Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
66
docs/doctor/articles/timestamping/tsa-cert-expiry.md
Normal file
@@ -0,0 +1,66 @@
---
checkId: check.timestamp.tsa.cert-expiry
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, tsa, certificate, expiry]
---
# TSA Certificate Expiry

## What It Checks
Checks if TSA signing certificates are approaching expiry. The check:

- Evaluates each certificate in the `TsaCertificates` configuration list.
- Calculates days remaining until expiry.
- **Fails** (unhealthy) if any certificate is expired or within the critical threshold (default 90 days).
- **Warns** (degraded) if within the warning threshold (default 180 days).
- Passes if all certificates have sufficient validity remaining.

## Why It Matters
An expired TSA signing certificate means new timestamps cannot be validated by relying parties. Evidence signed with an expired certificate may be rejected during compliance audits. Early warning gives operators time to coordinate certificate renewal with the TSA provider before any disruption.

## Common Causes
- TSA provider certificate approaching natural end-of-life
- Certificate renewal not tracked or scheduled
- Using a short-lived certificate without automated renewal

## How to Fix

### Docker Compose
Update the certificate configuration when renewed certificates are obtained from the TSA provider:

```yaml
environment:
Timestamping__TsaCertificates__0__Name: "DigiCert TSA"
Timestamping__TsaCertificates__0__Subject: "CN=DigiCert TSA"
Timestamping__TsaCertificates__0__ExpiresAt: "2027-01-15T00:00:00Z"
```

### Bare Metal / systemd
Contact the TSA provider to obtain renewed certificates and update the trust configuration:

```bash
stella tsa cert update --name "DigiCert TSA" --cert /path/to/new-cert.pem
```

### Kubernetes / Helm
```yaml
timestamping:
certificates:
warnDays: 180
criticalDays: 90
```

Update Kubernetes secrets when new certificates are obtained:
```bash
kubectl create secret generic tsa-certs --from-file=cert.pem=/path/to/new-cert.pem --dry-run=client -o yaml | kubectl apply -f -
```

## Verification
```
stella doctor run --check check.timestamp.tsa.cert-expiry
```

## Related Checks
- `check.timestamp.tsa.root-expiry` — checks TSA root/trust anchor certificate expiry
- `check.timestamp.tsa.chain-valid` — validates TSA certificate chain integrity
- `check.timestamp.tsa.valid-response` — verifies TSA returns valid timestamp tokens
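Review bot: the Docker Compose block hand-declares `Timestamping__TsaCertificates__0__ExpiresAt: "2027-01-15T00:00:00Z"` while "What It Checks" says the check evaluates each entry in the `TsaCertificates` configuration list, so the article never says whether the check reads the certificate's own notAfter or this configured date. If it is the configured date, an operator who renews the PEM via `stella tsa cert update` or the `tsa-certs` secret without touching `ExpiresAt` is left with a failing check, and editing `ExpiresAt` alone silences it without any renewal; please state the source of truth and, if `ExpiresAt` must be maintained by hand, say so explicitly under "How to Fix". Smaller points: the frontmatter says `severity: warn` while the check is documented to fail (unhealthy) on expiry, so clarify what the frontmatter severity denotes; the Helm block sets `warnDays: 180` / `criticalDays: 90` but the Compose and systemd sections give no equivalent threshold keys; the Kubernetes section is the only one without an introductory sentence before its first block; and the Verification fence has no language tag, unlike the other fences in the file.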