review comments

Katelyn Baker 2018-06-01 11:50:30 +01:00
parent f56f07b34a
commit 3eb1ba9faa
2 changed files with 0 additions and 94 deletions

@ -1,18 +0,0 @@
HSM Certificate Generation Tool
===============================
The purpose of the HSM Certificate Revocation List (CRL) Generation Tool is to provide means for the ROOT signed CRL creation.
Currently, only the NODE-level CRL creation is automated. Other levels (i.e. INTERMEDIATE and TLS) need to be addressed as well.
Since we do not presume to update the INTERMEDIATE-level CRL often, the automation in this case is not required.
With respect to the TLS certificates, we (from the perspective of R3) are not the maintainers of those CRLs.
It is a customer responsibility to maintain those lists. However, in order to ensure correct CRL checking procedure in case of the
SSL communication we need to provide the endpoint serving an empty CRL in case the customer is not able to provide for a CRL infrastructure.
Thus necessity for an empty CRL creation.
The HSM CRL Generation Tool allows for both empty and non-empty CRL creation. It can be configured to generate direct and indirect CRLs.
A direct CRL is a CRL issued by the certificate issuer, which applies to the INTERMEDIATE certificates.
However, sometimes there is a need for creating an indirect CRL - i.e. issued by another authority different than the certificate issuer. This is the case in the TLS certificates.
The tool is implemented in such a way that the ROOT CA is always the issuing authority. Depending on the configuration, the generated
CRL can be flagged as direct or indirect.
The output of the tool is a file containing ASN.1 DER-encoded bytes of the generated CRL.
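
Review bot: the paragraph from "With respect to the TLS certificates" through "flagged as direct or indirect" is the rationale for serving an empty CRL for TLS and for the direct versus indirect distinction, and it is deleted here without a replacement; the commit message "review comments" gives no reason. With 0 additions across the 2 changed files, no index or toctree entry is updated either, so any remaining link to this page will dangle in the docs build. If the tool still ships, move this rationale next to the tool (for example its Readme) instead of dropping it; if the tool is being retired, state that in the commit message.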

@ -1,76 +0,0 @@
Running the HSM Certificate Generation tool
===========================================
The purpose of this tool is to facilitate the process of CRL generation using the ROOT certificate stored on the HSM infrastructure.
See :doc:`hsm-crl-generator` for more details.
See the Readme under ``network-management`` for detailed building instructions.
Configuration file
------------------
At startup, the HSM CRL Generation Tool reads a configuration file, passed with ``--config-file`` on the command line.
This is an example of what a tool configuration file might look like:
.. literalinclude:: ../../network-management/crl-generator.conf
General configuration parameters
--------------------------------
Allowed parameters are:
:hsmHost: IP address of the HSM device.
:hsmPort: Port number of the HSM device.
:userConfigs: List of user authentication configurations. See below section on User Authentication Configuration.
:crl: CRL specific configuration. See below section on CRL Configuration.
:trustStoreFile: Path to the trust store file containing the ROOT certificate.
:trustStorePassword: Password for the trust store.
CRL Configuration
-----------------
:keySpecifier: This is an HSM specific parameter that corresponds to ROOT key name spacing. See Utimaco documentation for more details.
:keyGroup: This is an HSM specific parameter that corresponds to ROOT key name grouping. See Utimaco documentation for more details.
:validDays: Validity period of this CRL expressed in days.
:crlEndpoint: URL pointing to the endpoint where this CRL can be obtained from. It is embedded in the generated CRL.
:indirectIssuer: A boolean flag noting whether this CRL was issued by the certificate issuer (false) or another issuer (true).
:filePath: Path to the generated file.
:revocations: A list of revoked certificate data that is to be included in the generated CRL. Default value is the empty list.
See below for more details on the revoked certificate data.
Revoked Certificate Data
------------------------
:certificateSerialNumber: Serial number of the revoked certificate.
:dateInMillis: Certificate revocation time.
:reason: Reason for the certificate revocation. The allowed value is one of the following:
UNSPECIFIED, KEY_COMPROMISE, CA_COMPROMISE, AFFILIATION_CHANGED, SUPERSEDED, CESSATION_OF_OPERATION, PRIVILEGE_WITHDRAWN
User Authentication Configuration
---------------------------------
Allowed parameters are:
:username: HSM username. This user needs to be allowed to generate keys/certificates and store them in HSM.
:authMode: One of the 3 possible authentication modes:
PASSWORD - User's password as set-up in the HSM
CARD_READER - Smart card reader authentication
KEY_FILE - Key file based authentication.
:authToken: Depending on the authMode it is either user's password or path to the authentication key file. In case of the CARD_READER authMode value, this can be omitted.
:keyFilePassword: Only relevant, if authMode == KEY_FILE. It is the key file password.
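
Review bot: the field lists removed here describe the keys of the file pulled in by ".. literalinclude:: ../../network-management/crl-generator.conf", but this commit changes only these 2 documentation files, so that config file is left in the tree with no description of its fields. That matters most for the credential-bearing keys trustStorePassword, authToken and keyFilePassword, and for the indirectIssuer and revocations semantics, which an operator cannot infer from the key names. Either remove the tool and its config in the same change, or keep this parameter reference, for example in the Readme under network-management that the page already points to.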