This page and its child pages contains description of individual processes dealing with service operations should be noted as well, such as:
RESPONSIBLE: Information provided here is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by service_name Service Manager. |
Client Root CA Signing Ceremony Playbook
Setting
The ceremony is held on the Xth day of month Y in the year Z A.D. The physical location is: GEANT Association Offices, Amsterdam.
Required personnel physically present:
S. Winter, RESTENA: execute key generation scripts on machine (passphrase person #1)
D. Visser, GEANT Association: ensure physical lockup of CA device incl. private key; supervise operation to ensure that
a) no copies of the private key are made
b) passphrase is only visible to authorised people
Required additional personnel, present via VC:
M. Milinovic, SRCE (passphrase person #2)
Procedure
- S. Winter arrives at GEANT Offices with a Raspberry Pi 3. The Pi has the most recent version of Raspian OS preinstalled, with OpenSSL and the hwrng kernel driver, but no custom software.
- The VC begins.
- All participants to the ceremony agree on a value "n" for the length of the passphrases. Values smaller than 10 are unacceptable.
- The CA generation scripts which are available online at GitHub get downloaded to a USB stick on a computer in GEANT offices.
- The Pri gets powered up and connected to a monitor and keyboard available at GEANT offices.
- The USB stick gets attached to the Pi, and mounted.
- The scripts get copied to local USB storage.
- S. Winter executes the script "CA.bootstrapNewRootCA", answering the interactive questions by the script.
- When the script asks for the certificate private key's passphrase, S. Winter makes up a n character password and writes it down on a piece of paper, large enough so that it can be seen when held into the camera of the VC later.
- When the CA is generated, S. Winter executes the second script, "CA.generateNewIntermediateCA".
- When the script asks for the certificate private key's passphrase, S. Winter makes up a different n character password and writes it down on a second piece of paper.
- S. Winter executes the scripts which generate the CRL and OCSP statements, for both the RSA and ECDSA variants.
- S. Winter holds up the passphrase to the root CAs into the camera.
- M. Milinovic makes a copy of the root CA passphrase and stores it safely for everafter.
- S. Winter makes a copy of the root CA passphrase and stores it onto an existing VeraCrypt volume on his own laptop.
- S. Winter makes a copy of the intermediate CA passphrase and stores it onto an existing VeraCrypt volume on his own laptop.
- S. Winter copies all the public information regarding the CAs onto the USB stick:
-root CA ECDSA+RSA certificate;
-intermediate CA ECDSA+RSA certificate;
-root CA CRL ECDSA+RSA;
- root CA OCSP statement for the intermediate CA certificates ECDSA+RSA. - S. Winter copies the following SECRET information to the same USB stick:
-intermediate CA private key, RSA variant only. - The USB stick gets unmounted.
- The Pi is shut down.
- The Pi is placed in its physical lockup (safe). The access to that safe is managed internally in GEANT according to local procedures.
- S. Winter copies the information on the USB stick to the relevant locations on the VMs.
- The ceremony ends.
Client and Server Root CA Procedures
TBD: where exactly is it stored, access controls to physical location
There will be a key generation ceremony. Q to the SM: is it acceptable to take the preparatory steps before traveling to the signing ceremony? Or do everything live?
TBD: who has the password for the encrypted private key, how is it stored, how is long-term accessibility ensured.