Add historic ceremonies and restructure project

.gitignore

@@ -1,2 +1,5 @@
 softhsm2.conf
 softhsm/
+*.cert.pem
+*.cert.txt
+*.key.pem

README.md

@@ -1,17 +1,29 @@
-# Let's Encrypt 2020 Hierarchy
+# Let's Encrypt 2022 Ceremony
 
-Let's Encrypt generated ECDSA P-384 root and new intermediates in
-2020. We will used [Boulder's `ceremony` tooling to generate these][ceremony].
+Let's Encrypt plans to generate new intermediates (both RSA 2048 and ECDSA P-384) in 2022, to complement the cohort of existing intermediates (R3, R4, E1, and E2) already present in our hierarchy.
 
 This directory contains example config files that simulated the certificate
-profiles in detail. We used it to gather feedback prior to our key ceremony.
+profiles in detail. We are using it to gather feedback prior to our key ceremony.
+
 To try it out:
 
- - install the `ceremony` tool in your $PATH
- - install SoftHSMv2
- - Update the YAML files, if necessary, to reflect that path to your SoftHSMv2
-   install.
- - Run ./run.sh.
- - If you make any modifications, run ./reset.sh && ./run.sh.
+- Install the [`ceremony`](https://github.com/letsencrypt/boulder/blob/main/cmd/ceremony/README.md) tool in your `$PATH`.
+
+  ```sh
+  go install https://github.com/letsencrypt/boulder/cmd/ceremony
+  ```
+
+- Install [SoftHSMv2](https://github.com/opendnssec/SoftHSMv2).
+
+  ```sh
+  sudo apt install softhsm2
+  ```
+
+- Update the YAML files, if necessary, to reflect that path to your SoftHSMv2
+  install.
+
+- Execute the demo ceremony.
 
-[ceremony]: https://github.com/letsencrypt/boulder/blob/main/cmd/ceremony/README.md
+  ```sh
+  ./reset.sh && ./run.sh`
+  ```

e1-cert.yaml → e5-cert.yaml

@@ -2,20 +2,20 @@ ceremony-type: intermediate
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  signing-key-slot: 1094195990
+  signing-key-slot: 1307844626
   signing-key-label: root-x2
 inputs:
   issuer-certificate-path: root-x2.cert.pem
-  public-key-path: int-e1.key.pem
+  public-key-path: int-e5.key.pem
 outputs:
-  certificate-path: int-e1.cert.pem
+  certificate-path: int-e5.cert.pem
 certificate-profile:
   signature-algorithm: ECDSAWithSHA384
-  common-name: Example ECDSA 1
-  organization: Example
+  common-name: (FAKE) E1
+  organization: (FAKE) Let's Encrypt
   country: XX
-  not-before: 2020-09-04 00:00:00
-  not-after: 2025-09-15 16:00:00
+  not-before: 2022-09-07 00:00:00
+  not-after: 2027-09-06 23:59:59
   key-usages:
       - Cert Sign
       - CRL Sign

e1-key.yaml → e5-key.yaml

@@ -2,10 +2,10 @@ ceremony-type: key
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  store-key-in-slot: 703725468
-  store-key-with-label: int-e1
+  store-key-in-slot: 732394342
+  store-key-with-label: int-e5
 key:
   type: ecdsa
   ecdsa-curve: P-384
 outputs:
-  public-key-path: int-e1.key.pem
+  public-key-path: int-e5.key.pem

e2-cert.yaml → e6-cert.yaml

@@ -2,20 +2,20 @@ ceremony-type: intermediate
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  signing-key-slot: 1094195990
+  signing-key-slot: 1307844626
   signing-key-label: root-x2
 inputs:
   issuer-certificate-path: root-x2.cert.pem
-  public-key-path: int-e2.key.pem
+  public-key-path: int-e6.key.pem
 outputs:
-  certificate-path: int-e2.cert.pem
+  certificate-path: int-e6.cert.pem
 certificate-profile:
   signature-algorithm: ECDSAWithSHA384
-  common-name: Example ECDSA 2
-  organization: Example
+  common-name: (FAKE) E6
+  organization: (FAKE) Let's Encrypt
   country: XX
-  not-before: 2020-09-04 00:00:00
-  not-after: 2025-09-15 16:00:00
+  not-before: 2022-09-07 00:00:00
+  not-after: 2027-09-06 23:59:59
   key-usages:
       - Cert Sign
       - CRL Sign

e2-key.yaml → e6-key.yaml

@@ -2,10 +2,10 @@ ceremony-type: key
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  store-key-in-slot: 703725468
-  store-key-with-label: int-e2
+  store-key-in-slot: 732394342
+  store-key-with-label: int-e6
 key:
   type: ecdsa
   ecdsa-curve: P-384
 outputs:
-  public-key-path: int-e2.key.pem
+  public-key-path: int-e6.key.pem

init-softhsm.sh

@@ -1,8 +1,9 @@
 #!/bin/bash -exv
-#
-# This doesn't really need to be run again. I ran it once to set up a SoftHSM
-# directory, but then checked in the SoftHSM files so run.sh can be run
-# repeatedly with the same slot ids.
+
+# This doesn't really need to be run again. It was used to generate the
+# //softhsm/ directory which is checked into this repository, but now that
+# directory can be left untouched while the yaml config files statically
+# reference its pin and slots.
 
