
After following all these steps, some fine-tuning of the config files is needed. Most items are self-explanatory; specific documentation for the sensitive settings is still to be added here.

The development team will provide the initial and production-ready product configuration.

eduroam Managed IdP Client Certificate Root CA

...

The scripts require at least openssl 1.1.0.

Info

IMPORTANT: adapt settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf before issuing the CA. In particular:

  • crlDistributionPoints
  • caIssuers;URI.0
  • OCSP;URI.0

These need to point to the future URL of the CRL/OCSP responder.

Info

In the generation scripts themselves, change the following parameters:

  • CA.bootstrapnewRootCA: "randomsource" → /dev/hwrng as provided by the Raspberry Pi


The script

CA.bootstrapNewRootCA

will generate TWO CAs: one with RSA/4096-bit keys and one with ECDSA/NIST P-521 keys. The latter exists for future-proofing.

Info

You are prompted for the CA password interactively on the keyboard. TBD: who has the password, how it is stored, and how long-term accessibility is ensured.


Afterwards, edit settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf again, this time with the new URLs for the intermediate (Issuing) CA.

...

Technology: RSA

  Certificate: ROOT-RSA/cacert.pem
  Contains private key? no
  CRL: ROOT-RSA/crl.der // ROOT-RSA/crl.pem
  OCSP: ROOT-RSA/OCSP/<serial>.response.der
  Needed where? RADIUS servers: trust root for chain validation

  Certificate: ROOT-RSA/certs/N.N./cert-rsa.pem
  Contains private key? yes (X)
  CRL: (none)
  OCSP: (none)
  Needed where? RADIUS servers: trust chain building (certificate only); web interface: certificate and OCSP issuance (certificate + private key)

Technology: ECDSA

  Certificate: ROOT-ECDSA/cacert.pem
  Contains private key? no
  CRL: ROOT-ECDSA/crl.der // ROOT-ECDSA/crl.pem
  OCSP: ROOT-RSA/OCSP/<serial>.response.der
  Needed where? RADIUS servers: trust root for chain validation

  Certificate: ROOT-ECDSA/certs/N.N./cert-ecdsa.pem
  Contains private key? yes (X)
  CRL: (none)
  OCSP: (none)
  Needed where? RADIUS servers: trust chain building (certificate only); web interface: certificate and OCSP issuance (certificate + private key)

All of these files, but no others, are copied out of the CA environment for further use in operations (e.g. onto a USB stick).

...

eduroam Managed IdP includes multiple components which need to interwork correctly for the service as a whole to work. The following external dependencies between the components exist:

eduroam Managed IdP web frontend → OCSP responder

  • issues OCSP statements for each of the certificates known to the system, using a cron job. See the documentation on GitHub above. Make sure the cron job is running and verify that updated statements end up in the correct directory on the OCSP responder.

eduroam Managed IdP RADIUS Server → OCSP responder

  • makes a request to the OCSP responder during every user authentication. Make sure HTTP communication between the RADIUS server and the OCSP responder is possible.
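The following script is an added example and is not the eduroam Managed IdP bootstrap script or any code from the CAT project. It ties together the steps described above: it builds both hierarchies (RSA/4096 and ECDSA/NIST P-521 roots, each with an issuing CA and one client certificate, which goes one level further than the root-only bootstrap described above), writes crl.pem/crl.der and the pre-computed OCSP/<serial>.response.der files in the layout of the table, and then shows the two dependency checks from this section: what the RADIUS server learns from a stored OCSP response, and a freshness check for the responder directory the cron job feeds. The URLs, the directory names ROOT-RSA/ROOT-ECDSA/ISSUING, the config contents and every function name are assumptions of this example; keys are written unencrypted only so that it runs unattended, whereas the real script prompts for the CA password. It needs openssl 1.1.0 or later, as the page requires.

```shell
#!/bin/sh
# Added example (not the Managed IdP scripts). Placeholder URLs below stand in
# for the production crlDistributionPoints / caIssuers;URI.0 / OCSP;URI.0
# values; in the real settings/openssl-*.cnf they point at the CRL/OCSP responder.
set -eu
CRL_URL="http://crl.example.invalid/crl.der"          # placeholder
CAISSUERS_URL="http://ca.example.invalid/cacert.der"  # placeholder
OCSP_URL="http://ocsp.example.invalid/"               # placeholder

# Stand-in for settings/openssl-*.cnf, written into CA directory $1.
write_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
crlDistributionPoints = URI:$CRL_URL
authorityInfoAccess = @aia
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:$CRL_URL
authorityInfoAccess = @aia
[ aia ]
caIssuers;URI.0 = $CAISSUERS_URL
OCSP;URI.0 = $OCSP_URL
EOF
}
init_ca_dir() {   # directory layout that "openssl ca" expects in $1
  mkdir -p "$1/private" "$1/newcerts" "$1/OCSP"
  : > "$1/index.txt"; echo 1000 > "$1/serial"; write_cnf "$1"
}
gen_key() {   # $1 = rsa (RSA/4096) or ecdsa (NIST P-521), $2 = output key file
  case "$1" in
    rsa)   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$2" ;;
    ecdsa) openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -out "$2" ;;
  esac
}
issue_cert() {   # CA dir $1 issues for key $2, CN $3, extension section $4, output $5, days $6
  openssl req -new -config "$1/openssl.cnf" -key "$2" -subj "/CN=$3" -out "$5.csr"
  openssl ca -batch -config "$1/openssl.cnf" -extensions "$4" -days "$6" -in "$5.csr" -out "$5"
}
gen_crl() {   # crl.pem and crl.der for CA dir $1
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
  openssl crl -in "$1/crl.pem" -outform DER -out "$1/crl.der"
}
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
# OCSP/<serial>.response.der for cert $2, signed with CA dir $1's own key, valid one
# day: the cron job must refresh it before then. Pre-computed responses cannot carry
# a per-request nonce, hence -no_nonce.
gen_ocsp_response() {
  openssl ocsp -index "$1/index.txt" -CA "$1/cacert.pem" -CAfile "$1/cacert.pem" \
    -issuer "$1/cacert.pem" -rsigner "$1/cacert.pem" -rkey "$1/private/cakey.pem" \
    -cert "$2" -no_nonce -ndays 1 -respout "$1/OCSP/$(cert_serial "$2").response.der" >/dev/null 2>&1
}
ocsp_status() {   # what the RADIUS server learns from the stored response: good/revoked/unknown
  openssl ocsp -respin "$1/OCSP/$(cert_serial "$2").response.der" -issuer "$1/cacert.pem" \
    -cert "$2" -no_nonce -CAfile "$1/cacert.pem" 2>/dev/null | awk -F': ' '/: (good|revoked|unknown)$/ {print $2}'
}
# Cron-job health check: response files in CA dir $1 older than $2 minutes (stale
# statements mean the RADIUS server's lookup fails even though the cert is valid).
stale_ocsp_responses() { find "$1/OCSP" -name '*.response.der' -mmin "+$2"; }
bootstrap_demo() {   # both hierarchies under $1, roots as CA.bootstrapNewRootCA makes them
  for algo in rsa ecdsa; do
    root="$1/ROOT-$(echo "$algo" | tr a-z A-Z)"; issuing="$root/ISSUING"
    init_ca_dir "$root"; gen_key "$algo" "$root/private/cakey.pem"
    openssl req -new -x509 -config "$root/openssl.cnf" -extensions v3_ca -days 3650 \
      -subj "/CN=Demo Root CA $algo" -key "$root/private/cakey.pem" -out "$root/cacert.pem"
    init_ca_dir "$issuing"; gen_key "$algo" "$issuing/private/cakey.pem"
    issue_cert "$root" "$issuing/private/cakey.pem" "Demo Issuing CA $algo" v3_ca "$issuing/cacert.pem" 1825
    gen_crl "$root"; gen_ocsp_response "$root" "$issuing/cacert.pem"
    gen_key "$algo" "$issuing/client.key"
    issue_cert "$issuing" "$issuing/client.key" "user@example.invalid" v3_client "$issuing/client.pem" 365
    gen_crl "$issuing"; gen_ocsp_response "$issuing" "$issuing/client.pem"
  done
}
if [ -n "${1:-}" ]; then bootstrap_demo "$1"; fi   # usage: sh this_script.sh /path/to/ca-demo
```

Run it with a scratch directory as its only argument; afterwards `ocsp_status ROOT-RSA/ISSUING ROOT-RSA/ISSUING/client.pem` prints `good`, and `stale_ocsp_responses ROOT-RSA/ISSUING 1440` lists nothing until a day has passed without the refresh job running. Signing the OCSP responses with the CA's own key mirrors the table above, where the web interface holds the issuing certificate plus private key for exactly that purpose; a delegated responder certificate with the OCSPSigning extended key usage would work the same way with -rsigner/-rkey pointing at it.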