Recording
PlayBook
Key data
Key types:
- RSA 4096 bits
- ECC 384 bits
Key Subjects:
- O=GEANT, CN=eduGAIN RSA Signer CA 2022
- O=GEANT, CN=eduGAIN ECC Signer CA 2022
Key validity period:
- 20 Years
Key generation
- Prepare key storage computer for use.
- Connect and verify RNG.
- Use the RNG to create and set a static password in the two yubikeys.
- Generate RSA 4096 bits and ECC 384 bits keypairs, and encrypt them using the yubikey in static mode.
- Decrypt the RSA private key using the yubikey in static mode; keep the decrypted key only temporarily in /dev/shm (RAM-backed, so it is never written to persistent storage).
- Issue self-signed certificate using keypair.
- Copy the keys to two USB sticks.
- Generate SHA-1 and SHA-256 fingerprints of the certificate.
- Copy the RSA certificate to a USB stick and send it to the eduGAIN OT.
- Shutdown key storage computer.
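The generation steps above, carried out with the openssl CLI, as an added example that is not part of the playbook and not the ceremony's own command sequence. It assumes the yubikey static password is supplied through a CEREMONY_PASS environment variable (a stand-in, not the real mechanism), that /dev/shm is the RAM-only scratch area when present (mktemp's default otherwise), that 20 years is taken as 7305 days, and that the CA certificate carries CA:TRUE and keyCertSign extensions, which the playbook does not list. verify_ca is the same decrypt-into-/dev/shm step that reappears in the HSM deployment section, with a check that the decrypted key really belongs to the certificate.

```shell
#!/bin/sh
# Added example (not part of the playbook): key generation with openssl.
# Assumptions: CEREMONY_PASS stands in for the yubikey static password,
# /dev/shm is used for the plaintext key when it exists, 20 years = 7305 days.
set -eu
umask 077   # every file created below is owner-readable only

# RAM-backed scratch directory for the decrypted private key.
ram_dir() {
  if [ -d /dev/shm ]; then
    mktemp -d /dev/shm/ceremony.XXXXXX
  else
    mktemp -d
  fi
}

# gen_ca <rsa|ecc> <output dir> <subject>
# Generates the keypair in RAM, encrypts it with the ceremony password,
# issues the self-signed CA certificate, writes both fingerprints and
# removes the plaintext key from RAM before returning.
gen_ca() {
  alg="$1"; out="$2"; subj="$3"
  : "${CEREMONY_PASS:?set CEREMONY_PASS (stands in for the yubikey static password)}"
  mkdir -p "$out"
  ram="$(ram_dir)"
  case "$alg" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
           -out "$ram/key.pem" 2>/dev/null ;;
    ecc) openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
           -out "$ram/key.pem" 2>/dev/null ;;
    *)   rm -rf "$ram"; echo "unknown algorithm: $alg" >&2; return 1 ;;
  esac
  # Encrypted copy: this is the artefact that goes onto the USB sticks.
  openssl pkey -in "$ram/key.pem" -aes256 -passout env:CEREMONY_PASS \
    -out "$out/$alg-key.enc.pem"
  # Self-signed CA certificate, 20 years, SHA-256 signature.
  # (CA:TRUE / keyCertSign are assumed; the playbook lists no extensions.)
  openssl req -x509 -new -key "$ram/key.pem" -sha256 -days 7305 -subj "$subj" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -out "$out/$alg-cert.pem"
  # SHA-1 and SHA-256 fingerprints, kept next to the certificate.
  {
    openssl x509 -in "$out/$alg-cert.pem" -noout -fingerprint -sha1
    openssl x509 -in "$out/$alg-cert.pem" -noout -fingerprint -sha256
  } > "$out/$alg-cert.fingerprints"
  rm -rf "$ram"   # the plaintext key existed only in RAM
}

# verify_ca <rsa|ecc> <output dir>
# The decrypt-into-/dev/shm step: decrypts the stored key, checks that its
# public half matches the certificate, prints the key size in bits and
# wipes the RAM copy. Returns 1 on mismatch.
verify_ca() {
  alg="$1"; out="$2"
  ram="$(ram_dir)"
  openssl pkey -in "$out/$alg-key.enc.pem" -passin env:CEREMONY_PASS -out "$ram/key.pem"
  openssl pkey -in "$ram/key.pem" -pubout -out "$ram/key.pub"
  openssl x509 -in "$out/$alg-cert.pem" -noout -pubkey > "$ram/cert.pub"
  if ! cmp -s "$ram/key.pub" "$ram/cert.pub"; then
    rm -rf "$ram"
    echo "private key does not match $alg-cert.pem" >&2
    return 1
  fi
  bits="$(openssl pkey -in "$ram/key.pem" -noout -text \
          | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)"
  rm -rf "$ram"
  echo "$bits"
}
```

Usage: source the file, export CEREMONY_PASS, then call gen_ca rsa ./out "/O=GEANT/CN=eduGAIN RSA Signer CA 2022" and gen_ca ecc ./out "/O=GEANT/CN=eduGAIN ECC Signer CA 2022"; ./out then holds the encrypted keys, certificates and fingerprint files to copy to the USB sticks, and verify_ca rsa ./out reports 4096 only when the encrypted key decrypts with the password and matches the certificate. The plaintext key is written nowhere but the /dev/shm scratch directory, which both functions remove before returning.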
Key storage
- Put each pair of USB stick and yubikey in its own tamper bag.
- Record the tamper bags' serial numbers.
- The key storage computer goes in its own tamper bag along with a paper record of the commands.
Key deployment to Luna HSM
- Prepare key storage computer for use.
- Connect ethernet interface to secondary ethernet of HSM in the cluster.
- Configure HSM for providing NTLS service on secondary ethernet port.
- Decrypt RSA private key using yubikey in static mode, temporarily stored in /dev/shm.
- Using the PKCS#11 client on the key storage computer, transfer the private key to the HSM.
Key backup locations
- One tamper bag containing the USB pendrive and yubikey goes to a safe in the GEANT Amsterdam office.
- One tamper bag containing the USB pendrive and yubikey goes to a safe in the GARR Rome office.
Key generation command sequence
Yubikey code reader: