...
- S. Winter arrives at GEANT Offices with a Raspberry Pi 3. The Pi has the most recent version of Raspbian OS preinstalled, with OpenSSL and the hwrng kernel driver, but no custom software.
- The VC begins.
- All participants to the ceremony agree on a value "n" for the length of the passphrases. Values smaller than 10 are unacceptable.
- S. Winter executes the server CA generation script on the host auth-1.hosted.eduroam.org. This process takes a long time and runs in parallel with the Client Root CA procedures.
- The CA generation scripts which are available online at GitHub get downloaded to a USB stick on a computer in GEANT offices.
- The Pi gets powered up and connected to a monitor and keyboard available at GEANT offices.
- The USB stick gets attached to the Pi, and mounted.
- The scripts get copied to local SD card storage.
- S. Winter executes the script "CA.bootstrapNewRootCA", answering the interactive questions by the script.
- When the script asks for the certificate private key's passphrase, S. Winter makes up an n-character password and writes it down on a piece of paper, large enough that it can be seen when held up to the camera of the VC later, in an application on his laptop, for screen sharing.
- When the CAs are generated, S. Winter executes the second script, "CA.generateNewIntermediateCA".
- When the script asks for the certificate private key's passphrase, S. Winter makes up a different n-character password and writes it down on an existing VeraCrypt volume on his laptop.
- S. Winter executes the scripts which generate the CRL and OCSP statements, for both the RSA and ECDSA variants.
- S. Winter holds the root CA passphrase up to the camera.
- M. Milinovic makes a copy of the root CA passphrase and stores it safely for ever after.
- S. Winter makes a copy of the root CA passphrase and stores it onto an existing VeraCrypt volume on his own laptop.
- S. Winter destroys the piece of paper holding the passphrase.
- S. Winter copies all the public information regarding the CAs onto the USB stick:
  - root CA ECDSA+RSA certificate;
  - intermediate CA ECDSA+RSA certificate;
  - root CA CRL ECDSA+RSA;
  - root CA OCSP statement for the intermediate CA certificates ECDSA+RSA.
- S. Winter copies the following SECRET information to the same USB stick:
  - intermediate CA private keys, RSA and ECDSA variants;
  - root CA private keys, RSA and ECDSA variants.
- The USB stick gets unmounted.
- The Pi is shut down.
- D. Visser extracts the root CA private keys into a word processor document and prints them.
- D. Visser places the Pi and the printouts in their physical lockup (safe). The access to that safe is managed internally in GEANT according to local procedures.
- S. Winter deletes the root CA private keys from the USB stick.
- S. Winter copies the remainder of the information on the USB stick to the relevant locations on the VMs.
- The group verifies that the server CA generation script has meanwhile finished.
- The VC ends.
- The ceremony ends.
...