Commit 3cdc90c7 authored by Jorge Moratinos's avatar Jorge Moratinos

minor fix due to renderer issues

parent 78497572
+1 −0
@@ -13,6 +13,7 @@ The certificate generation and storage flow has been updated to support **multip
Previously, the startup and certificate provisioning logic assumed a single CAPIF instance and stored certificates from fixed Vault paths, which caused collisions when deploying more than one instance using a common Vault.

With this change:

- Certificates and keys are now **generated at the service level** (e.g., NGINX generates it's own key and CSR locally).
- Vault is now used only as a **signing authority (CA)** to sign incoming CSRs and to store the resulting artifacts, avoiding Vault-specific instance coupling and enabling the same Vault to serve other CAPIF deployments.
- A **unique CCF identifier (ccf_id)** is used as the namespace key to store and retrieve CAPIF certificates.
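Review bot: typo in the first bullet of this hunk: "NGINX generates it's own key" should read "its own key". The same paragraph says Vault stores "the resulting artifacts" without saying which ones; since the KV layout later in this document lists a `server_key` entry, state here whether the service's private key is among the artifacts pushed to Vault, because that decides whether "generated at the service level" actually keeps the key private to the service.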
+30 −9
@@ -9,11 +9,13 @@ This document describes the changes made to the certificate generation and manag
### Previous Architecture

In the previous implementation, Vault was responsible for:

- Generating the root CA and intermediate CA
- **Generating** service certificates
- Storing and distributing certificates

**Problems:**

- Vault generated service certificates (less secure)
- Difficult scalability for multiple CAPIF instances
- Strong coupling between Vault and each CAPIF instance
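Review bot: "Vault generated service certificates (less secure)" leaves the reason implicit; spell it out in that bullet, namely that the private key was created by Vault and then transported to the service instead of never leaving the service that uses it. That one clause is the security rationale for the whole redesign and makes the later Benefits list reviewable.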
@@ -48,6 +50,7 @@ In the new implementation:
```

**Benefits:**

- ✅ Enhanced security: each service generates its own private key
- ✅ Scalability: one Vault serves multiple CAPIF instances
- ✅ Isolation: certificates organized by CCF_ID
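Review bot: the Isolation bullet ("certificates organized by CCF_ID") describes a naming convention, not an access boundary. Add a sentence on the Vault policy bound to each instance's token (read/write limited to its own `secret/capif/<CCF_ID>/` subtree plus `pki_int/sign/my-ca`); without such a policy any instance token can read every other instance's entries under `secret/capif/`, and the isolation claim does not hold.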
@@ -58,6 +61,7 @@ In the new implementation:
### 1. Vault (`services/vault/vault_prepare_certs.sh`)

**Main changes:**

- No longer **generates** service certificates, only PKI infrastructure
- Generates only root CA and intermediate CA
- Configures PKI signing endpoint at `/v1/pki_int/sign/my-ca`
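Review bot: `/v1/pki_int/sign/my-ca` is the point where an arbitrary CSR turns into a trusted certificate, so "Configures PKI signing endpoint" should be followed by the constraints the script sets on that role: allowed domains, maximum TTL, key usages, and whether SANs from the CSR are honoured. Without those, a reader cannot tell what the endpoint will refuse to sign.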
@@ -69,6 +73,7 @@ In the new implementation:
**New primary certificate generation component:**

Implemented flow:

1. Fetches CA certificate from Vault (`secret/ca`)
2. Generates its own private key (`server.key`) if it doesn't exist
3. Creates a CSR (Certificate Signing Request) with CAPIF hostname
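Review bot: step 2, "Generates its own private key (`server.key`) if it doesn't exist", should state the key algorithm and size and the file mode applied to `server.key`; the Helper section of this document gives an explicit 600 for its key and NGINX should be documented to the same standard. Also describe the "exists" branch: when the key is present but the certificate is missing or expired, is a new CSR built from the existing key and re-signed?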
@@ -83,6 +88,7 @@ Implemented flow:
### 3. Register (`services/register/register_prepare.sh`)

**Similar pattern to NGINX:**

- Generates its own private key (`register_key.key`)
- Creates CSR with complete organization information
- Obtains CA from Vault
@@ -92,6 +98,7 @@ Implemented flow:
### 4. Helper Service (`services/helper/helper_service/app.py`)

**Modifications at application startup:**

- Creates a dedicated `certs/` directory with restrictive permissions
- Generates key pair and CSR for superadmin certificate using pyOpenSSL
- Saves private key locally with 600 permissions
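Review bot: "restrictive permissions" on the `certs/` directory should name the concrete mode (for example 700), matching the explicit 600 given for the private key two bullets below; otherwise an operator cannot check that a running deployment matches this document.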
@@ -106,12 +113,14 @@ Implemented flow:
**Modified `prepare_*.sh` scripts:**

New consumption pattern (no longer generate certificates):

1. Query Helper to obtain CAPIF instance's CCF_ID
2. Retrieve server's public key from Vault using path `secret/capif/${CCF_ID}/nginx`
3. Save public key to local location
4. Implement robust retries to wait for NGINX to generate and store certificates

**Affected files:**

- `prepare_invoker.sh`
- `prepare_provider.sh`
- `prepare_security.sh`
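Review bot: step 2 says the scripts retrieve the server's "public key" from `secret/capif/${CCF_ID}/nginx`, but the KV structure in this document lists only `server_crt` and `server_key` at that path and no separate public key entry; name the exact entry read (presumably `server_crt`) so nobody grants the consumer scripts read access to `server_key` by mistake. For step 4, document the retry count and backoff so that a NGINX failure surfaces as a timeout error in the consumer's logs rather than a container that waits forever.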
@@ -121,9 +130,11 @@ New consumption pattern (no longer generate certificates):
### KV (Key-Value v2) Structure

**Root level:**

- `secret/ca`: Stores intermediate CA certificate (accessible by all CAPIF instances)

**Per-CAPIF level:**

- `secret/capif/<CCF_ID>/nginx/`: Contains certificates for each CAPIF instance
  - `server_crt`: Server certificate
  - `server_key`: Server private key
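Review bot: storing `server_key: Server private key` under `secret/capif/<CCF_ID>/nginx/` undercuts the "each service generates its own private key" benefit: the key still leaves NGINX and is readable by any token with read access to that path. The consumers described in this document only need the public side, so either drop `server_key` from the KV layout or document why it must be stored there and which policy restricts reads to the NGINX instance that owns it.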
@@ -135,11 +146,13 @@ New consumption pattern (no longer generate certificates):
### PKI Endpoints

**Root PKI Engine (`pki/`):**

- `root/generate/internal`: Generates root CA
- `config/urls`: Configures issuance and CRL URLs
- `root/sign-intermediate`: Signs intermediate CA

**Intermediate PKI Engine (`pki_int/`):**

- `intermediate/generate/internal`: Generates intermediate CA CSR
- `intermediate/set-signed`: Installs signed intermediate certificate
- `roles/my-ca`: Defines signing role with its policies
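Review bot: "`roles/my-ca`: Defines signing role with its policies" is the bullet a security reviewer most needs expanded. List the role parameters the script actually sets (allowed domains, `allow_any_name`, `use_csr_sans`, max TTL, key usage), because these parameters, not the CA hierarchy above them, decide what a leaked instance token can obtain a certificate for.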
@@ -150,10 +163,12 @@ New consumption pattern (no longer generate certificates):
### 1. Vault Initialization

**Execute once per Vault cluster:**

- In Docker: run `vault_prepare_certs.sh` script
- In Kubernetes: apply ConfigMap and Job from `helm/vault-job/vault-job.yaml`

**Expected result:**

- ✅ Root CA generated
- ✅ Intermediate CA generated and signed
-`my-ca` role configured
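Review bot: the last bullet of this hunk, -`my-ca` role configured, is missing the space after the hyphen (and the ✅ marker the two bullets above it carry), so it will not render as a list item. Given this commit is titled as a renderer fix, that line should read "- ✅ `my-ca` role configured".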
@@ -165,14 +180,17 @@ Each CAPIF instance (identified by unique CCF_ID):

1. **Helper starts** → Generates unique CCF_ID
2. **NGINX starts:**

   - Generates `server.key` and `server.csr`
   - Requests signing from Vault
   - Receives `server.crt`
   - Stores in `secret/capif/${CCF_ID}/nginx`
3. **Register starts:**

   - Generates registration certificate
   - Requests signing from Vault
4. **API Services start:**

   - Retrieve certificates from Vault using CCF_ID
   - Use public key for validation

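Review bot: step 4, "Use public key for validation", should say what is validated and with which artifact. If the API services verify client certificates or tokens that chain to the CAPIF CA, the material they need is the CA certificate from `secret/ca`, not the NGINX server material under `secret/capif/${CCF_ID}/nginx`; if they verify something signed with the NGINX server key, say so explicitly, since that determines which KV paths the consumer tokens must be allowed to read.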
@@ -201,6 +219,7 @@ Each CAPIF instance (identified by unique CCF_ID):
The `helm/vault-job/vault-job.yaml` file has been significantly simplified:

**Main changes:**

- ❌ No longer generates certificates for specific services
- ✅ Only executes basic PKI setup (Root CA, Intermediate CA, signing role)
- ✅ Lighter: 144 lines removed
@@ -212,11 +231,13 @@ The `helm/vault-job/vault-job.yaml` file has been significantly simplified:
**Changes in `services/docker-compose-capif.yml`:**

**NGINX:**

- No longer mounts external certificate volumes
- Certificates are generated dynamically in `/etc/nginx/certs` at startup
- New environment variables: `VAULT_HOSTNAME`, `VAULT_PORT`, `VAULT_ACCESS_TOKEN`, `CAPIF_HOSTNAME`

**Helper:**

- Manages its own certificate directory internally
- `certs/` directory is automatically created by `app.py` at startup
- No longer requires external volumes for certificates
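Review bot: `VAULT_ACCESS_TOKEN` is listed as a plain environment variable next to hostnames; document how it is supplied in `services/docker-compose-capif.yml` (env file or Docker secret rather than a literal in the committed compose file) and state that it should be a token limited to what NGINX needs, namely signing via `pki_int/sign/my-ca` and writing its own `secret/capif/${CCF_ID}/nginx` path. An over-privileged token in a container environment is the main risk the new design introduces, and the doc should say how it is contained.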
@@ -272,15 +293,15 @@ The `helm/vault-job/vault-job.yaml` file has been significantly simplified:

### Modified Files (Branch OCF182-certs-generation)

- [`services/vault/vault_prepare_certs.sh`](../services/vault/vault_prepare_certs.sh) - PKI Setup
- [`services/nginx/nginx_prepare.sh`](../services/nginx/nginx_prepare.sh) - NGINX certs generation
- [`services/register/register_prepare.sh`](../services/register/register_prepare.sh) - Register certs generation
- [`services/helper/helper_service/app.py`](../services/helper/helper_service/app.py) - Superadmin cert generation
- [`services/TS29222_CAPIF_API_Invoker_Management_API/prepare_invoker.sh`](../services/TS29222_CAPIF_API_Invoker_Management_API/prepare_invoker.sh) - Cert consumption
- [`services/TS29222_CAPIF_API_Provider_Management_API/prepare_provider.sh`](../services/TS29222_CAPIF_API_Provider_Management_API/prepare_provider.sh) - Cert consumption
- [`services/TS29222_CAPIF_Security_API/prepare_security.sh`](../services/TS29222_CAPIF_Security_API/prepare_security.sh) - Cert consumption
- [`helm/vault-job/vault-job.yaml`](../helm/vault-job/vault-job.yaml) - Kubernetes Job
- [`services/docker-compose-capif.yml`](../services/docker-compose-capif.yml) - Docker Configuration
- [`services/vault/vault_prepare_certs.sh`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/vault/vault_prepare_certs.sh) - PKI Setup
- [`services/nginx/nginx_prepare.sh`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/nginx/nginx_prepare.sh) - NGINX certs generation
- [`services/register/register_prepare.sh`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/register/register_prepare.sh) - Register certs generation
- [`services/helper/helper_service/app.py`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/helper/helper_service/app.py) - Superadmin cert generation
- [`services/TS29222_CAPIF_API_Invoker_Management_API/prepare_invoker.sh`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/TS29222_CAPIF_API_Invoker_Management_API/prepare_invoker.sh) - Cert consumption
- [`services/TS29222_CAPIF_API_Provider_Management_API/prepare_provider.sh`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/TS29222_CAPIF_API_Provider_Management_API/prepare_provider.sh) - Cert consumption
- [`services/TS29222_CAPIF_Security_API/prepare_security.sh`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/TS29222_CAPIF_Security_API/prepare_security.sh) - Cert consumption
- [`helm/vault-job/vault-job.yaml`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/helm/vault-job/vault-job.yaml) - Kubernetes Job
- [`services/docker-compose-capif.yml`](https://labs.etsi.org/rep/ocf/capif/-/blob/staging/services/docker-compose-capif.yml) - Docker Configuration

### Related Documentation
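Review bot: the heading still reads "Modified Files (Branch OCF182-certs-generation)" while every link in the hunk now points at `/-/blob/staging/...`. Until the branch is merged those links resolve to the unmodified staging copies (or to nothing, for paths that do not yet exist there), so either keep the relative links in this section or change the heading and links together at merge time.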