ca: align certificate names

cli/cmd/common.go

@@ -16,8 +16,8 @@ import (
 
 const (
 	coordHashFilename    = "coordinator-policy.sha256"
-	coordRootPEMFilename = "coordinator-root.pem"
-	meshRootPEMFilename  = "mesh-root.pem"
+	coordRootPEMFilename = "coordinator-root-ca.pem"
+	meshCAPEMFilename    = "mesh-ca.pem"
 	workloadOwnerPEM     = "workload-owner.pem"
 	manifestFilename     = "manifest.json"
 	settingsFilename     = "settings.json"

cli/cmd/set.go

@@ -46,7 +46,7 @@ the connection will only be successful if the Coordinator conforms with the
 reference values embedded into the CLI.
 
 After the connection is established, the manifest is set. The Coordinator
-will re-generate the mesh root certificate and accept new workloads to
+will re-generate the mesh CA certificate and accept new workloads to
 issuer certificates.`,
 		RunE: withTelemetry(runSet),
 	}
@@ -141,8 +141,8 @@ func runSet(cmd *cobra.Command, args []string) error {
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Manifest set successfully")
 
 	filelist := map[string][]byte{
-		coordRootPEMFilename: resp.CoordinatorRoot,
-		meshRootPEMFilename:  resp.MeshRoot,
+		coordRootPEMFilename: resp.RootCA,
+		meshCAPEMFilename:    resp.MeshCA,
 	}
 	if err := writeFilelist(flags.workspaceDir, filelist); err != nil {
 		return fmt.Errorf("writing filelist: %w", err)

cli/cmd/verify.go

@@ -90,8 +90,8 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Successfully verified coordinator")
 
 	filelist := map[string][]byte{
-		coordRootPEMFilename: resp.CoordinatorRoot,
-		meshRootPEMFilename:  resp.MeshRoot,
+		coordRootPEMFilename: resp.RootCA,
+		meshCAPEMFilename:    resp.MeshCA,
 	}
 	for i, m := range resp.Manifests {
 		filelist[fmt.Sprintf("manifest.%d.json", i)] = m

coordinator/meshapi.go

@@ -77,12 +77,12 @@ func (i *meshAPIServer) NewMeshCert(_ context.Context, req *meshapi.NewMeshCertR
 			"getting certificate with public key hash %q: %v", req.PeerPublicKeyHash, err)
 	}
 
-	meshCACert := i.caChainGetter.GetMeshRootCert()
-	intermCert := i.caChainGetter.GetIntermCert()
+	meshCACert := i.caChainGetter.GetMeshCACert()
+	intermCert := i.caChainGetter.GetIntermCACert()
 
 	return &meshapi.NewMeshCertResponse{
 		MeshCACert: meshCACert,
 		CertChain:  append(cert, intermCert...),
-		RootCACert: i.caChainGetter.GetCoordinatorRootCert(),
+		RootCACert: i.caChainGetter.GetRootCACert(),
 	}, nil
 }

coordinator/userapi.go

@@ -104,8 +104,8 @@ func (s *userAPIServer) SetManifest(ctx context.Context, req *userapi.SetManifes
 	}
 
 	resp := &userapi.SetManifestResponse{
-		CoordinatorRoot: s.caChainGetter.GetCoordinatorRootCert(),
-		MeshRoot:        s.caChainGetter.GetMeshRootCert(),
+		RootCA: s.caChainGetter.GetRootCACert(),
+		MeshCA: s.caChainGetter.GetMeshCACert(),
 	}
 
 	s.logger.Info("SetManifest succeeded")
@@ -134,10 +134,10 @@ func (s *userAPIServer) GetManifests(_ context.Context, _ *userapi.GetManifestsR
 	}
 
 	resp := &userapi.GetManifestsResponse{
-		Manifests:       manifestBytes,
-		Policies:        policySliceToBytesSlice(policies),
-		CoordinatorRoot: s.caChainGetter.GetCoordinatorRootCert(),
-		MeshRoot:        s.caChainGetter.GetMeshRootCert(),
+		Manifests: manifestBytes,
+		Policies:  policySliceToBytesSlice(policies),
+		RootCA:    s.caChainGetter.GetRootCACert(),
+		MeshCA:    s.caChainGetter.GetMeshCACert(),
 	}
 
