rdkcentral · Sidsohail · Apr 22, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 2, 2026
@@ -8,6 +8,8 @@ services:
       - "50051:50051"
       - "50052:50052"
       - "50053:50053"
+      - "50054:50054"
+      - "50055:50055"  # RDK-61060: XPKI Certifier
       - "50056:50056"
       - "50057:50057"
       - "50058:50058"
@@ -16,7 +18,7 @@ services:
     volumes:
       - ../:/mnt/L2_CONTAINER_SHARED_VOLUME
     environment:
-      - ENABLE_MTLS=true    
+      - ENABLE_MTLS=true
 
 
   l2-container:

@@ -93,13 +93,18 @@ RUN chmod +x /usr/local/bin/stbLogUpload.js
 COPY crashUpload.js /usr/local/bin/crashUpload.js
 RUN chmod +x /usr/local/bin/crashUpload.js
 
+# RDK-61060: XPKI Certifier service
+COPY xpki-certifier.js /usr/local/bin/xpki-certifier.js
+RUN chmod +x /usr/local/bin/xpki-certifier.js
+
 CMD ["/usr/local/bin/entrypoint.sh"]
 
 EXPOSE 50050
 EXPOSE 50051
 EXPOSE 50052
 EXPOSE 50053
 EXPOSE 50054
+EXPOSE 50055
 EXPOSE 50056
 EXPOSE 50057
 EXPOSE 50058

@@ -1,4 +1,5 @@
 #!/bin/sh
+echo "[certs.sh] Starting certificate generation..."
 set -e
 
 ##########################################################################
@@ -60,6 +61,7 @@ mkdir -p "$SHARED_CERTS_DIR/server"
 
 # Copy the server certificates to the xconf certs directory
 cp "$SERVER_KEY" /etc/xconf/certs/mock-xconf-server-key.pem
+chmod 600 /etc/xconf/certs/mock-xconf-server-key.pem
 cp "$SERVER_CERT" /etc/xconf/certs/mock-xconf-server-cert.pem
 echo "[certs] Server certificates generated and copied to /etc/xconf/certs"
 
@@ -68,6 +70,47 @@ cp "$ROOT_CA_CERT" "$SHARED_CERTS_DIR/server/root_ca.pem"
 cp "$ICA_CERT" "$SHARED_CERTS_DIR/server/intermediate_ca.pem"
 echo "[certs] Server root and intermediate CA certificates copied to shared volume for native-platform"
 
+# ─── RDK-61060: Generate Seed Certificate using Server ICA ───────────────────
+# NOTE: This MUST run BEFORE the mTLS wait so that xpki-certifier.js can start
+# Use Test-RDK-server-ICA to sign seed cert (simpler than dual PKI hierarchy)
+# Per architecture: mock-xconf generates seed, exports to shared volume
+
+echo "[certs] Generating seed certificate using Test-RDK-server-ICA..."
+
+# Setup xpki-certifier.js directories
+XPKI_DIR="/etc/xconf/xpki-certs"
+SEED_CERT_DIR="$SHARED_CERTS_DIR/client"
+mkdir -p "$XPKI_DIR" "$SEED_CERT_DIR"
+
+# Copy server ICA for xpki-certifier.js (to sign operational certs)
+cp "/etc/pki/${ROOT_CA_NAME}/${ICA_NAME}/private/${ICA_NAME}.key" "$XPKI_DIR/Test-RDK-xpki-ICA.key"
+cp "$ICA_CERT" "$XPKI_DIR/Test-RDK-xpki-ICA.pem"
+cp "$ROOT_CA_CERT" "$XPKI_DIR/Test-RDK-xpki-root.pem"
+chmod 600 "$XPKI_DIR/Test-RDK-xpki-ICA.key"
+
+# Generate seed cert using rdk-cert-config (unified PKI - no separate xpki-root)
+/etc/pki/scripts/create_leaf_cert.sh \
+    --cert-name "test-seed-device-001" \
+    --ca-name "$ICA_NAME" \
+    --cn "test-seed-device-001" \
+    --validity 30 \
+    --type client
+
+# Export seed cert to shared volume for native-platform
+SEED_KEY="/etc/pki/${ROOT_CA_NAME}/${ICA_NAME}/private/test-seed-device-001.key"
+SEED_CERT="/etc/pki/${ROOT_CA_NAME}/${ICA_NAME}/certs/test-seed-device-001.pem"
+SEED_P12="/etc/pki/${ROOT_CA_NAME}/${ICA_NAME}/certs/test-seed-device-001.p12"
+
+cp "$SEED_KEY" "$SEED_CERT_DIR/seed-cert.key"
+cp "$SEED_CERT" "$SEED_CERT_DIR/seed-cert.pem"
+cp "$SEED_P12" "$SEED_CERT_DIR/seed-cert.p12"
+
+chmod 644 "$SEED_CERT_DIR/seed-cert.pem" "$SEED_CERT_DIR/seed-cert.p12"
+chmod 600 "$SEED_CERT_DIR/seed-cert.key"
+
+echo "[certs] ✓ Seed certificate generated and exported to shared volume"
+echo "[certs] ✓ xPKI Certifier configured (uses Test-RDK-server-ICA)"
+
 # If mTLS is enabled at startup, wait for client certificates
 if [ "$ENABLE_MTLS" = "true" ]; then
     echo "[certs] mTLS enabled - waiting for client certificates..."
@@ -83,6 +126,13 @@ if [ "$ENABLE_MTLS" = "true" ]; then
     # Import client CA chain to trust store and clean it up from shared volume
     cp "$SHARED_CERTS_DIR/client/ca-chain.pem" /etc/xconf/trust-store/ca-chain.pem
     rm -f "$SHARED_CERTS_DIR/client/ca-chain.pem"
+    # Operational certs are signed by Test-RDK-server-ICA which has a DIFFERENT root
+    # than the client certificates, so we need the complete server chain
+    if [ -f "$SHARED_CERTS_DIR/server/intermediate_ca.pem" ] && [ -f "$SHARED_CERTS_DIR/server/root_ca.pem" ]; then
+        cat "$SHARED_CERTS_DIR/server/intermediate_ca.pem" >> /etc/xconf/trust-store/ca-chain.pem
+        cat "$SHARED_CERTS_DIR/server/root_ca.pem" >> /etc/xconf/trust-store/ca-chain.pem
+        echo "[certs] Server CA chain (ICA + root) appended to trust store for operational certificates"
+    fi
     echo "[certs] Client CA chain imported to trust store"
     echo "[certs] mTLS certificate trust flow established"
 fi

@@ -49,5 +49,17 @@ node /usr/local/bin/stbLogUpload.js &
 
 node /usr/local/bin/crashUpload.js &
 
+## RDK-61060: Start XPKI Certifier service (port 50055)
+echo "[entrypoint] DEBUG: Checking xpki-certifier.js file..."
+if [ -f /usr/local/bin/xpki-certifier.js ]; then
+	echo "[entrypoint] xpki-certifier.js found, starting service..."
+	node /usr/local/bin/xpki-certifier.js &
+	XPKI_PID=$!
+	echo "[entrypoint] xpki-certifier started (PID: $XPKI_PID) on port 50055"
+else
+	echo "[entrypoint] ERROR: /usr/local/bin/xpki-certifier.js NOT FOUND - xpki service will not start"
+	ls -la /usr/local/bin/xpki* || echo "No xpki files in /usr/local/bin"
+fi
+
 ## Keep the container running . Running an independent process will help in simulating scenarios of webservices going down and coming up
 while true ; do echo "Mocked webservice heartbeat ..." && sleep 5 ; done