...
It is crucial to have a trust anchor for all issued client certificates that remains stable over the long term. To that end, an offline hardware-backed CA is provisioned and kept in a physically safe location on GEANT property (TBD: where exactly is it stored, access controls to physical location). The CA itself is created with the CA generation script publicly available on GitHub.
CA operations are performed on the (TBD: project-procured) Raspberry Pi 3. The Pi needs the following preparatory actions:
...