
 import org.niis.xroad.cs.admin.api.domain.GlobalGroup;
 import org.niis.xroad.cs.admin.api.domain.GlobalGroupMember;
@@ -98,14 +99,24 @@ private SharedParameters.ConfigurationSource toSource(
     ) {
         var source = new SharedParameters.ConfigurationSource();
         source.setAddress(addressWithConfigurationSigningKeys.getKey());
-        source.setVerificationCerts(
-                addressWithConfigurationSigningKeys.getValue().stream()
-                        .map(ConfigurationSigningKey::getCert)
-                        .collect(toList())
+        source.setInternalVerificationCerts(
+                getSigningKeysByType(addressWithConfigurationSigningKeys.getValue(), ConfigurationSourceType.INTERNAL)
+        );
+        source.setExternalVerificationCerts(
+                getSigningKeysByType(addressWithConfigurationSigningKeys.getValue(), ConfigurationSourceType.EXTERNAL)
         );
         return source;
     }
 
+    private List<byte[]> getSigningKeysByType(
+            List<ConfigurationSigningKey> signingKeys, ConfigurationSourceType configurationSourceType
+    ) {
+        return signingKeys.stream()
+                .filter(key -> configurationSourceType.equals(key.getSourceType()))
+                .map(ConfigurationSigningKey::getCert)
+                .toList();
+    }
+
     private List<SharedParameters.ApprovedCA> getApprovedCAs() {
         var approvedCas = certificationServicesService.findAll();
         return approvedCas.stream()

diff --git a/...c/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3Converter.java b/...c/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3Converter.java
@@ -75,7 +75,8 @@ abstract SharedParametersTypeV3 convert(SharedParameters sharedParameters,
     @Mapping(source = "memberClasses", target = "memberClass")
     abstract GlobalSettingsType convert(SharedParameters.GlobalSettings globalSettings);
 
-    @Mapping(source = "verificationCerts", target = "verificationCert")
+    @Mapping(source = "internalVerificationCerts", target = "internalVerificationCert")
+    @Mapping(source = "externalVerificationCerts", target = "externalVerificationCert")
     abstract ConfigurationSourceType convert(SharedParameters.ConfigurationSource configurationSource);
 
     @Mapping(source = "intermediateCAs", target = "intermediateCA")

diff --git a/...rc/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoaderTest.java b/...rc/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoaderTest.java
@@ -66,6 +66,8 @@
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.when;
+import static org.niis.xroad.cs.admin.api.domain.ConfigurationSourceType.EXTERNAL;
+import static org.niis.xroad.cs.admin.api.domain.ConfigurationSourceType.INTERNAL;
 
 @ExtendWith(MockitoExtension.class)
 class SharedParametersLoaderTest {
@@ -212,13 +214,18 @@ private void assertApprovedCa(SharedParameters parameters) {
     private void assertNodeAddressesWithConfigurationSigningKeys(SharedParameters parameters) {
         assertThat(parameters.getSources()).singleElement().satisfies(src -> {
             assertThat(src.getAddress()).isEqualTo(CENTRAL_SERVICE);
-            assertThat(src.getVerificationCerts()).hasSize(1);
-            assertThat(src.getVerificationCerts().get(0)).isEqualTo(CONFIGURATION_SIGNING_CERT);
+            assertThat(src.getInternalVerificationCerts()).hasSize(1);
+            assertThat(src.getInternalVerificationCerts().get(0)).isEqualTo(CONFIGURATION_SIGNING_CERT);
+            assertThat(src.getExternalVerificationCerts()).hasSize(1);
+            assertThat(src.getExternalVerificationCerts().get(0)).isEqualTo(CONFIGURATION_SIGNING_CERT);
         });
     }
 
     private Map<String, List<ConfigurationSigningKey>> getNodeAddressesWithConfigurationSigningKeys() {
-        return Map.of(CENTRAL_SERVICE, List.of(new ConfigurationSigningKey().setCert(CONFIGURATION_SIGNING_CERT)));
+        return Map.of(CENTRAL_SERVICE, List.of(
+                new ConfigurationSigningKey().setSourceType(INTERNAL).setCert(CONFIGURATION_SIGNING_CERT),
+                new ConfigurationSigningKey().setSourceType(EXTERNAL).setCert(CONFIGURATION_SIGNING_CERT)
+        ));
     }
 
