...
After following all these, some amount of fine-tuning in the config files is needed. Most items are self-explanatory; specific documentation to be added here for neuralgic spots.
The development team will provide the initial and production-ready product configuration.
eduroam Managed IdP Client Certificate Root CA
...
The scripts require at least openssl 1.1.0.
Info |
---|
IMPORTANT: adapt the settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf settings before issuing the CA. In particular:
|
Info |
---|
In the generation scripts themselves, change the following parameters:
need to point to the future URL of the CRL/OCSP Responder. |
The script
CA.bootstrapNewRootCA
will generate TWO CAs, one with RSA/4096 bit keys, one with ECDSA/NIST P-521 keys. The latter one is future-proofing.
Info |
---|
You are prompted for the CA password interactively on the keyboard. TBD: who has the password, how is it stored, how is long-term accessibility ensured. |
Afterwards, edit again settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf settings with new URLs for the intermediate (Issuing) CA.
...
Technology | Certificate | Contains Private Key? | CRL | OCSP | Needed where? |
---|---|---|---|---|---|
RSA | ROOT-RSA/cacert.pem | ROOT-RSA/crl.der // ROOT-RSA/crl.pem | ROOT-RSA/OCSP/<serial>.response.der | RADIUS servers: trust root for chain validation | |
ROOT-RSA/certs/N.N./cert-rsa.pem | X | RADIUS servers: trust chain building (certificate only) web interface: certificate and OCSP issuance (certificate + private key) | |||
ECDSA | ROOT-ECDSA/cacert.pem | ROOT-ECDSA/crl.der // ROOT-ECDSA/crl.pem | ROOT-RSA/OCSP/<serial>.response.der | RADIUS servers: trust root for chain validation | |
ROOT-ECDSA/certs/N.N./cert-ecdsa.pem | X | RADIUS servers: trust chain building (certificate only) web interface: certificate and OCSP issuance (certificate + private key) |
All of these files, but no others, are copied out of the CA environment for further use in operations (e.g. onto a USB stick).
...
eduroam Managed IdP includes multiple components which need to interwork correctly for the service as a whole to work. The following external dependencies between the components exist
eduroam Managed IdP web frontend → OCSP responder
- issues OCSP statements for each of the certificates known to the system, using a cron job. See documentation on GitHub above. Make sure the cron job is running and verify that updated statements end up in the correct directory on the OCSP responder.
eduroam Managed IdP RADIUS Server → OCSP responder
- makes request at OCSP responder during every user authentication. Make sure the HTTP communication between RADIUS server and OCSP Responder is possible.