I’m using staging server (aka Happy Hacker CA) to get certs for our staging environment. I would like to monitor them (we have valid certs on our staging platform), and not use production CA for this.
For our current certs, we use a custom CA that we import in the browser and in the CA store on the server. Is it possible to get the Happy Hacker CA somewhere to import it? I looked at the boulder directory in the letsencrypt githup repo, but it doesn’t seem to be the same CA
Thanks in advance for your help,
You can obtain it from http://cert.staging-x1.letsencrypt.org/ in DER format. That said, the Happy Hacker signing key for the staging network is in no way protected, it’s in fact distributed with Boulder’s source code, so beware.
I know there are plans to generate a new staging cert chain (with intermediates) so that staging can submit to test CT logs, but I don’t believe it’s a high priority.
Thank you very much jcjones, this is exactly what I needed.
We’ll update our process if the staging cert chain change.
It sounds like you’re doing the right thing: Importing the CA cert for staging into a browser that is only used for CI testing.
Just to be clear for anyone else visiting this thread: Do not import the staging CA into any browser you actually use to surf the web. It will allow anyone to trivially MITM you.