Page History

...

Info

IMPORTANT: adapt the settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf settings before issuing the CA. In particular:

~~crlDistributionPoints~~
caIssuers;URI.0 = http://ocsp.hosted.eduroam.org/rsa/user-root/cacert.pem respectively http://ocsp.hosted.eduroam.org/ecdsa/user-root/cacert.pem
OCSP;URI.0 = http://ocsp.hosted.eduroam.org/rsa/user-root/ocsp respectively http://ocsp.hosted.eduroam.org/ecdsa/user-root/ocsp

For (for reference: the end user certificates created by the intermediate CA will have the following URLs for these fields:

caIssuers;URI.0 = http://ocsp.hosted.eduroam.org/rsa/user-intermediate-rsa-1/cacert.pem respectively http://ocsp.hosted.eduroam.org/ecdsa/user-intermediate-ecdsa-1/cacert.pem
OCSP;URI.0 = http://ocsp.hosted.eduroam.org/rsa/user-intermediate-rsa-1/ocsp respectively http://ocsp.hosted.eduroam.org/ecdsa/user-intermediate-ecdsa-1/ocsp

Info

In the generation scripts themselves, change the following parameters:

CA.bootstrapnewRootCA: "randomsource" → /dev/hwrng as provided by the Raspberry Pi

need to point to the future URL of the CRL/OCSP Responder.

...

Important: the CA certificates need to contain a valid URL for their CRL Distribution Point. The CRLDP is set by the addnro.py script as: CRLDP.0=http://ocsp.hosted.eduroam.org/rsa/server/<NRO>/crl/root.crl (where <NRO> is the ccTLD of the NRO in question, in capitalised letters - e.g. "PL")

...

Page tree

Versions Compared

Old Version 30

New Version 31

Key