# `Condukt.Sandbox.NetworkPolicy.CA`
[🔗](https://github.com/tuist/condukt/blob/1.5.1/lib/condukt/sandbox/network_policy/ca.ex#L1)

Per-session ephemeral Certificate Authority used by the egress sidecar
for TLS interception.

A CA is a self-signed root that the egress sidecar uses to mint per-host
leaf certificates on the fly when intercepting TLS connections. The
workspace image must trust this CA at session start for the handshake
to succeed; if it does not, the request fails with a
`tls_handshake_failed` event.

## Lifecycle

One CA is generated per session at pod creation:

    {:ok, ca} = Condukt.Sandbox.NetworkPolicy.CA.generate(common_name: "session-abc")
    ca.cert_pem  # mounted as a K8s Secret to the sidecar
    ca.key_pem   # mounted as a K8s Secret to the sidecar
    ca.cert_pem  # also mounted (read-only) to the workspace at /etc/condukt/ca.pem

When the session ends, the K8s Secret is deleted along with the pod, so
the CA's blast radius is bounded by the session.

## Cryptographic choices

Defaults are:

  * Elliptic curve P-256 (prime256v1). Faster than RSA, broadly supported,
    and the standard for short-lived certs.
  * Validity period: 24 hours, with a 1 hour pre-skew to absorb pod-vs-host
    clock drift.
  * Common name: a caller-supplied string, typically the session id.

Each default can be overridden via opts, but the defaults match what the
Kubernetes sandbox sets at session start.

# `generate`

Generates a fresh per-session CA.

Options:

  * `:common_name` — string put in the Subject CN. Required.
  * `:validity_hours` — total validity in hours, default `24`.
  * `:skew_hours` — pre-skew applied to NotBefore (and post-skew on
    NotAfter) in hours, default `1`. Absorbs clock drift between
    Condukt's host and the K8s pod.
  * `:organization` — Subject Organization, default `"Condukt"`.
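
The properties documented above (P-256 key, self-signed root, CA flag, bounded validity window) are worth asserting in a test after generation. The following is an added example, not Condukt's own code: a hypothetical `SessionCACheck` module that inspects the `cert_pem` returned by `generate/1` using only OTP's `:public_key`; it assumes `cert_pem` holds a single PEM certificate and a 20xx year in UTCTime.

```elixir
defmodule SessionCACheck do
  @id_ec_public_key {1, 2, 840, 10045, 2, 1}
  @secp256r1 {1, 2, 840, 10045, 3, 1, 7}
  @id_ce_basic_constraints {2, 5, 29, 19}
  # Returns :ok, or {:error, reason} for the first documented property the cert
  # fails. max_hours is validity_hours + 2 * skew_hours (26 with the defaults).
  def check(cert_pem, max_hours \\ 26) do
    [{:Certificate, der, :not_encrypted}] = :public_key.pem_decode(cert_pem)
    otp_cert = :public_key.pkix_decode_cert(der, :otp)
    # Positional tuple matches mirror the record layouts in public_key.hrl (assumption: OTP record order).
    {:OTPCertificate, tbs, _sig_alg, _sig} = otp_cert
    {:OTPTBSCertificate, _v, _serial, _alg, _issuer, validity, _subj, spki, _iu, _su, exts} = tbs
    with :ok <- p256(spki),
         :ok <- self_signed(otp_cert, der, spki),
         :ok <- ca_flag(exts),
         do: window(validity, max_hours)
  end
  # Key must be id-ecPublicKey on the prime256v1 (secp256r1) named curve.
  defp p256({:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, @id_ec_public_key, {:namedCurve, @secp256r1}}, _pt}),
    do: :ok
  defp p256(_), do: {:error, :not_p256}
  # A root is self-signed: issuer name == subject name (pkix_is_self_signed only
  # compares names) and the signature verifies under the cert's own EC key.
  defp self_signed(otp_cert, der, {:OTPSubjectPublicKeyInfo, {:PublicKeyAlgorithm, _, params}, point}) do
    if :public_key.pkix_is_self_signed(otp_cert) and :public_key.pkix_verify(der, {point, params}),
      do: :ok, else: {:error, :not_self_signed}
  end
  # basicConstraints cA=TRUE must be present, or TLS stacks will refuse to chain to it.
  defp ca_flag(exts) when is_list(exts) do
    case List.keyfind(exts, @id_ce_basic_constraints, 1) do
      {:Extension, _oid, _critical, {:BasicConstraints, true, _len}} -> :ok
      _ -> {:error, :not_a_ca}
    end
  end
  defp ca_flag(_), do: {:error, :not_a_ca}
  # NotAfter - NotBefore must fit the window: a longer-lived session CA would
  # outlive the session whose blast radius it is meant to bound.
  defp window({:Validity, nb, na}, max_hours) do
    if to_secs(na) - to_secs(nb) <= max_hours * 3600, do: :ok, else: {:error, :validity_too_long}
  end
  # utcTime is YYMMDDhhmmssZ (a 20xx year is assumed); generalTime is YYYYMMDDhhmmssZ.
  defp to_secs({:utcTime, t}), do: to_secs({:generalTime, [?2, ?0 | t]})
  defp to_secs({:generalTime, t}) do
    <<y::binary-4, mo::binary-2, d::binary-2, h::binary-2, mi::binary-2, s::binary-2, "Z">> = to_string(t)
    [y, mo, d, h, mi, s] = Enum.map([y, mo, d, h, mi, s], &String.to_integer/1)
    :calendar.datetime_to_gregorian_seconds({{y, mo, d}, {h, mi, s}})
  end
end
```

Running `SessionCACheck.check(ca.cert_pem)` right after `generate/1` in a test catches a regression in any of these defaults before the CA is ever mounted into a pod.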

# `trust_bundle`

Returns a PEM-encoded CA bundle suitable for mounting at
`/etc/ssl/certs/ca-certificates.crt` and `/etc/ssl/cert.pem` on the
workspace container.

The bundle is the Mozilla / curl.se public root list (shipped under
`priv/ca-certificates/mozilla.pem`) with the per-session CA
appended. Any tool that reads the well-known bundle paths or
honours `SSL_CERT_FILE` ends up trusting both the public Internet
and the egress sidecar's leaf certs without the workspace image
needing any preparation.

---

*Consult [api-reference.md](api-reference.md) for the complete listing*