     private CertificationService getCertificationService() {

diff --git a/...st/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3ConverterTest.java b/...st/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3ConverterTest.java
@@ -56,7 +56,8 @@ class SharedParametersV3ConverterTest {
     private static final Map<String, String> FIELD_NAME_MAP = Map.ofEntries(
             entry("securityServer", "securityServers"),
             entry("source", "sources"),
-            entry("verificationCert", "verificationCerts"),
+            entry("internalVerificationCert", "internalVerificationCerts"),
+            entry("externalVerificationCert", "externalVerificationCerts"),
             entry("approvedCA", "approvedCAs"),
             entry("approvedTSA", "approvedTSAs"),
             entry("member", "members"),
@@ -81,7 +82,8 @@ void shouldConvertAllFields() {
                         "members.id",
                         "members.subsystems.id",
                         "centralService",
-                        "sources.verificationCerts"
+                        "sources.internalVerificationCerts",
+                        "sources.externalVerificationCerts"
                 )
                 .withEqualsForFields((a, b) ->
                                 new BigInteger(a.toString()).compareTo(new BigInteger(b.toString())) == 0,
@@ -163,7 +165,8 @@ private static SharedParameters getSharedParameters() {
     private static List<SharedParameters.ConfigurationSource> getConfigurationSources() {
         var configurationSource = new SharedParameters.ConfigurationSource();
         configurationSource.setAddress("cs");
-        configurationSource.setVerificationCerts(List.of("conf-singing-cert".getBytes(UTF_8)));
+        configurationSource.setInternalVerificationCerts(List.of("internal-conf-singing-cert".getBytes(UTF_8)));
+        configurationSource.setExternalVerificationCerts(List.of("external-conf-singing-cert".getBytes(UTF_8)));
         return List.of(configurationSource);
     }
 

diff --git a/...t/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3MarshallerTest.java b/...t/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3MarshallerTest.java
@@ -46,7 +46,8 @@ void marshall() {
 
         var configurationSource = new SharedParameters.ConfigurationSource();
         configurationSource.setAddress("cs");
-        configurationSource.setVerificationCerts(List.of("conf-signing-cert".getBytes(StandardCharsets.UTF_8)));
+        configurationSource.setInternalVerificationCerts(List.of("internal-conf-signing-cert".getBytes(StandardCharsets.UTF_8)));
+        configurationSource.setExternalVerificationCerts(List.of("external-conf-signing-cert".getBytes(StandardCharsets.UTF_8)));
         sharedParams.setGlobalSettings(new SharedParameters.GlobalSettings(null, 60));
         sharedParams.setSources(List.of(configurationSource));
 

