...

It is crucial to have a trust anchor for all issued client certificates that is stable over the long term. To that end, an offline hardware-backed CA is provisioned and kept in a physically secure location on GEANT property (TBD: where exactly it is stored, and the access controls for the physical location). The CA itself is created with the CA generation script publicly available on GitHub. The scripts require at least OpenSSL 1.1.0, i.e. Raspbian Stretch or higher.

CA operations are performed on the (TBD: procured) Raspberry Pi 3. The Pi needs the following preparatory actions:

  • install Raspbian Stretch (or higher); required for OpenSSL 1.1+
  • install the package rng-tools (provides access to the built-in hardware random number generator at /dev/hwrng)
  • set the date and time (the Raspberry Pi has no built-in real-time clock, so the date is wrong after every boot until set by hand)
  • after installing all needed packages, remove the Pi from the network and never connect it again.
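The preparatory steps above can be checked before any CA operation. The following pre-flight script is an added example, not part of the GEANT CA generation scripts; the function names, the `--live` flag and the constructed `ip -o link` sample are assumptions made here. It verifies the OpenSSL version, the presence of the hardware RNG device and the rngd daemon, that the clock has actually been set, and that no network interface other than loopback is up.

```shell
#!/bin/sh
# Pre-flight checks for the offline CA Raspberry Pi.
# Added example; function names and the --live flag are hypothetical.

# openssl_version_ok "OpenSSL 1.1.1d  10 Sep 2019" -> 0 if this is OpenSSL >= 1.1.0
openssl_version_ok() {
    set -- $1                          # split "OpenSSL x.y.z ..." into words
    [ "$1" = "OpenSSL" ] || return 1   # LibreSSL etc. are not what the scripts expect
    ver=$2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}            # drop a glued-on patch letter, e.g. "1d" -> "1"
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; then return 0; fi
    return 1
}

# clock_sane NOW_EPOCH REF_EPOCH -> 0 if the clock has been set past a known-good
# reference (a Pi without RTC boots near the epoch until the date is set by hand).
clock_sane() {
    if [ "$1" -ge "$2" ] 2>/dev/null; then return 0; fi
    return 1
}

# up_interfaces "<output of ip -o link>" -> prints non-loopback interfaces in state UP
up_interfaces() {
    printf '%s\n' "$1" | while read -r idx name rest; do
        name=${name%:}
        [ "$name" = "lo" ] && continue
        case " $rest " in *" state UP "*) printf '%s\n' "$name" ;; esac
    done
}

# Constructed sample of "ip -o link" output: eth0 is still up, wlan0 is down.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000'

# Constructed reference date (2017-07-14); replace with the day the Pi was provisioned.
REF_EPOCH=1500000000

# Live run on the Pi itself: sh ca-preflight.sh --live
preflight() {
    rc=0
    openssl_version_ok "$(openssl version 2>/dev/null)" || { echo "FAIL: need OpenSSL >= 1.1.0"; rc=1; }
    [ -c /dev/hwrng ] || { echo "FAIL: /dev/hwrng missing (install rng-tools)"; rc=1; }
    pgrep -x rngd >/dev/null 2>&1 || { echo "FAIL: rngd (rng-tools) is not running"; rc=1; }
    clock_sane "$(date +%s)" "$REF_EPOCH" || { echo "FAIL: set the date and time first"; rc=1; }
    up=$(up_interfaces "$(ip -o link 2>/dev/null)")
    [ -z "$up" ] || { echo "FAIL: network interfaces still up: $up"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    preflight && echo "OK: Pi is ready for CA operations"
fi
```

The pure functions take their input as arguments so they can be exercised on any machine; only `preflight` touches the live system, and it refuses to report OK as long as any interface besides `lo` is up, which is the air-gap condition the last step demands.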
Info

IMPORTANT: adapt the settings in settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf before issuing the CA. In particular:

  • crlDistributionPoints
  • caIssuers;URI.0
  • OCSP;URI.0
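To make concrete what these three settings look like in OpenSSL configuration syntax, and to confirm that the URIs really land in a certificate issued with them, here is an added example; it is not the content of the repository's settings/openssl-rsa.cnf or settings/openssl-ecdsa.cnf. The section names (`client_cert_ext`, `crl_section`, `aia_section`), the `verify_extensions` function and all `.invalid` URLs are placeholders chosen here and must be replaced with the real distribution points.

```shell
#!/bin/sh
# Added example: the three x509v3 settings the Info box says must be adapted,
# written as the OpenSSL config sections that carry them, plus a check that a
# certificate issued with that section actually contains them.
# Section names and URLs are constructed placeholders, not the project's values.

write_ca_extension_sections() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Placeholder Client CA

# Extension section applied to issued certificates (name is a placeholder).
[ client_cert_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
crlDistributionPoints = @crl_section
authorityInfoAccess = @aia_section

# crlDistributionPoints: where relying parties fetch the CRL
[ crl_section ]
URI.0 = http://crl.ca.example.invalid/client-ca.crl

# authorityInfoAccess: caIssuers;URI.0 (issuer certificate) and OCSP;URI.0 (responder)
[ aia_section ]
caIssuers;URI.0 = http://ca.example.invalid/client-ca.crt
OCSP;URI.0 = http://ocsp.ca.example.invalid/
EOF
}

# verify_extensions CFG -> 0 if a throwaway certificate issued from the section
# carries a CRL distribution point, a CA Issuers URI and an OCSP URI.
verify_extensions() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -sha256 \
        -config "$1" -extensions client_cert_ext \
        -keyout "$tmp/k.pem" -out "$tmp/c.pem" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    text=$(openssl x509 -in "$tmp/c.pem" -noout -text)
    rm -rf "$tmp"
    for needle in "CRL Distribution Points" "CA Issuers - URI:" "OCSP - URI:"; do
        case "$text" in *"$needle"*) ;; *) return 1 ;; esac
    done
    return 0
}

CFG=${TMPDIR:-/tmp}/ca-extensions-example.cnf
write_ca_extension_sections "$CFG"
```

Running `verify_extensions "$CFG"` after editing the real settings files is a cheap way to catch a typo in the `@section` references before the CA is issued: a missing or misspelled section makes `openssl req` fail, and a forgotten URI is absent from the printed certificate text.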

...