ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2024-12-28 00:38:55 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
296e74aca7
corda/docs/source/hsm-cert-generator.rst
Michal Kit 789ce5d44a
Initial implementation of the certificate generation tool (#148) 
* Initial implementation of the certificate generation tool

* Adding trust store persisting

* Addressing review comments

* Adding certificate type to the certificate generation process.

* Addressing review comments

* Fixing typos

* Changing keyOverride to 0 in examples and tests

* Addressing review comments + rebasing

* Adding CRL information to the certificate generation process

* Generation tool refactoring

* Addressing review comments
2018-01-23 11:50:03 +00:00

1.9 KiB
Raw Blame History

HSM Certificate Generation Tool

The purpose of the HSM Certificate Generation Tool is to provide means for corda certificate hierarchy generation on an HSM infrastructure. The tool is intended to be executed automatically, therefore no human interaction is required. All necessary data is fed to the tool from the provided configuration file. In the configuration file, the tool expects 2 main parts to be configured:

  • HSM device location
  • HSM user(s) credentials, that will be used to gain access to the HSM device and to its functionality related to key/certificate generation. As such, it is assumed that the relevant privileged users are already set-up on the HSM prior to the script execution. The tool supports multi-user authentication, so it works with more strict policies, where there is a need for distributed privileges.
  • Certificate configuration. The tool is designed to generate a single certificate in one execution. The type of the generated certificate is driven by the certificateType parameter. Currently in Corda there is a 2-level certificate hierarchy composed of a root certificate and 2 intermediate certificates (one for CSR and one for network map/parameters signing). Most attributes for those certificates are taken from the configuration file provided to the tool during the execution time. Some of them (e.g. aliases), however, are fixed in the code due to compatibility aspects.

In addition to the certificate hierarchy creation on the HSM side, the tool stores the created root CA certificate in a trust store, which is intended for distribution across the nodes.

IMPORTANT NOTE:

Caution is required when the tool is used, especially in case where certificate attributes needs to be altered. Incorrect usage of the tool may result in existing certificates being overriden and possible network corruption.