SecureTransport Research Project - Parts 1 - 6
A research prototype messaging system exploring practical solutions to operational challenges in modern cryptographic infrastructure, including the migration to post-quantum cryptography and automated rotation of short-lived certificates, both Intermediate CA and leaf, with zero service downtime.
- Note: The initial draft of each of these posts was generated using Claude Sonnet 4.5 within Copilot from a requested outline. It had access to all of the project code and scripts. Each draft was then manually edited, and specific sections were revised on request based on manual review.
Series Overview
This multi-part series covers:
Part 1: Overview
A research prototype demonstrating automated Intermediate CA certificate rotation and high-frequency post-quantum key management in Kubernetes. Addresses the operational crisis of moving from yearly to hourly certificate rotation while implementing zero-trust architectures and PQC algorithms—validated under realistic message loads with zero-downtime guarantees.
Part 2: Installation
Deployment instructions, requirements, and the background needed to understand how to deploy the SecureTransport research prototype.
Part 3: Service Authorization
Deep dive into the cryptographic authorization model: how services-acl-configmap defines permissions, how ServiceBundles package cryptographic material with embedded authorization, and how Kyber key encapsulation (a KEM, not a classical Diffie-Hellman exchange) securely delivers bundles to services.
Part 4: Automated CA Certificate Rotation
Deep dive into automated Intermediate CA Bundle Rotation: epoch-driven timing with CaEpochUtil, three-tier orchestration (Metadata generation, Watcher SIGHUP coordination, client reloads), zero-downtime certificate updates, and cryptographic guarantees for post-quantum readiness.
Part 5: OpenBao Integration via Agent Sidecar
Deep dive into OpenBao integration: AppRole authentication with Agent sidecar, automatic token management, cert-manager TLS certificate issuance, secret storage and retrieval, and automatic secret-id rotation. Explores the complete lifecycle from Kubernetes configuration to application-level vault access.
Part 6: SignedMessage Protocol
Deep dive into the SignedMessage protocol: end-to-end message authentication and encryption using Dilithium signatures, AES-256-GCM with HKDF key derivation, epoch-based key management, and cryptographic enforcement of authorization. Explores message creation, encryption, signature generation, decryption, and verification flows with automatic ServiceBundle recovery from OpenBao.
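To make the "HKDF key derivation" and "epoch-based key management" phrases above concrete before Part 6, here is an added, stand-alone example; it is not SecureTransport's code and does not reproduce the project's actual info-string layout, epoch length, or acceptance window, all of which are assumptions chosen for illustration. It implements HKDF-SHA256 exactly as RFC 5869 specifies (checkable against the RFC's test vectors), then shows how a per-epoch, per-sender/recipient AES-256 key can be derived so that the authorization decision is bound into the key itself, and how a receiver tolerates the rotation boundary by also trying the previous epoch.

```python
"""HKDF-SHA256 (RFC 5869) and an epoch-keyed derivation schedule.

Added illustration only: this is NOT SecureTransport's code. The info-string
layout, the 1-hour epoch length and the one-epoch acceptance window are
assumptions made for this example; the series does not specify them here.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt is replaced by HashLen zero bytes (RFC 5869 2.2)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) | T(2) | ... truncated to `length`, where
    T(i) = HMAC-Hash(PRK, T(i-1) | info | i) and T(0) is empty (RFC 5869 2.3)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long for this hash")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full extract-then-expand HKDF."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


EPOCH_SECONDS = 3600  # assumed: hourly epochs, matching the "hourly rotation" goal


def epoch_for(unix_time: int) -> int:
    """Epoch number for a Unix timestamp; every key is tied to one of these."""
    return unix_time // EPOCH_SECONDS


def epoch_key(master_secret: bytes, epoch: int, sender: str, recipient: str) -> bytes:
    """Derive a 32-byte AES-256 key bound to one epoch and one sender/recipient pair.

    Putting the identities into `info` means a key derived for A -> B cannot be
    reused for A -> C even within the same epoch: the authorization decision
    becomes part of the key material rather than a separate, bypassable check.
    (Label and separator are assumptions for this example.)
    """
    info = b"|".join([b"securetransport-msg-v1",
                      str(epoch).encode(), sender.encode(), recipient.encode()])
    # Non-secret per-epoch salt: the same master secret yields an unrelated PRK each epoch.
    salt = b"epoch:" + epoch.to_bytes(8, "big")
    return hkdf(salt, master_secret, info, 32)


def acceptable_epochs(now: int, grace_epochs: int = 1) -> list:
    """Epochs a receiver should try, newest first: the current one plus `grace_epochs`
    previous ones, so a message sealed just before rollover still decrypts after the
    sender's key has rotated. A message from a future epoch is never accepted."""
    current = epoch_for(now)
    return [current - i for i in range(grace_epochs + 1)]


if __name__ == "__main__":
    master = b"\x01" * 32  # constructed demo secret, not a real key
    now = 7199
    k_now = epoch_key(master, epoch_for(now), "orders", "billing")
    k_next = epoch_key(master, epoch_for(now + 1), "orders", "billing")
    print("epoch", epoch_for(now), "key", k_now.hex()[:16], "...")
    print("rotates at next second:", k_now != k_next)
    print("receiver tries epochs", acceptable_epochs(now + 1))
```

The acceptance window is the practical point: with hourly keys, a sender and receiver will disagree on the current epoch for a few seconds around every boundary, and a receiver that only tries the current epoch will reject valid traffic once an hour. Keeping the grace window at one epoch bounds how long an old key stays usable.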