You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

This page and its child pages contains description of individual processes dealing with service operations should be noted as well, such as:

  • Service Order
  • Problem resolution
  • Configuration change
  • System update
  • Backup
  • Disaster recovery

RESPONSIBLE: Information provided here is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by service_name Service Manager.

Client Root CA Signing Ceremony Playbook

Setting

The ceremony is held on the Xth day of month Y in the year Z A.D. The physical location is: GEANT Association Offices, Amsterdam.

Required personnel physically present:

S. Winter, RESTENA: execute key generation scripts on machine (passphrase person #1)

D. Visser, GEANT Association: ensure physical lockup of CA device incl. private key; supervise operation to ensure that

   a) no copies of the private key are made

   b) passphrase is only visible to authorised people

Required additional personnel, present via VC:

M. Milinovic, SRCE (passphrase person #2)

Procedure

  1. S. Winter arrives at GEANT Offices with a Raspberry Pi 3. The Pi has the most recent version of Raspian OS preinstalled, with OpenSSL and the hwrng kernel driver, but no custom software.
  2. The VC begins.
  3. All participants to the ceremony agree on a value "n" for the length of the passphrases. Values smaller than 10 are unacceptable.
  4. The CA generation scripts which are available online at GitHub get downloaded to a USB stick on a computer in GEANT offices.
  5. The Pri gets powered up and connected to a monitor and keyboard available at GEANT offices.
  6. The USB stick gets attached to the Pi, and mounted.
  7. The scripts get copied to local USB storage.
  8. S. Winter executes the script "CA.bootstrapNewRootCA", answering the interactive questions by the script.
  9. When the script asks for the certificate private key's passphrase, S. Winter makes up a n character password and writes it down on a piece of paper, large enough so that it can be seen when held into the camera of the VC later.
  10. When the CA is generated, S. Winter executes the second script, "CA.generateNewIntermediateCA".
  11. When the script asks for the certificate private key's passphrase, S. Winter makes up a different n character password and writes it down on a second piece of paper.
  12. S. Winter executes the scripts which generate the CRL and OCSP statements, for both the RSA and ECDSA variants.
  13. S. Winter holds up the passphrase to the root CAs into the camera.
  14. M. Milinovic makes a copy of the root CA passphrase and stores it safely for everafter.
  15. S. Winter makes a copy of the root CA passphrase and stores it onto an existing VeraCrypt volume on his own laptop.
  16. S. Winter makes a copy of the intermediate CA passphrase and stores it onto an existing VeraCrypt volume on his own laptop.
  17. S. Winter copies all the public information regarding the CAs onto the USB stick:
    -root CA ECDSA+RSA certificate;
    -intermediate CA ECDSA+RSA certificate;
    -root CA CRL ECDSA+RSA;
    - root CA OCSP statement for the intermediate CA certificates ECDSA+RSA.
  18. S. Winter copies the following SECRET information to the same USB stick:
    -intermediate CA private key, RSA variant only.
  19. The USB stick gets unmounted.
  20. The Pi is shut down.
  21. The Pi is placed in its physical lockup (safe). The access to that safe is managed internally in GEANT according to local procedures.
  22. S. Winter copies the information on the USB stick to the relevant locations on the VMs.
  23. The ceremony ends.

Client and Server Root CA Procedures

TBD: where exactly is it stored, access controls to physical location

There will be a key generation ceremony. Q to the SM: is it acceptable to take the preparatory steps before traveling to the signing ceremony? Or do everything live?

TBD: who has the password for the encrypted private key, how is it stored, how is long-term accessibility ensured.


  • No labels