diff --git a/docs/source/hsm-crl-generator.rst b/docs/source/hsm-crl-generator.rst deleted file mode 100644 index 19cc5e8be9..0000000000 --- a/docs/source/hsm-crl-generator.rst +++ /dev/null @@ -1,18 +0,0 @@ -HSM Certificate Generation Tool -=============================== - -The purpose of the HSM Certificate Revocation List (CRL) Generation Tool is to provide means for the ROOT signed CRL creation. -Currently, only the NODE-level CRL creation is automated. Other levels (i.e. INTERMEDIATE and TLS) need to be addressed as well. -Since we do not presume to update the INTERMEDIATE-level CRL often, the automation in this case is not required. -With respect to the TLS certificates, we (from the perspective of R3) are not the maintainers of those CRLs. -It is a customer responsibility to maintain those lists. However, in order to ensure correct CRL checking procedure in case of the -SSL communication we need to provide the endpoint serving an empty CRL in case the customer is not able to provide for a CRL infrastructure. -Thus necessity for an empty CRL creation. - -The HSM CRL Generation Tool allows for both empty and non-empty CRL creation. It can be configured to generate direct and indirect CRLs. -A direct CRL is a CRL issued by the certificate issuer, which applies to the INTERMEDIATE certificates. -However, sometimes there is a need for creating an indirect CRL - i.e. issued by another authority different than the certificate issuer. This is the case in the TLS certificates. -The tool is implemented in such a way that the ROOT CA is always the issuing authority. Depending on the configuration, the generated -CRL can be flagged as direct or indirect. - -The output of the tool is a file containing ASN.1 DER-encoded bytes of the generated CRL. \ No newline at end of file diff --git a/docs/source/running-hsm-crl-generator.rst b/docs/source/running-hsm-crl-generator.rst deleted file mode 100644 index e09f3a505b..0000000000 
--- a/docs/source/running-hsm-crl-generator.rst +++ /dev/null 
@@ -1,76 +0,0 @@ -Running the HSM Certificate Generation tool -=========================================== - -The purpose of this tool is to facilitate the process of CRL generation using the ROOT certificate stored on the HSM infrastructure. -See :doc:`hsm-crl-generator` for more details. - - -See the Readme under ``network-management`` for detailed building instructions. - - -Configuration file ------------------- -At startup, the HSM CRL Generation Tool reads a configuration file, passed with ``--config-file`` on the command line. - -This is an example of what a tool configuration file might look like: - .. literalinclude:: ../../network-management/crl-generator.conf - -General configuration parameters --------------------------------- -Allowed parameters are: - -:hsmHost: IP address of the HSM device. - -:hsmPort: Port number of the HSM device. - -:userConfigs: List of user authentication configurations. See below section on User Authentication Configuration. - -:crl: CRL specific configuration. See below section on CRL Configuration. - -:trustStoreFile: Path to the trust store file containing the ROOT certificate. - -:trustStorePassword: Password for the trust store. - - -CRL Configuration ------------------ - -:keySpecifier: This is an HSM specific parameter that corresponds to ROOT key name spacing. See Utimaco documentation for more details. - -:keyGroup: This is an HSM specific parameter that corresponds to ROOT key name grouping. See Utimaco documentation for more details. - -:validDays: Validity period of this CRL expressed in days. - -:crlEndpoint: URL pointing to the endpoint where this CRL can be obtained from. It is embedded in the generated CRL. - -:indirectIssuer: A boolean flag noting whether this CRL was issued by the certificate issuer (false) or another issuer (true). - -:filePath: Path to the generated file. - -:revocations: A list of revoked certificate data that is to be included in the generated CRL. Default value is the empty list. 
- See below for more details on the revoked certificate data. - -Revoked Certificate Data ------------------------- - -:certificateSerialNumber: Serial number of the revoked certificate. - -:dateInMillis: Certificate revocation time. - -:reason: Reason for the certificate revocation. The allowed value is one of the following: - UNSPECIFIED, KEY_COMPROMISE, CA_COMPROMISE, AFFILIATION_CHANGED, SUPERSEDED, CESSATION_OF_OPERATION, PRIVILEGE_WITHDRAWN - -User Authentication Configuration ---------------------------------- -Allowed parameters are: - -:username: HSM username. This user needs to be allowed to generate keys/certificates and store them in HSM. - -:authMode: One of the 3 possible authentication modes: - PASSWORD - User's password as set-up in the HSM - CARD_READER - Smart card reader authentication - KEY_FILE - Key file based authentication. - -:authToken: Depending on the authMode it is either user's password or path to the authentication key file. In case of the CARD_READER authMode value, this can be omitted. - -:keyFilePassword: Only relevant, if authMode == KEY_FILE. It is the key file password. \ No newline at end of file
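Review bot: deleting `docs/source/hsm-crl-generator.rst` removes the only description of the tool's direct/indirect CRL flag and of why an empty CRL endpoint is served for TLS certificates, but the hunk does not show the tool itself leaving `network-management`; if the tool stays, relocate this text (for example into the `network-management` Readme the second page points at) rather than dropping it, and while moving it fix the internal inconsistency that a direct CRL is said to apply to INTERMEDIATE certificates while the same page says only NODE-level CRL creation is automated. Also confirm that no remaining toctree or `:doc:` reference still names `hsm-crl-generator`, otherwise the Sphinx build will warn on a dangling reference.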
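Review bot: deleting `docs/source/running-hsm-crl-generator.rst` drops the only reference for the `--config-file` parameters, including the secrets this tool expects in that file (`trustStorePassword`, `authToken` for PASSWORD mode, `keyFilePassword`) and the `revocations` / `reason` schema; if the tool is still shipped, that material should be moved, not removed, and the moved text should correct the `username` description, which grants the HSM user permission to generate keys and store them in the HSM when signing a CRL with the ROOT key needs only sign permission. The page also `literalinclude`s `../../network-management/crl-generator.conf`; if that file is being removed in the same change, make the commit message say so, and if it is not, a relocated page should keep the include working. Check the toctree that listed `running-hsm-crl-generator` is updated in the same commit.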