diff --git a/...main/resources/signer-container-files/etc/xroad/globalconf/CS/private-params.xml.metadata b/...main/resources/signer-container-files/etc/xroad/globalconf/CS/private-params.xml.metadata
@@ -1 +1 @@
-{"contentIdentifier":"PRIVATE-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"}
+{"contentIdentifier":"PRIVATE-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z","configurationVersion": "3"}
diff --git a/...-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml b/...-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml
@@ -1,6 +1,13 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <ns3:conf xmlns:ns2="http://x-road.eu/xsd/identifiers" xmlns:ns3="http://x-road.eu/xsd/xroad.xsd">
     <instanceIdentifier>CS</instanceIdentifier>
+    <source>
+        <address>cs:1080</address>
+        <internalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXb1MgyeQ+iL66986EI4fxEkupC74VPz3i4P4KFkxYIn4mSWmnH6cFzR+lAY4FLQjfSPAI/XmLWbzZNhrDZKV0CX4JRq1tqEdkx6DNVmiFI9jRwba65JSfVMRPihJVcgryJbH07BiP3vFo8MvQTgAya8iYLFIcvtj7hXoatJa8dVwJRVlhnupuxcEppjDNCHYTinMGuuk91C+kyA4dlwZhucXAS+MGU+MzfOYv0KyFhJiPN0IZoAe+0wDA+J40si6YEuAQMEKHItR+Uhpd3zaIKxGzaYUcTZx2GqXpngJ87sd80rv75vgJMaqAsxOIQYIf+ZQWtn3M+kHXyx41ogS5AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQDDV5C11DQaV0uoSphIr+yBjUjaqxf/0vyCEeRSVFyuQubp38ph60WKlFdc3AE/PHEBd3W1gM7+nSVZ8HwBYGBOrvO6sESjzhEirJbneIddAin3qvJrRhNlU3AAoiJW82Kpn8+qQPqr2kSBdUMlGiI4JAujFaw+iZtcB6AXfqlJeuB9I6mZenivulL4SB41WasWcO1NPDcA47eoCpFwInZUxir0zJG1Uc0/NWiOjQ1U4svfDJ9i/T6CtPlre2RT1j+BklBJxdgpVm2wv6xpxVPxPMsMbeHAD9WRhfqbZ9m4J28nQrIV6wVWk879jLoCcth2dX61AAd6g3ADSbYZYuFY</internalVerificationCert>
+        <internalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnw42v+CwPNmI7j24C0UHsNfhxDKa4rkpgqk4iKnQ5CyzSxveodbduAz+h2lHOHTpInOgtiYd8CUTJU/A9U0JWT8WA4yOWeALxgrRlAmR944bwTDKeGHvJniU7eR9hP0mKdXxPUtZOP0ERe6nqHIWG/f2NAX2Sx6dgWvo9NBnXZ/3lQagaUHk4mztVfk4jN5EzBqkgr3/2oXkX/O/M3hU2OqNoQSlHNbuTEkowkRWkU7UGKbkEuS+ldmbYWvTCeaQsJnjN+KvDyqTFex6UXkr69l7kMDuNlYxrsEfXc+5Yy6SZeglWIgiK+cgra9E7Tf6EJmZQwHkMa00xT+4oAk7/AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAMUN65mWqf8/PyIcqYq6OME0DNAeRn30I7/icLhuumGEHcdYSszeE89AtRi+KEFu1lKj4rAn6Ha+60JP/3bIMtq807r1V6RTw62ZHIQTbB2hXqQTItbWIcnNqUu0RVeqtE0KLkz1K/sy++UpYabkl+sWQm4Q7rtIrGcGoMI997k2hZ1vycfHP/BJ6zv1hBi44al8vwQ+b63xMcJXGLUZUr0cMPBIwwndEUN1noeetb+JEMoBRYgsDcOpXzAdZObLUoT+SEwUs9h9ZH01W0Vvz9X1QaGEwe1+Lm7HJxGOODjC+oPSSbQ2yx+V3OMq31Zji9GeTIw6l5iT+wvykjTiyXA==</internalVerificationCert>
+        <externalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBUNj9zuGBZYgiQ1q4jxePy7Cpe8bbr37+ySnjkQKl8D0G/6vIrPZPqz2RRk1QaKmV1wkFlcCksyu+0QVPnpmjRY6AlkWRRCciT21jCHpCef9kwjT++NwUAV8gJ+soIqasWUCZpJPEDkCVrB+/jO22Wltdzpqmj3yX2N1zRIG6ddqoOIez5W0c2sty7w1sHnC+adFoBIWsZctNHfLlInKEkStTa78XTrK8EnjR8qzpZVYjh0WxOZvN7oqNZDdUgeG3gB29TLpj2o4H/rTbUlgJT0gBS/AHIxMzRPUbMVaeDNGap6Ofje/8Jc1tbOdL5wjYc9pYbU5pwz/oSGMI6taBAgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAUVM+woAREwkKFY1uEZVOSHNy1SlzrEJD3gPm/ui+Y93LvGrCSrwVJVUqd3dkb9IsHD6Jev/SXjEF/phGVVy0WHS8EXJpkLGdV/lRl/TnhZvQ6k7q5amUd43bxIHb3Jpn4z3fpWgX07/op3SOWSBSKVOD4mrhIQQkwJQKTSkjFDXrJEijYcyT+rgUUeOWiNSnbi7nGnBgJlIA5ff1ojmb9kBiFUNS3tHYG0heEkX46rs6Al9gqjZtaiDK6XkZwlkqx769LzxRlnlrULzQpW1SwEyEQdVzZP/kqSsqfyMNmeokO1hk+FtFvoRi3XG1uEYJO+M8oPvo99+Gyu45IQrmig==</externalVerificationCert>
+        <externalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC01zzex0f7YBI/JUIkTaSaB5bHRS/9X2MNlUAmekEJuiApAoXhrZOhvXegFrW3/S+Ui5PTSZrPMosV7GK8xmwJHQnZ+SdoDD1cScHjPj0/HNhM3rO/ZWGEfmCpGu7k2xIS8/Iwf7Kq6Z2SQ4osyBG/gGyBGcj7T7QeBL359UFyc4OwkcOVWJRszNG0iKBu+dP4Zj3okS5OF1ucn7QdePsqJQAA/gHM/hKMGJMVgnor1Cv/KfjKdh99MltDIv7wgqjM3JysOjgqkpgFCvAazbOSTrOtJC9uB6U/uxKH57te6A4Y02Ru2SFBkRkn/mU1iwtt+qaPiBuy/RdOkk9YrNqVAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCuDXrCsa+qH+xL+/gcWOqwl1kSUpVo3afDVr5z3ZNS04QFRfhYB6UWJv/ClNhmok83MqsbpGl7gQvQIkKSfFYTAZ7ltVPpesVQmbeby8hrF2BivASRbgS+8zGWOLLg1mhCSR6iSoDBaZtmIps4HzJYciyRO3wrDHrFlcnjwly73mzTyWNI+nn52GG8xhLlaxMq6X+3NvW5e1gyycYB/8KQ4cVeGlH03e+P5ubSwi34OYwbbIfRrDPw0M0axt5roWIC+v1/WkwIEu0XAS53yAWWEq7K4dwGEc30NLwNh5nZyL2/Z2giYHxwkpWGmFBY/hGzvVXkOPOilyTgUVXNlvJk</externalVerificationCert>
+    </source>
     <approvedCA>
         <name>X-Road Test CA CN</name>
         <topCA>

