Skip to content

Implement Persistent, Auto-Renewing Local CA PKI#183

Open
tyronechrisharris wants to merge 112 commits intoopensensorhub:masterfrom
tyronechrisharris:jules-sync-23412011801
Open

Implement Persistent, Auto-Renewing Local CA PKI#183
tyronechrisharris wants to merge 112 commits intoopensensorhub:masterfrom
tyronechrisharris:jules-sync-23412011801

Conversation

@tyronechrisharris
Copy link
Copy Markdown

@tyronechrisharris tyronechrisharris commented Mar 22, 2026
edited
Loading

This PR transitions the system from an ephemeral Root CA (where the private key was destroyed after leaf generation) to a Persistent Local CA architecture.

Key changes include:

  1. Refactored Utility: EphemeralCAUtility.java is now LocalCAUtility.java.
  2. Persistence: The Root CA private key is now securely stored in osh-keystore.p12 under the alias root-ca. It is encrypted using the auto-generated password in .app_secrets.
  3. Automated Renewal: SensorHubWrapper now calls LocalCAUtility.checkAndRenewCertificates() on every boot. If the jetty leaf certificate is within 30 days of expiration, it is automatically regenerated and signed by the persistent Root CA.
  4. Lifespan Changes: Root CA now has a 20-year lifespan to minimize manual trust-store updates for operators. Leaf certificates remain at 1 year.
  5. Centralized Management: Launch scripts no longer manually call the CA utility; all certificate lifecycle management is now handled within the Java application's startup sequence.
  6. Documentation: Architecture wikis have been updated to reflect the new persistent PKI and automated renewal logic as per AI_CONTRIBUTING_RULES.md.

Verification:

  • Added LocalCAUtilityTest.java to verify initial generation and lifespan logic.
  • Verified compilation and test pass via ./gradlew :security-utils:test.
  • Manual inspection of launch.sh and launch.bat confirm removal of obsolete generation steps.

Fixes #63

PR created automatically by Jules for task 8825928146862250262 started by @tyronechrisharris

🔄 Auto-Distributed via Sync

Original Flat Repo PR: tyronechrisharris/oscar-flat#64

🔗 Related Updates in this Sync:

mdhsl and others added 30 commits September 24, 2025 18:14
@mdhsl
Update driver to use validTime for feature as a specific column as ts…
4f9843a 
…range indexed column; fix system serialization/deserialization
@mdhsl
Remove useless classes
b0db77c
@mdhsl
Fix wrong selectLastVersionByUidQuery() function for system
bc8fb87
@mdhsl
Do not insert a new system if it already exists: check the uniqueId
31da427
@mdhsl
Fix datastream issues with validTime
c7f91de
@mdhsl
Fix datastreams validTime
4c90585
@mdhsl
Fix issue with non thread safe batchPrepareStatement object; improve …
2cc3779 
…batch mode
@mdhsl
Add FoiFilter to filter Obs and fix PostgisFeature unit tests
3de0277
@mdhsl
Increase timeout and connection max life time
5d47070
@mdhsl
Update driver to use validTime for feature as a specific column as ts…
1b76079 
…range indexed column; fix system serialization/deserialization
@mdhsl
Remove useless classes
d7f2e4e
@mdhsl
Fix wrong selectLastVersionByUidQuery() function for system
f1f1d1c
@mdhsl
Do not insert a new system if it already exists: check the uniqueId
c98b862
@mdhsl
Fix datastream issues with validTime
21e2f9e
@mdhsl
Fix datastreams validTime
ec0a20b
@mdhsl
Fix issue with non thread safe batchPrepareStatement object; improve …
7412f03 
…batch mode
@mdhsl
Add FoiFilter to filter Obs and fix PostgisFeature unit tests
18ff4f5
@mdhsl
Increase timeout and connection max life time
925d872
@earocorn
Update command status serialization for osh-core changes and add inli…
6877aba 
…ne records serialization
@mdhsl
Merge pull request opensensorhub#125 from earocorn/cmd-status-seriali…
94ac11f 
…zation

Update command status serialization for osh-core changes and add inli…
@mdhsl
Fix BigId due to osh-core changes on command API
73d0eb7
@mdhsl
Fix merge
87d4828
@mdhsl
Use config to specify batch mode
2777dd8
@mdhsl
Clear the ThreadSafeBatchExecutor after closing connection
b2b8688
@mdhsl
Fix drop() into Postgis store add Add support for streaming into Feat…
4d41300 
…ureDatabase
@mdhsl
Centralize the use of JDBC connection; add streaming data for OBS, FE…
30f8565 
…ATURE and command; fix blocking connection while executing a DROP request; improve the use of batch
@mdhsl
Add support of obsFilter for FOI queries
cda8bde
@mdhsl
Speed up the batch mode by using addBatch for Feature
9313123
@mdhsl
Change logic when using InnerJoin to add condition directly after the…
a1c9cdd 
… Join instead at the end using WHERE
@mdhsl
Add support for batch removing into obs table; Use validTime into Foi…
6c96e76 
… query to select corresponding query
earocorn and others added 26 commits November 21, 2025 11:03
@earocorn
Upgrade connection pool size to 50. Fix system valid time filter
918a820
@earocorn
Synchronize on all add/put/remove. Query DataStream time ranges in se…
2e45f6c 
…lectEntries
@earocorn
Fix value predicate paging
9cb8030
@earocorn
Remove synchronized methods
754b97e
@earocorn
Use JSONB for obs table and reorder upon deserialization
e9334f9
@earocorn
Remove limit cap when using val predicate
8c41a2d
@earocorn
Add includeMembers filter to UID query
d83e097
@earocorn
Merge master into fix-postgis-commands
aeb59e6
@earocorn
Use cursor-based pagination with phenomenonTime on obs
347b1e0
@earocorn
Fix issue with AsynchronousSocketChannel on Windows
294fdfa
@earocorn
Synchronize and null check in FFmpeg transcoding
81d14db
@earocorn
Update datastream time ranges to use a SQL TRIGGER
915f21c
@earocorn
Add Hikari config
91aa4a9
@earocorn
Add CQL filter to postgis obs store
c6ea923
@earocorn
Update CQL to use @> operator, as well as observed property filter
92235ef
@earocorn
revert datastream query to use jsonb_path_exists
d0846a0
@earocorn
Link obs store to system store
448b993
@earocorn
Revert to ObsIteratorResultSet and fix some query filters
a0b73ee
@earocorn
Revert put() to use update statement
d406d62
@earocorn
Use pgtimestamp instead of date for times
a359156
@earocorn
Limit 1 for select last ID query
56d48bc
@earocorn
Add descending order param to obs queries
fb0e755
@earocorn
Increase socket timeout to 5 minutes
ce66c7f
@earocorn
Fix bug where Vector not serialized properly
1a5fde5
@earocorn
Reduce pool size to 20
c26e214
@github-actions
Auto-sync updates: Implement Persistent, Auto-Renewing Local CA PKI
f1caa60
This was referenced Mar 22, 2026
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tyronechrisharris @mdhsl @earocorn @BillBrown341 @alexrobin