 	s.logger.Info("GetManifest succeeded")
@@ -213,9 +213,9 @@ func manifestSliceToBytesSlice(s []*manifest.Manifest) ([][]byte, error) {
 }
 
 type certChainGetter interface {
-	GetCoordinatorRootCert() []byte
-	GetMeshRootCert() []byte
-	GetIntermCert() []byte
+	GetRootCACert() []byte
+	GetMeshCACert() []byte
+	GetIntermCACert() []byte
 }
 
 type manifestSetGetter interface {

coordinator/userapi_test.go

@@ -230,8 +230,8 @@ func TestManifestSet(t *testing.T) {
 				return
 			}
 			require.NoError(err)
-			assert.Equal([]byte("root"), resp.CoordinatorRoot)
-			assert.Equal([]byte("mesh"), resp.MeshRoot)
+			assert.Equal([]byte("root"), resp.RootCA)
+			assert.Equal([]byte("mesh"), resp.MeshCA)
 			assert.Equal(1, tc.mSGetter.setManifestCount)
 		})
 	}
@@ -296,8 +296,8 @@ func TestGetManifests(t *testing.T) {
 				return
 			}
 			require.NoError(err)
-			assert.Equal([]byte("root"), resp.CoordinatorRoot)
-			assert.Equal([]byte("mesh"), resp.MeshRoot)
+			assert.Equal([]byte("root"), resp.RootCA)
+			assert.Equal([]byte("mesh"), resp.MeshCA)
 			assert.Len(resp.Policies, len(tc.policyStoreContent))
 		})
 	}
@@ -397,9 +397,9 @@ func (s *stubManifestSetGetter) LatestManifest() (*manifest.Manifest, error) {
 
 type stubCertChainGetter struct{}
 
-func (s *stubCertChainGetter) GetCoordinatorRootCert() []byte { return []byte("root") }
-func (s *stubCertChainGetter) GetMeshRootCert() []byte        { return []byte("mesh") }
-func (s *stubCertChainGetter) GetIntermCert() []byte          { return []byte("inter") }
+func (s *stubCertChainGetter) GetRootCACert() []byte   { return []byte("root") }
+func (s *stubCertChainGetter) GetMeshCACert() []byte   { return []byte("mesh") }
+func (s *stubCertChainGetter) GetIntermCACert() []byte { return []byte("inter") }
 
 func rpcContext(key *ecdsa.PrivateKey) context.Context {
 	var peerCertificates []*x509.Certificate

deployments/emojivoto-sm-egress/emoji.yml

@@ -50,7 +50,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
           image: ghcr.io/3u13r/emojivoto-emoji-svc:coco-1

deployments/emojivoto-sm-egress/voting.yml

@@ -50,7 +50,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
           image: ghcr.io/3u13r/emojivoto-voting-svc:coco-1

deployments/emojivoto-sm-egress/web.yml

@@ -62,7 +62,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
             - name: EDG_DISABLE_CLIENT_AUTH

deployments/emojivoto-sm-ingress/emoji.yml

@@ -61,7 +61,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
           image: docker.l5d.io/buoyantio/emojivoto-emoji-svc:v11

deployments/emojivoto-sm-ingress/voting.yml

@@ -61,7 +61,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
           image: docker.l5d.io/buoyantio/emojivoto-voting-svc:v11

deployments/emojivoto-sm-ingress/web.yml

@@ -65,7 +65,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
             - name: EDG_DISABLE_CLIENT_AUTH

deployments/emojivoto/emoji.yml

@@ -50,7 +50,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
           image: ghcr.io/3u13r/emojivoto-emoji-svc:coco-1

deployments/emojivoto/voting.yml

@@ -50,7 +50,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
           image: ghcr.io/3u13r/emojivoto-voting-svc:coco-1

deployments/emojivoto/web.yml

@@ -49,7 +49,7 @@ spec:
             - name: EDG_CERT_PATH
               value: /tls-config/certChain.pem
             - name: EDG_CA_PATH
-              value: /tls-config/MeshCACert.pem
+              value: /tls-config/mesh-ca.pem
             - name: EDG_KEY_PATH
               value: /tls-config/key.pem
             - name: EDG_DISABLE_CLIENT_AUTH

docs/docs/deployment.md

@@ -131,7 +131,7 @@ in the manifest are also written to the directory.
 