diff --git a/.../main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata b/.../main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml.metadata
@@ -1 +1 @@
-{"contentIdentifier":"SHARED-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z"}
+{"contentIdentifier":"SHARED-PARAMETERS","instanceIdentifier":"cs","expirationDate":"2124-05-20T17:42:55Z","configurationVersion": "3"}
diff --git a/...ommon/common-util/src/main/java/ee/ria/xroad/common/conf/globalconf/SharedParameters.java b/...ommon/common-util/src/main/java/ee/ria/xroad/common/conf/globalconf/SharedParameters.java
@@ -193,7 +193,8 @@ private static <K, V> void addToMap(Map<K, Set<V>> map, K key, V value) {
     @Data
     public static class ConfigurationSource {
         private String address;
-        private List<byte[]> verificationCerts;
+        private List<byte[]> internalVerificationCerts;
+        private List<byte[]> externalVerificationCerts;
     }
 
     @Data

diff --git a/...n-util/src/main/java/ee/ria/xroad/common/conf/globalconf/SharedParametersV3Converter.java b/...n-util/src/main/java/ee/ria/xroad/common/conf/globalconf/SharedParametersV3Converter.java
@@ -135,7 +135,8 @@ private SharedParameters.GlobalSettings getGlobalSettings(GlobalSettingsType glo
     private SharedParameters.ConfigurationSource toConfigurationSource(ConfigurationSourceType source) {
         var target = new SharedParameters.ConfigurationSource();
         target.setAddress(source.getAddress());
-        target.setVerificationCerts(source.getVerificationCert());
+        target.setInternalVerificationCerts(source.getInternalVerificationCert());
+        target.setExternalVerificationCerts(source.getExternalVerificationCert());
         return target;
     }
 

diff --git a/src/common/common-util/src/main/resources/globalconf/v3/shared-parameters.xsd b/src/common/common-util/src/main/resources/globalconf/v3/shared-parameters.xsd
@@ -24,7 +24,14 @@
           </documentation>
         </annotation>
       </element>
-      <element name="verificationCert" type="base64Binary" maxOccurs="unbounded">
+      <element name="internalVerificationCert" type="base64Binary" maxOccurs="unbounded">
+        <annotation>
+          <documentation>
+            Public key that can be used to verify the signed configuration, presented as X.509 certificate.
+          </documentation>
+        </annotation>
+      </element>
+      <element name="externalVerificationCert" type="base64Binary" maxOccurs="unbounded">
         <annotation>
           <documentation>
             Public key that can be used to verify the signed configuration, presented as X.509 certificate.