There was a language mix-up problem that coincided in time with the software update but was independent of it (root cause was the Apache optimisation from “worker” to “event” request handling).
Progress on eduPKI CA certificates with automated API
Meeting with eduPKI/DFN-Cert personnel to figure out details
NRO can request certificates
for itself (NRO-level cert) or one of their IdPs
by uploading a CSR (all fields except public key and CN ignored)
issuance prerequisite: requested hostname MUST be listed as a server hostname in eduroam DB (schema v2.0.1)
issuance prerequisite: entity must have a role-based, public email contact in the eduroam DB (schema v2)
the O attribute will either be "NRO of <country>" or the corporate name of the IdP in question
NRO operator still has to provide info on whether they want an NRO cert or IdP cert, and for which IdP/NRO (hostnames are not guaranteed to be unique, and one admin can be NRO operator for more than one eduroam country or territory)
renewal notices etc. will be sent to that role-based mail contact
Should this be exposed via admin API? Only relevant if you plan to deploy to IdPs at scale…
BTW, root CA expires in about 10 years. We will need to start thinking of a rollover plan in 5.
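The issuance rules listed above, as an added sketch of the pre-issuance check (not eduPKI or eduroam code). The record layout, field names, operator table and sample data are constructed assumptions, not the eduroam DB schema; the CSR is modelled as a dict of subject fields.

```python
# Added illustration of the pre-issuance checks described in the minutes.
# Field names and records are assumptions, not the real eduroam DB schema.
from dataclasses import dataclass, field

@dataclass
class Entity:
    entity_id: str        # constructed identifier
    kind: str             # "NRO" or "IdP"
    country: str          # country/territory of the owning NRO
    corporate_name: str   # becomes O for IdP certificates
    server_hostnames: set = field(default_factory=set)
    contacts: list = field(default_factory=list)  # email, role_based, public

# Constructed sample data: the same hostname appears under two entities,
# which is why the request has to name the entity explicitly.
DB = {e.entity_id: e for e in [
    Entity("nro-xx", "NRO", "XX", "", {"radius.example.org"},
           [{"email": "eduroam-ops@example.org", "role_based": True, "public": True}]),
    Entity("idp-1", "IdP", "XX", "Example University", {"radius.example.org"},
           [{"email": "jane@example.edu", "role_based": False, "public": True}]),
]}
OPERATORS = {"alice": {"XX", "YY"}}  # one admin may operate several NROs

def evaluate_request(operator, cert_type, entity_id, csr_subject, db=DB):
    """Return (ok, result): the certificate profile, or a list of reasons."""
    entity, reasons = db.get(entity_id), []
    if entity is None or entity.kind != cert_type:
        return False, ["no such %s entity: %s" % (cert_type, entity_id)]
    if entity.country not in OPERATORS.get(operator, set()):
        reasons.append("operator is not NRO operator for " + entity.country)
    cn = csr_subject.get("CN", "")  # every other subject field is ignored
    if cn not in entity.server_hostnames:
        reasons.append("CN %r is not a server hostname of %s" % (cn, entity_id))
    mail = [c["email"] for c in entity.contacts if c["role_based"] and c["public"]]
    if not mail:
        reasons.append("no role-based, public email contact")
    if reasons:
        return False, reasons
    # O is set by the CA side, never taken from the CSR.
    org = ("NRO of " + entity.country if cert_type == "NRO"
           else entity.corporate_name)
    return True, {"CN": cn, "O": org, "notify": mail[0]}
```

The "notify" value is the address that would receive renewal notices; an O supplied in the CSR never reaches the result.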
AOB / Next VC
As per schedule, 10 Dec 2019, 1530 CET