 ## Communicate with workloads
 
-You can securely connect to the workloads using the Coordinator's `mesh-root.pem` as a trusted CA certificate.
+You can securely connect to the workloads using the Coordinator's `mesh-ca.pem` as a trusted CA certificate.
 First, expose the service on a public IP address via a LoadBalancer service:
 
 ```sh
@@ -146,17 +146,17 @@ echo $lbip
 By default, mesh certificates are issued with a wildcard DNS entry. The web frontend is accessed
 via load balancer IP in this demo. Tools like curl check the certificate for IP entries in the SAN field.
 Validation fails since the certificate contains no IP entries as a subject alternative name (SAN).
-For example, a connection attempt using the curl and the mesh root certificate with throw the following error:
+For example, a connection attempt using the curl and the mesh CA certificate with throw the following error:
 
 ```sh
-$ curl --cacert ./verify/mesh-root.pem "https://${frontendIP}:443"
+$ curl --cacert ./verify/mesh-ca.pem "https://${frontendIP}:443"
 curl: (60) SSL: no alternative certificate subject name matches target host name '203.0.113.34'
 ```
 
 :::
 
-Using `openssl`, the certificate of the service can be validated with the `mesh-root.pem`:
+Using `openssl`, the certificate of the service can be validated with the `mesh-ca.pem`:
 
 ```sh
-openssl s_client -CAfile verify/mesh-root.pem -verify_return_error -connect ${frontendIP}:443 < /dev/null
+openssl s_client -CAfile verify/mesh-ca.pem -verify_return_error -connect ${frontendIP}:443 < /dev/null
 ```

docs/docs/examples/emojivoto.md

@@ -6,7 +6,6 @@
 **This tutorial guides you through deploying [emojivoto](https://github.com/BuoyantIO/emojivoto) as a
 confidential Contrast deployment and validating the deployment from a voters perspective.**
 
-
 Emojivoto is an example app allowing users to vote for different emojis and view votes
 on a leader board. It has a microservice architecture consisting of a
 web frontend (`web`), a gRPC backend for listing available emojis (`emoji`), and a backend for
@@ -121,7 +120,7 @@ The CLI will attest the Coordinator using embedded reference values. If the comm
 the Coordinator deployment was successfully verified to be running in the expected Confidential
 Computing environment with the expected code version. The Coordinator will then return its
 configuration over the established TLS channel. The CLI will store this information, namely the root
-certificate of the mesh (`mesh-root.pem`) and the history of manifests, into the `verify/` directory.
+certificate of the mesh (`mesh-ca.pem`) and the history of manifests, into the `verify/` directory.
 In addition, the policies referenced in the manifest history are also written into the same directory.
 
 ### Manifest history and artifact audit
@@ -133,7 +132,7 @@ this task to an entity they trust.
 ### Confidential connection to the attested workload
 
 After ensuring the configuration of the Coordinator fits the expectation, you can securely connect
-to the workloads using the Coordinator's `mesh-root.pem` as a trusted CA certificate.
+to the workloads using the Coordinator's `mesh-ca.pem` as a trusted CA certificate.
 
 To access the web frontend, expose the service on a public IP address via a LoadBalancer service:
 
@@ -142,21 +141,21 @@ frontendIP=$(kubectl get svc web-svc -o=jsonpath='{.status.loadBalancer.ingress[
 echo "Frontend is available at  https://$frontendIP, you can visit it in your browser."
 ```
 
-Using `openssl`, the certificate of the service can be validated with the `mesh-root.pem`:
+Using `openssl`, the certificate of the service can be validated with the `mesh-ca.pem`:
 
 ```sh
-openssl s_client -CAfile verify/mesh-root.pem -verify_return_error -connect ${frontendIP}:443 < /dev/null
+openssl s_client -CAfile verify/mesh-ca.pem -verify_return_error -connect ${frontendIP}:443 < /dev/null
 ```
 
