git.stella-ops.org/docs/doctor/articles/timestamping/tsa-chain-valid.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00

checkId: check.timestamp.tsa.chain-valid
plugin: stellaops.doctor.timestamping
severity: fail
tags: timestamping, tsa, certificate, chain, validation

TSA Certificate Chain Validity

What It Checks

Ensures TSA certificate chains are valid and complete. The check:

  • Queries the certificate chain status provider for all configured TSA chains.
  • Validates that each chain is complete (leaf to root) and has no errors.
  • Fails if all chains are invalid. Warns if some chains are invalid.
  • Reports degraded if no chain data is available (provider not configured).

Why It Matters

An incomplete or broken certificate chain means TSA timestamps cannot be verified end-to-end. Relying parties will reject evidence with unverifiable chains, causing compliance audit failures and blocking release promotions. This is a critical-severity check.

Common Causes

  • Missing intermediate certificates
  • Intermediate certificate expired
  • Trust store not updated after CA changes
  • Misconfigured certificate chain ordering
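
The decision logic described under What It Checks, together with detection of the first, second and fourth common causes above, as an added example in Python. This is not StellaOps code: the `CertInfo` records stand in for what the certificate chain status provider returns, the constructed certificate names, the `chain_errors` and `evaluate` functions and the status strings are assumptions made for this illustration, and signature verification of each link is deliberately left out (the `openssl verify` command in How to Fix covers that).

```python
"""Model of the TSA chain-validity check (added example, not StellaOps code).

Chains are constructed CertInfo records, leaf first, standing in for the
status provider's output. Signature verification is out of scope here; the
model covers chain completeness, ordering, validity periods and the
fail / warn / degraded aggregation the check performs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertInfo:
    """Minimal constructed view of one X.509 certificate."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def _reorder(chain: list[CertInfo]) -> list[CertInfo] | None:
    """Try to arrange the certificates leaf-first; None if no order links up."""
    by_subject = {c.subject: c for c in chain}
    for start in chain:
        ordered, cur = [start], start
        while not cur.self_signed:
            nxt = by_subject.get(cur.issuer)
            if nxt is None or nxt in ordered:
                break
            ordered.append(nxt)
            cur = nxt
        if cur.self_signed and len(ordered) == len(chain):
            return ordered
    return None


def chain_errors(chain: list[CertInfo], now: datetime) -> list[str]:
    """Reasons a leaf-first chain is incomplete or invalid (empty list = OK).

    Each entry starts with a code: missing-link, no-root, wrong-order,
    expired or not-yet-valid.
    """
    if not chain:
        return ["missing-link: chain is empty"]
    errors: list[str] = []
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            errors.append(f"missing-link: {cert.subject} is issued by "
                          f"{cert.issuer}, but {parent.subject} follows it")
    if not chain[-1].self_signed:
        errors.append(f"no-root: chain ends at {chain[-1].subject}, "
                      "which is not self-signed")
    # If the same certificates link up once re-sorted, the problem is the
    # configured ordering, not a missing certificate: report it as such.
    if errors and (fixed := _reorder(chain)) is not None:
        errors = ["wrong-order: expected " + " -> ".join(c.subject for c in fixed)]
    for cert in chain:
        if now < cert.not_before:
            errors.append(f"not-yet-valid: {cert.subject} (from {cert.not_before:%Y-%m-%d})")
        elif now > cert.not_after:
            errors.append(f"expired: {cert.subject} (until {cert.not_after:%Y-%m-%d})")
    return errors


def evaluate(chains: dict[str, list[CertInfo]] | None, now: datetime) -> tuple[str, str]:
    """Aggregate per-chain results into the check's status and message."""
    if not chains:
        return "degraded", "no chain data available (provider not configured)"
    invalid: dict[str, list[str]] = {}
    for name, chain in chains.items():
        errs = chain_errors(chain, now)
        if errs:
            invalid[name] = errs
    if not invalid:
        return "pass", f"all {len(chains)} TSA chain(s) valid"
    detail = "; ".join(f"{n}: {e[0]}" for n, e in sorted(invalid.items()))
    if len(invalid) == len(chains):
        return "fail", f"all {len(chains)} TSA chain(s) invalid: {detail}"
    return "warn", f"{len(invalid)} of {len(chains)} TSA chain(s) invalid: {detail}"


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: one healthy chain and one per common cause.
NOW = _utc(2026, 3, 27)
ROOT = CertInfo("CN=Example TSA Root", "CN=Example TSA Root", _utc(2020, 1, 1), _utc(2040, 1, 1))
INTERMEDIATE = CertInfo("CN=Example TSA CA", "CN=Example TSA Root", _utc(2022, 1, 1), _utc(2032, 1, 1))
EXPIRED_INTERMEDIATE = CertInfo("CN=Example TSA CA", "CN=Example TSA Root", _utc(2016, 1, 1), _utc(2026, 1, 1))
LEAF = CertInfo("CN=Example TSA Signer", "CN=Example TSA CA", _utc(2025, 1, 1), _utc(2027, 1, 1))

SAMPLE_CHAINS = {
    "provider-ok": [LEAF, INTERMEDIATE, ROOT],
    "missing-intermediate": [LEAF, ROOT],
    "expired-intermediate": [LEAF, EXPIRED_INTERMEDIATE, ROOT],
    "wrong-order": [INTERMEDIATE, LEAF, ROOT],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(f"{name}: {chain_errors(chain, NOW) or 'OK'}")
    print(evaluate(SAMPLE_CHAINS, NOW))
```

With the four sample chains together the result is a warn, because only some chains are invalid; feeding only the three broken chains yields a fail, and an empty or absent mapping yields degraded, matching the severity rules listed above.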

How to Fix

Docker Compose

# Verify chain manually
openssl verify -CAfile /certs/root.pem -untrusted /certs/intermediate.pem /certs/tsa-leaf.pem

# Update chain configuration
docker exec <platform-container> stella tsa chain update --name "Provider" \
  --cert /certs/tsa-leaf.pem --intermediate /certs/intermediate.pem

Bare Metal / systemd

stella tsa chain validate --all
stella tsa chain update --name "Provider" \
  --cert /path/to/leaf.pem --intermediate /path/to/intermediate.pem

Kubernetes / Helm

timestamping:
  chainValidation:
    enabled: true

Update certificate chain secrets:

kubectl create secret generic tsa-chain \
  --from-file=leaf.pem --from-file=intermediate.pem --from-file=root.pem

Verification

stella doctor run --check check.timestamp.tsa.chain-valid

Related Checks

  • check.timestamp.tsa.cert-expiry — checks TSA signing certificate expiry
  • check.timestamp.tsa.root-expiry — checks TSA root certificate expiry