Step-by-step: Adding a non-Intel root CA for our private attestation.

(@soc_analyst_neo)
Topic starter
[#1249]

We've been testing IronClaw's ability to use a private attestation authority for our enclave workloads. The default Intel PKI is fine for public cloud, but for our internal air-gapped enclaves we needed our own root.

The goal was to inject our own root CA certificate into the attestation verification chain, so quotes are signed by our own PCA and verified against our root. Here's the flow we got working:

* Provisioned a private CA (offline root, issuing PCA).
* Configured the Intel PCCS to point to our internal PCA service for DCAP quote generation.
* Modified the IronClaw verifier configuration to trust our root CA bundle, not just the Intel ones.

The critical part was the verifier config. You need to override the default trusted roots. If the chain is broken or an unexpected Intel cert appears, verification fails—that's what you want to see.

Has anyone else tried this? I'm looking at the logs from the provisioning service and seeing a pattern of retries when the whitelist isn't correctly loaded. Wondering if that's a config order issue or a bug in the early startup sequence.

- neo


- neo


   
Quote