 ## Certificate SAN and manifest update (optional)
 
 By default, mesh certificates are issued with a wildcard DNS entry. The web frontend is accessed
 via load balancer IP in this demo. Tools like curl check the certificate for IP entries in the SAN field.
 Validation fails since the certificate contains no IP entries as a subject alternative name (SAN).
-For example, a connection attempt using the curl and the mesh root certificate with throw the following error:
+For example, a connection attempt using the curl and the mesh CA certificate with throw the following error:
 
 ```sh
-$ curl --cacert ./verify/mesh-root.pem "https://${frontendIP}:443"
+$ curl --cacert ./verify/mesh-ca.pem "https://${frontendIP}:443"
 curl: (60) SSL: no alternative certificate subject name matches target host name '203.0.113.34'
 ```
 
@@ -185,11 +184,11 @@ Next, set the changed manifest at the coordinator with:
 contrast set -c "${coordinator}:1313" deployment/
 ```
 
-The Contrast Coordinator will rotate the mesh root certificate on the manifest update. Workload certificates issued
+The Contrast Coordinator will rotate the mesh ca certificate on the manifest update. Workload certificates issued
 after the manifest are thus issued by another certificate authority and services receiving the new CA certificate chain
 won't trust parts of the deployment that got their certificate issued before the update. This way, Contrast ensures
 that parts of the deployment that received a security update won't be infected by parts of the deployment at an older
-patch level that may have been compromised. The `mesh-root.pem` is updated with the new CA certificate chain.
+patch level that may have been compromised. The `mesh-ca.pem` is updated with the new CA certificate chain.
 
 ### Rolling out the update
 
@@ -210,5 +209,5 @@ After the update has been rolled out, connecting to the frontend using curl will
 the service certificate and return the HTML document of the voting site:
 
 ```sh
-curl --cacert ./mesh-root.pem "https://${frontendIP}:443"
+curl --cacert ./mesh-ca.pem "https://${frontendIP}:443"
 ```

docs/screencast/recordings/flow.cast

@@ -524,7 +524,7 @@
 [67.872085, "o", "i"]
 [67.96622, "o", "f"]
 [68.041638, "o", "y\r\n\u001b[?2004l\r"]
-[68.043569, "o", "coordinator-root.pem  policy.2566f5b2172910e57b5162190f0556041b86614c8e8d8981f80bf47b621140c0.rego\r\nmanifest.0.json       policy.37427d9bc17b6766909fdd1225298226a344e14ce298c232a6bc2a80baa244b8.rego\r\nmesh-root.pem         policy.561b5164452bee3956e1b3ec0420b2f32c87c53423bb1ec10821bc8be37199e7.rego\r\n"]
+[68.043569, "o", "coordinator-root-ca.pem  policy.2566f5b2172910e57b5162190f0556041b86614c8e8d8981f80bf47b621140c0.rego\r\nmanifest.0.json       policy.37427d9bc17b6766909fdd1225298226a344e14ce298c232a6bc2a80baa244b8.rego\r\nmesh-ca.pem         policy.561b5164452bee3956e1b3ec0420b2f32c87c53423bb1ec10821bc8be37199e7.rego\r\n"]
 [68.04372, "o", "\u001b[?2004h\u001b[38;2;139;4;221m$\u001b[0m "]
 [69.044865, "o", "#"]
 [69.09501, "o", " "]

docs/screencast/scripts/flow.expect

@@ -57,7 +57,7 @@ run_command "contrast verify -c \$coordinator:1313"
 expect_prompt
 run_command "ls ./verify"
 expect_prompt
-run_command "# mesh-root.pem can be used to securely connect to the service"
+run_command "# mesh-ca.pem can be used to securely connect to the service"
 expect_prompt
 
 # Stop recording

e2e/internal/contrasttest/contrasttest.go

@@ -180,9 +180,9 @@ func (ct *ContrastTest) Verify(t *testing.T) {
 
 	require.NoError(verify.Execute(), "could not verify coordinator: %s", errBuf)
 
-	ct.meshCACertPEM, err = os.ReadFile(path.Join(ct.WorkDir, "mesh-root.pem"))
+	ct.meshCACertPEM, err = os.ReadFile(path.Join(ct.WorkDir, "mesh-ca.pem"))
 	require.NoError(err)
-	ct.rootCACertPEM, err = os.ReadFile(path.Join(ct.WorkDir, "coordinator-root.pem"))
+	ct.rootCACertPEM, err = os.ReadFile(path.Join(ct.WorkDir, "coordinator-root-ca.pem"))
 	require.NoError(err)
 }