mirror of
https://github.com/corda/corda.git
synced 2025-03-17 17:45:17 +00:00
review comments
parent
f56f07b34a
commit
3eb1ba9faa
@ -1,18 +0,0 @@
|
||||
HSM Certificate Generation Tool
|
||||
===============================
|
||||
|
||||
The purpose of the HSM Certificate Revocation List (CRL) Generation Tool is to provide means for the ROOT signed CRL creation.
|
||||
Currently, only the NODE-level CRL creation is automated. Other levels (i.e. INTERMEDIATE and TLS) need to be addressed as well.
|
||||
Since we do not presume to update the INTERMEDIATE-level CRL often, the automation in this case is not required.
|
||||
With respect to the TLS certificates, we (from the perspective of R3) are not the maintainers of those CRLs.
|
||||
It is a customer responsibility to maintain those lists. However, in order to ensure correct CRL checking procedure in case of the
|
||||
SSL communication we need to provide the endpoint serving an empty CRL in case the customer is not able to provide for a CRL infrastructure.
|
||||
Thus necessity for an empty CRL creation.
|
||||
|
||||
The HSM CRL Generation Tool allows for both empty and non-empty CRL creation. It can be configured to generate direct and indirect CRLs.
|
||||
A direct CRL is a CRL issued by the certificate issuer, which applies to the INTERMEDIATE certificates.
|
||||
However, sometimes there is a need for creating an indirect CRL - i.e. issued by another authority different than the certificate issuer. This is the case in the TLS certificates.
|
||||
The tool is implemented in such a way that the ROOT CA is always the issuing authority. Depending on the configuration, the generated
|
||||
CRL can be flagged as direct or indirect.
|
||||
|
||||
The output of the tool is a file containing ASN.1 DER-encoded bytes of the generated CRL.
|
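Review bot: The heading of this removed page, "HSM Certificate Generation Tool", does not match its body, which describes the HSM Certificate Revocation List (CRL) Generation Tool; if the text is being moved rather than dropped, fix the title where it lands. The page also holds the design statements that the ROOT CA is always the issuing authority and that an empty CRL endpoint is served for TLS when the customer has no CRL infrastructure. The commit message "review comments" does not say whether that material survives elsewhere, so please state in the message where it now lives or why it is no longer needed.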
@ -1,76 +0,0 @@
|
||||
Running the HSM Certificate Generation tool
|
||||
===========================================
|
||||
|
||||
The purpose of this tool is to facilitate the process of CRL generation using the ROOT certificate stored on the HSM infrastructure.
|
||||
See :doc:`hsm-crl-generator` for more details.
|
||||
|
||||
|
||||
See the Readme under ``network-management`` for detailed building instructions.
|
||||
|
||||
|
||||
Configuration file
|
||||
------------------
|
||||
At startup, the HSM CRL Generation Tool reads a configuration file, passed with ``--config-file`` on the command line.
|
||||
|
||||
This is an example of what a tool configuration file might look like:
|
||||
.. literalinclude:: ../../network-management/crl-generator.conf
|
||||
|
||||
General configuration parameters
|
||||
--------------------------------
|
||||
Allowed parameters are:
|
||||
|
||||
:hsmHost: IP address of the HSM device.
|
||||
|
||||
:hsmPort: Port number of the HSM device.
|
||||
|
||||
:userConfigs: List of user authentication configurations. See below section on User Authentication Configuration.
|
||||
|
||||
:crl: CRL specific configuration. See below section on CRL Configuration.
|
||||
|
||||
:trustStoreFile: Path to the trust store file containing the ROOT certificate.
|
||||
|
||||
:trustStorePassword: Password for the trust store.
|
||||
|
||||
|
||||
CRL Configuration
|
||||
-----------------
|
||||
|
||||
:keySpecifier: This is an HSM specific parameter that corresponds to ROOT key name spacing. See Utimaco documentation for more details.
|
||||
|
||||
:keyGroup: This is an HSM specific parameter that corresponds to ROOT key name grouping. See Utimaco documentation for more details.
|
||||
|
||||
:validDays: Validity period of this CRL expressed in days.
|
||||
|
||||
:crlEndpoint: URL pointing to the endpoint where this CRL can be obtained from. It is embedded in the generated CRL.
|
||||
|
||||
:indirectIssuer: A boolean flag noting whether this CRL was issued by the certificate issuer (false) or another issuer (true).
|
||||
|
||||
:filePath: Path to the generated file.
|
||||
|
||||
:revocations: A list of revoked certificate data that is to be included in the generated CRL. Default value is the empty list.
|
||||
See below for more details on the revoked certificate data.
|
||||
|
||||
Revoked Certificate Data
|
||||
------------------------
|
||||
|
||||
:certificateSerialNumber: Serial number of the revoked certificate.
|
||||
|
||||
:dateInMillis: Certificate revocation time.
|
||||
|
||||
:reason: Reason for the certificate revocation. The allowed value is one of the following:
|
||||
UNSPECIFIED, KEY_COMPROMISE, CA_COMPROMISE, AFFILIATION_CHANGED, SUPERSEDED, CESSATION_OF_OPERATION, PRIVILEGE_WITHDRAWN
|
||||
|
||||
User Authentication Configuration
|
||||
---------------------------------
|
||||
Allowed parameters are:
|
||||
|
||||
:username: HSM username. This user needs to be allowed to generate keys/certificates and store them in HSM.
|
||||
|
||||
:authMode: One of the 3 possible authentication modes:
|
||||
PASSWORD - User's password as set-up in the HSM
|
||||
CARD_READER - Smart card reader authentication
|
||||
KEY_FILE - Key file based authentication.
|
||||
|
||||
:authToken: Depending on the authMode it is either user's password or path to the authentication key file. In case of the CARD_READER authMode value, this can be omitted.
|
||||
|
||||
:keyFilePassword: Only relevant, if authMode == KEY_FILE. It is the key file password.
|
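Review bot: The removed parameter lists describe `trustStorePassword`, `authToken` (the user's password in PASSWORD mode) and `keyFilePassword` as values held in the configuration file, with no word on protecting that file; if this page is being relocated rather than retired, add guidance on restricting read access to the file or preferring CARD_READER for access to the ROOT key. Two smaller points for the same move: the `username` entry says the user must be allowed to "generate keys/certificates and store them in HSM", which reads as broader than a CRL signing tool needs and is worth checking against least privilege, and `dateInMillis` does not say what the milliseconds are counted from. Neither hunk shown here touches an index or toctree, so confirm nothing still points at `hsm-crl-generator` or at this page.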