Issues while using disk as upstream plugin

[vinod-ps]

Hi All,
I would like to understand the usage of Disk as for upstream to PKI.
I have an offline RootCA and generated an intermediate Certificate for spire server.
Then I updated the SPIRE helm to use the disk and provided the intermediate CA signed from my root and intermediate private key.
when I verified the SVID of a workload, it looks like somehow the spire is not taking the certificate correctly because I can see the Intermediate certificate's serial number and thumbprint is different from what I have provided in the input yaml, but the name and subject matches.

Copy of my testing yaml is : https://github.com/vinod-ps/SPIRE_SPIFFE/blob/main/helm-charts-hardened-1/charts/spire/charts/spire-server/values.yaml

Am I missing something?
Thanks in advance

[sorindumitru]

The UpstreamAuthority plugin serves as the certificate authority for spire-server, but not for workloads. Generally the flow goes like:

• spire-server creates a new key using the configured KeyManager plugin
• spire-server signs it's own intermediate CA backed by the key above using the UpstreamAuthority plugin
• spire-server signs workload SVIDs using the intermediate CA it signed.

So in your case the certificate chain will look like this:
SVID -> SPIRE Intermediate CA -> Your Intermediate CA -> Root CA

The reason SPIRE does this is because it wants to have some control over how often the SPIRE intermediate CA is rotated. Ideally this should be rotated more often and is controlled by the ca_ttl configuration (defaulting to 24h).