aiwg
Version:
Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo
92 lines (86 loc) • 3.77 kB
YAML
apiVersion: ops.aiwg.io/v1
kind: OpsTarget
metadata:
name: "{org}-pki-hierarchy"
labels:
domain: security-operations
type: pki-hierarchy
spec:
description: "PKI hierarchy definition for {organization}"
last_reviewed: "{YYYY-MM-DD}"
reviewed_by: "{operator}"
root_ca:
name: "{Org} Root CA"
subject_dn: "CN={Org} Root CA, O={Organization}, C={CC}"
key_location:
type: "{hsm|airgap-file}"
hsm_slot: "{slot-id}" # if HSM
file_path: "{/secure/path/root-ca.key}" # if file
access_procedure_ref: "{path/to/ceremony-runbook.md}"
algorithm: "EC P-384"
validity_years: 20
not_before: "{YYYY-MM-DD}"
not_after: "{YYYY-MM-DD}"
fingerprint_sha256: "{sha256-fingerprint}"
crl_distribution_point: "{http://pki.example.com/root.crl}"
ocsp_responder: "{http://ocsp.example.com/root}"
cross_signed_by: [] # list any external cross-signatures
renewal_procedure_ref: "{path/to/root-ca-renewal.md}"
issued_cert_count: 0 # root typically issues only intermediate CAs
notes: "Offline root CA. Only used for intermediate CA issuance and CRL signing. Kept in HSM in locked cabinet."
intermediate_cas:
- name: "{Org} Intermediate CA 1"
subject_dn: "CN={Org} Intermediate CA 1, O={Organization}, C={CC}"
signed_by: "{Org} Root CA"
key_location:
type: "{hsm|file}"
hsm_slot: "{slot-id}"
file_path: "{/secure/path/intermediate-ca.key}"
algorithm: "EC P-384"
validity_years: 10
not_before: "{YYYY-MM-DD}"
not_after: "{YYYY-MM-DD}"
fingerprint_sha256: "{sha256-fingerprint}"
crl_distribution_point: "{http://pki.example.com/intermediate1.crl}"
ocsp_responder: "{http://ocsp.example.com/intermediate1}"
issued_cert_count: 0
path_length_constraint: 0 # can this CA sign other CAs? 0 = no
renewal_procedure_ref: "{path/to/intermediate-ca-renewal.md}"
notes: "{Purpose of this intermediate CA}"
issuing_cas:
- name: "{Org} Issuing CA — {Purpose}"
subject_dn: "CN={Org} Issuing CA {Purpose}, O={Organization}, C={CC}"
signed_by: "{Org} Intermediate CA 1"
key_location:
type: "{hsm|file}"
hsm_slot: "{slot-id}"
file_path: "{/secure/path/issuing-ca.key}"
algorithm: "EC P-384"
validity_years: 5
not_before: "{YYYY-MM-DD}"
not_after: "{YYYY-MM-DD}"
fingerprint_sha256: "{sha256-fingerprint}"
crl_distribution_point: "{http://pki.example.com/issuing-purpose.crl}"
ocsp_responder: "{http://ocsp.example.com/issuing-purpose}"
issued_cert_count: 0
cert_policies:
- purpose: "{tls-server|tls-client|code-signing|email|ssh-host|ssh-user}"
key_usage: "{digitalSignature, keyEncipherment}"
extended_key_usage: "{serverAuth, clientAuth}"
max_validity_days: 398 # 398 days = browser-accepted max for TLS
san_required: true
renewal_procedure_ref: "{path/to/issuing-ca-renewal.md}"
auto_renewal: false
notes: "{Purpose of this issuing CA and the types of certificates it issues}"
trust_distribution:
fleet_trust_store: "{/etc/ssl/certs/org-ca-bundle.pem}"
distribution_method: "{ansible|puppet|manual}"
hosts_with_trust_installed: [] # list hostnames or use "all-fleet"
browsers_trust_store: "{deployed via MDM|not deployed}"
last_distributed: "{YYYY-MM-DD}"
crl_schedule:
root_ca_crl_validity_days: 365
intermediate_ca_crl_validity_days: 30
issuing_ca_crl_validity_days: 7
crl_publish_automation: "{manual|cron|systemd-timer}"
crl_publish_procedure_ref: "{path/to/ca-operations-runbook.md}"