...

It is crucial to have a trust anchor for all issued client certificates that is stable in the long term. To that end, an offline, hardware-backed CA is provisioned and kept in a physically secure location on GEANT premises. The CA itself is created with the CA generation script that is publicly available on GitHub.

The scripts require OpenSSL 1.1.0 or later.

IMPORTANT: adapt the settings in settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf before issuing the CA. In particular:

...

need to point to the future URL of the CRL/OCSP Responder.

The script

CA.bootstrapNewRootCA

will generate TWO root CAs, one with a 4096-bit RSA key and one with an ECDSA key on NIST curve P-521. The latter is for future-proofing.

Afterwards, edit settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf again, this time with the URLs for the intermediate (Issuing) CA, since the URLs in a CA's settings end up in the certificates that CA issues.

Subsequently, issue the command

CA.generateNewIntermediateCA
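The two scripted steps above (set the URLs, bootstrap the root, set the URLs again, generate the intermediate), as an added example that is not the CAT project's CA.bootstrapNewRootCA / CA.generateNewIntermediateCA scripts: a POSIX shell script that builds both the RSA/4096 and the ECDSA/P-521 hierarchy with plain openssl commands, writes one settings file for the root and a second one for the issuing CA so that each carries its own CRL/OCSP URL pair, issues one test client certificate to show which pair lands where, and refuses to issue anything while a URL is still the placeholder. Everything concrete in it is an assumption made for the demonstration: the example.org URLs, the subject names, the validity periods, the settings-file layout, and the fact that private keys are written to disk at all (on the hardware-backed GEANT root the keys are generated on, and never leave, the token).

```shell
#!/bin/sh
# Added example, not the CAT project's CA.* scripts: a two-tier offline CA with plain
# openssl (>= 1.1.0). Names, URLs and lifetimes are assumed; keys are on disk only here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
PLACEHOLDER="http://CHANGEME"          # what an un-adapted settings file still contains
WORK="${CA_WORK:-$(mktemp -d)}"        # output directory, one subdirectory per hierarchy

# Refuse to issue anything while a CRL/OCSP URL is still the placeholder.
check_urls() {
    for u in "$@"; do
        case "$u" in "$PLACEHOLDER"*) echo "URL not adapted: $u" >&2; return 1 ;; esac
    done
}

# Write a minimal openssl.cnf. The CDP/AIA URLs in a CA's settings land in the certificates
# THAT CA ISSUES: set them once before the root signs, and again before the issuing CA signs.
write_cnf() {  # write_cnf <file> <crl_url> <ocsp_url>
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_issuing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$2
authorityInfoAccess = OCSP;URI:$3
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$2
authorityInfoAccess = OCSP;URI:$3
EOF
}

genkey() {  # genkey <out> <rsa|ecdsa> [rsa_bits]; CA keys are RSA/4096 or ECDSA/P-521
    if [ "$2" = rsa ]; then
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${3:-4096}" -out "$1" 2>/dev/null
    else
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -pkeyopt ec_param_enc:named_curve -out "$1" 2>/dev/null
    fi
}

# build_hierarchy <rsa|ecdsa> <root_crl> <root_ocsp> <issuing_crl> <issuing_ocsp>
build_hierarchy() {
    algo=$1; d="$WORK/$1"; mkdir -p "$d"
    check_urls "$2" "$3" "$4" "$5"
    write_cnf "$d/root.cnf" "$2" "$3"       # settings in force while the root signs
    write_cnf "$d/issuing.cnf" "$4" "$5"    # settings edited again for the issuing CA
    genkey "$d/root.key" "$algo"
    openssl req -new -x509 -sha384 -days 7300 -key "$d/root.key" -subj "/O=Example/CN=Example Root CA $algo" \
        -config "$d/root.cnf" -extensions v3_root -out "$d/root.crt"
    genkey "$d/issuing.key" "$algo"
    openssl req -new -key "$d/issuing.key" -subj "/O=Example/CN=Example Issuing CA $algo" \
        -config "$d/root.cnf" -out "$d/issuing.csr"
    openssl x509 -req -sha384 -days 3650 -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/root.cnf" -extensions v3_issuing -out "$d/issuing.crt" 2>/dev/null
    # One end-entity certificate, to show whose URLs end up in client certificates.
    genkey "$d/client.key" "$algo" 2048
    openssl req -new -key "$d/client.key" -subj "/CN=test-user@example.org" \
        -config "$d/issuing.cnf" -out "$d/client.csr"
    openssl x509 -req -sha384 -days 365 -in "$d/client.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
        -CAcreateserial -extfile "$d/issuing.cnf" -extensions v3_client -out "$d/client.crt" 2>/dev/null
}

verify_chain() {  # verify_chain <rsa|ecdsa>: root -> issuing -> client must validate
    d="$WORK/$1"
    openssl verify -CAfile "$d/root.crt" "$d/issuing.crt" >/dev/null &&
        openssl verify -CAfile "$d/root.crt" -untrusted "$d/issuing.crt" "$d/client.crt" >/dev/null
}

cert_has_url() {  # cert_has_url <cert> <url>: is the URL in the CDP or AIA extension?
    openssl x509 -in "$1" -noout -text | grep -Fq "URI:$2"
}

cert_key_is() {  # cert_key_is <cert> <rsa4096|p521>
    t=$(openssl x509 -in "$1" -noout -text)
    case "$2" in
        rsa4096) echo "$t" | grep -q rsaEncryption && echo "$t" | grep -q '(4096 bit)' ;;
        p521)    echo "$t" | grep -q id-ecPublicKey && echo "$t" | grep -Eq 'P-521|secp521r1' ;;
    esac
}

build_hierarchy rsa   http://crl.example.org/root-rsa.crl   http://ocsp.example.org/root-rsa \
                      http://crl.example.org/issuing-rsa.crl http://ocsp.example.org/issuing-rsa
build_hierarchy ecdsa http://crl.example.org/root-ec.crl    http://ocsp.example.org/root-ec \
                      http://crl.example.org/issuing-ec.crl  http://ocsp.example.org/issuing-ec
verify_chain rsa; verify_chain ecdsa; echo "both hierarchies verify; output in $WORK"
```

After it runs, `openssl x509 -in "$WORK/rsa/issuing.crt" -noout -text` shows the root's URL pair in the intermediate's CDP/AIA extensions and `.../rsa/client.crt` shows the issuing CA's pair, which is the effect the two rounds of editing on this page are meant to produce; swapping the two settings files (or forgetting the second edit) would send relying parties to a CRL that never lists the revoked client certificate.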


Specific Instructions to make a CAT instance a Managed IdP one

...