 export SOFTHSM2_CONF=$PWD/softhsm2.conf
 echo "directories.tokendir = $PWD/softhsm/" > $SOFTHSM2_CONF

r3-cert.yaml → r7-cert.yaml

@@ -2,20 +2,20 @@ ceremony-type: intermediate
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  signing-key-slot: 1094195990
+  signing-key-slot: 1307844626
   signing-key-label: root-x1
 inputs:
   issuer-certificate-path: root-x1.cert.pem
-  public-key-path: int-r3.key.pem
+  public-key-path: int-r7.key.pem
 outputs:
-  certificate-path: int-r3.cert.pem
+  certificate-path: int-r7.cert.pem
 certificate-profile:
   signature-algorithm: SHA256WithRSA
-  common-name: Example RSA 1
-  organization: Example
+  common-name: (FAKE) R7
+  organization: (FAKE) Let's Encrypt
   country: XX
-  not-before: 2020-09-04 00:00:00
-  not-after: 2025-09-15 16:00:00
+  not-before: 2022-09-07 00:00:00
+  not-after: 2027-09-06 23:59:59
   key-usages:
       - Cert Sign
       - CRL Sign

r3-key.yaml → r7-key.yaml

@@ -2,10 +2,10 @@ ceremony-type: key
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  store-key-in-slot: 703725468
-  store-key-with-label: int-r3
+  store-key-in-slot: 732394342
+  store-key-with-label: int-r7
 key:
   type: rsa
   rsa-mod-length: 2048
 outputs:
-  public-key-path: int-r3.key.pem
+  public-key-path: int-r7.key.pem

r4-cert.yaml → r8-cert.yaml

@@ -2,20 +2,20 @@ ceremony-type: intermediate
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  signing-key-slot: 1094195990
+  signing-key-slot: 1307844626
   signing-key-label: root-x1
 inputs:
   issuer-certificate-path: root-x1.cert.pem
-  public-key-path: int-r4.key.pem
+  public-key-path: int-r8.key.pem
 outputs:
-  certificate-path: int-r4.cert.pem
+  certificate-path: int-r8.cert.pem
 certificate-profile:
   signature-algorithm: SHA256WithRSA
-  common-name: Example RSA 2
-  organization: Example
+  common-name: (FAKE) R8
+  organization: (FAKE) Let's Encrypt
   country: XX
-  not-before: 2020-09-04 00:00:00
-  not-after: 2025-09-15 16:00:00
+  not-before: 2022-09-07 00:00:00
+  not-after: 2027-09-06 23:59:59
   key-usages:
       - Cert Sign
       - CRL Sign

r4-key.yaml → r8-key.yaml

@@ -2,10 +2,10 @@ ceremony-type: key
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  store-key-in-slot: 703725468
-  store-key-with-label: int-r4
+  store-key-in-slot: 732394342
+  store-key-with-label: int-r8
 key:
   type: rsa
   rsa-mod-length: 2048
 outputs:
-  public-key-path: int-r4.key.pem
+  public-key-path: int-r8.key.pem

reset.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -exv
 
-rm -f *.pem *.pem.txt
+rm -f *.pem *.txt
 rm -rf softhsm/*
 git reset -- softhsm
 git checkout -- softhsm

root-x1.yaml

@@ -5,7 +5,7 @@ ceremony-type: root
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  store-key-in-slot: 1094195990
+  store-key-in-slot: 1307844626
   store-key-with-label: root-x1
 key:
   type: rsa

root-x2.yaml

@@ -2,7 +2,7 @@ ceremony-type: root
 pkcs11:
   module: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
   pin: 1234
-  store-key-in-slot: 1094195990
+  store-key-in-slot: 1307844626
   store-key-with-label: root-x2
 key:
   type: ecdsa
@@ -16,7 +16,7 @@ certificate-profile:
   common-name: (FAKE) ISRG Root X2
   organization: Internet Security Research Group
   country: US
-  not-before: 2020-09-04 00:00:00
+  not-before: 2020-09-07 00:00:00
   not-after: 2040-09-17 16:00:00
   key-usages:
       - Cert Sign