...
It is crucial to have a trust anchor for all issued client certificates which is stable on the long-term. To that end, an offline hardware-backed CA is provisioned and kept in a physically safe position in GEANT property. The CA itself is created with the CA generation script publicly available on GitHub.
The scripts require at least openssl 1.1.0.
IMPORTANT: adapt the settings/openssl-rsa.cnf and settings/openssl-ecdsa.conf cnf settings before issuing the CA. In particular:
...
need to point to the future URL of the CRL/OCSP Responder.
The script
CA.bootstrapNewRootCA
will generate TWO CAs, one with RSA/4096 bit keys, one with ECDSA/NIST P-521 keys. The latter one is future-proofing.
Afterwards, edit again settings/openssl-rsa.cnf and settings/openssl-ecdsa.cnf settings with new URLs for the intermediate (Issuing) CA.
Subsequently, issue the command
CA.generateNewIntermediateCA
Specific Instructions to make CAT instance a Managed IdP one
...