...

After following all these steps, some fine-tuning of the config files is still needed. Most items are self-explanatory; specific documentation for the sensitive spots is to be added here.

eduroam Managed IdP Client Certificate Root CA

It is crucial to have a trust anchor for all issued client certificates that is stable in the long term. To that end, an offline, hardware-backed CA is provisioned and kept in a physically secure location on GEANT premises. The CA itself is created with the CA generation script that is publicly available on GitHub.

IMPORTANT: adapt settings/openssl.conf before issuing the CA. In particular, the following must point to the future URLs where the CRL, the CA certificate (caIssuers) and the OCSP responder will be published:

  • crlDistributionPoints
  • caIssuers;URI.0
  • OCSP;URI.0

In the generation scripts themselves, change the following parameter:

  • CA.bootstrapnewRootCA: "randomsource" → /dev/hwrng as provided by the Raspberry Pi

The script generates TWO CAs: one with an RSA 4096-bit key and one with an ECDSA P-521 key. The latter is for future-proofing.
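The following is an added worked example, not the GEANT CA generation script from GitHub: it shows, with plain openssl, the three pieces the instructions above require: an openssl config whose crlDistributionPoints, caIssuers;URI.0 and OCSP;URI.0 point at the (here placeholder, example.org) CRL/OCSP responder URLs; a hardware random source used when /dev/hwrng exists (with OpenSSL's default DRBG as fallback, so the script also runs off the Raspberry Pi); and the two roots, RSA 4096 and ECDSA P-521. It then issues a test client certificate from each root and checks that the chain verifies and that the issued certificate actually carries the configured CRL/AIA pointers, which is the check to run before trusting the real config. File names, subject names, validity periods and the extension sections are assumptions for the example.

```shell
#!/bin/sh
# Added example: offline root CA generation with openssl, mirroring the
# settings the page says to adapt. NOT the GEANT script; URLs are placeholders.
set -eo pipefail 2>/dev/null || set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Assumed placeholder URLs: replace with the future CRL / CA cert / OCSP locations.
CRL_URL="http://crl.example.org/eduroam-managed-idp.crl"
AIA_URL="http://ca.example.org/eduroam-managed-idp-root.crt"
OCSP_URL="http://ocsp.example.org/"

# Use the Raspberry Pi hardware RNG as the page instructs when it is present;
# otherwise fall back to OpenSSL's default DRBG so the example runs anywhere.
RAND_OPT=""
[ -c /dev/hwrng ] && RAND_OPT="-rand /dev/hwrng"

# Write the config: v3_ca for the self-signed roots, client_cert for issued
# certificates. The CDP/AIA pointers belong to the issued certificates.
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$CRL_URL
authorityInfoAccess = @aia
[ aia ]
caIssuers;URI.0 = $AIA_URL
OCSP;URI.0 = $OCSP_URL
EOF
}

# make_root rsa|ec : generate the root key (RSA/4096 or ECDSA/P-521) and a
# self-signed CA certificate with the v3_ca extensions.
make_root() {
  key="$WORKDIR/$1-root.key"; cert="$WORKDIR/$1-root.pem"
  case "$1" in
    rsa) openssl genrsa $RAND_OPT -out "$key" 4096 2>/dev/null ;;
    ec)  openssl ecparam $RAND_OPT -name secp521r1 -genkey -noout -out "$key" ;;
  esac
  openssl req -x509 -new -key "$key" -sha256 -days 7300 \
    -subj "/O=GEANT/CN=eduroam Managed IdP Root CA ($1)" \
    -config "$WORKDIR/openssl.cnf" -extensions v3_ca -out "$cert"
}

# issue_client <root> <identity> : issue a client certificate from that root
# using the client_cert section; prints the certificate path.
issue_client() {
  ckey="$WORKDIR/$2.key"; csr="$WORKDIR/$2.csr"; ccert="$WORKDIR/$2.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$ckey"
  openssl req -new -key "$ckey" -subj "/CN=$2" -config "$WORKDIR/openssl.cnf" -out "$csr"
  openssl x509 -req -in "$csr" -CA "$WORKDIR/$1-root.pem" -CAkey "$WORKDIR/$1-root.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$WORKDIR/openssl.cnf" -extensions client_cert -out "$ccert" 2>/dev/null
  echo "$ccert"
}

# check_chain <root> <cert> : does the issued certificate chain to the root?
check_chain() {
  openssl verify -CAfile "$WORKDIR/$1-root.pem" "$2" >/dev/null 2>&1
}

# has_revocation_pointers <cert> : does the issued certificate carry the
# configured CRL distribution point and both AIA entries?
has_revocation_pointers() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s' "$text" | grep -qF "$CRL_URL" &&
  printf '%s' "$text" | grep -qF "$AIA_URL" &&
  printf '%s' "$text" | grep -qF "$OCSP_URL"
}

# root_key_bits <root> : key size reported in the root certificate.
root_key_bits() {
  openssl x509 -in "$WORKDIR/$1-root.pem" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

write_config
make_root rsa
make_root ec
RSA_CLIENT=$(issue_client rsa "client-rsa-test")
EC_CLIENT=$(issue_client ec "client-ec-test")
```

Run it on the CA host and then inspect `$WORKDIR/*-root.pem` with `openssl x509 -text`; the sanity check that matters before the real ceremony is that an issued certificate, not the root, shows the final CRL and OCSP URLs, since those are what clients and RADIUS servers will later contact.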

Specific Instructions to make CAT instance a Managed IdP one

...