.. _trc-signing-ceremony-builder: .. raw:: html
| Ceremony Type | |
| ISD |
| Base Number | |
| Serial Number |
| Select | Action |
|---|---|
| New sensitive voting certificate | |
| New regular voting certificate | |
| New root certificate | |
| Cast a vote |
| Working Directory | |
| Signing Tool | |
| Short ID |
| Exchange Mechanism | |
| Shared Drive | |
| Skip Preparation | |
| Skip Certificate Exchange | |
| Show Expected Output Hints |
| ISD-AS |
| Country | |
| State | |
| Locality | |
| Organization | |
| Organizational Unit |
| Common Name | |
| Key Management System | |
| Key Management System | |
| Private Key (URI) (UUID) (Name) (ID including version) (ID) | |
| Private Key (Label for CMS) | |
| Private Key (AWS Region) | |
| Private Key (Azure Vault Name) | |
| Private Key (URI) | |
| Certificate Path | |
| Not Before | |
| Not After |
| Key Management System | |
| Key Management System | |
| Private Key (Label for CMS) (UUID) (Name) (ID including version) (ID) | |
| Private Key (AWS Region) | |
| Private Key (Azure Vault Name) | |
| Private Key (URI) | |
| Certificate |
# Step 1: write the subject template and create the certificate with scion-pki.
# The heredoc body appears empty here because the page's placeholders (the DN
# fields collected in the form above: Country, State, Locality, Organization,
# Organizational Unit, Common Name) were not rendered; do not write comments
# into the heredoc, they would end up in the template file.
# Only one --key/--kms pair below applies: the builder emits the variant for
# the selected Key Management System (awskms, azurekms, cloudkms or pkcs11).
# The empty quoted values ("") are unrendered placeholders, not literal empty
# strings to copy. --not-before/--not-after bound the certificate validity
# and presumably come from the Not Before / Not After fields above — verify.
# NOTE(review): the trailing backslashes run this command straight into the
# next heredoc as rendered; on the real page each placeholder line carries an
# argument.
cat << EOF > /subject.tmpl
EOFscion-pki certificate create \
--profile \
--not-before \
--not-after \
--common-name "" \
--key "awskms:key-id=" \
--kms "awskms:region=" \
--key "azurekms:vault=;name=" \
--kms "azurekms" \
--key "" \
--kms "cloudkms:" \
--key "pkcs11:" \
--kms "pkcs11:" \
/subject.tmpl \
\
cat << EOF > /basic.cnf
# basic.cnf: OpenSSL configuration shared by the request and CA steps below.
# It is written through an unquoted heredoc, so the OpenSSL variable
# references further down are backslash-escaped to keep the shell from
# expanding them; OpenSSL resolves them from the including config file.
# Registers the SCION OIDs from [oids] so they can be referenced by name.
[openssl_init]
oid_section = oids
[req]
distinguished_name = req_distinguished_name
# No interactive prompting: the DN comes entirely from the configuration.
prompt = no
# SCION-specific object identifiers: the ISD-AS attribute and the three
# certificate roles (sensitive voting, regular voting, CP root).
[oids]
ISD-AS = SCION ISD-AS number, 1.3.6.1.4.1.55324.1.2.1
sensitive-key = SCION sensitive voting key, 1.3.6.1.4.1.55324.1.3.1
regular-key = SCION regular voting key, 1.3.6.1.4.1.55324.1.3.2
root-key = SCION CP root key, 1.3.6.1.4.1.55324.1.3.3
[req_distinguished_name]
# Resolved from the [common_name] section of the including config file.
CN = \${common_name::name}
[ca]
default_ca = basic_ca
[basic_ca]
# Validity in days, taken from [ca_defaults] in the including config file.
# The openssl ca step below passes -startdate/-enddate, which take precedence.
default_days = \${ca_defaults::default_days}
default_md = sha256
# Relative paths: resolved against the directory openssl is run from; the
# database file must already exist (see the touch below) before openssl ca
# will run.
database = database/index.txt
new_certs_dir = certificates
# Lets the CA database hold more than one certificate with the same subject
# DN; without it a second issuance for the same subject is refused.
unique_subject = no
# Random serial numbers instead of a counter kept in a serial file.
rand_serial = yes
policy = policy_any
# countryName and commonName must be present in the request; every other
# DN attribute is optional.
[policy_any]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOFmkdir -p /database
touch /database/index.txt
mkdir -p /certificatescat << EOF > /.cnf
# Per-certificate config: global settings first, then the sections that
# basic.cnf references by name, then basic.cnf itself is pulled in.
openssl_conf = openssl_init
x509_extensions = x509_ext
# Value substituted into the CN line of [req_distinguished_name] in basic.cnf.
# Empty here because the page placeholder was not rendered.
[common_name]
name =
[x509_ext]
subjectKeyIdentifier = hash
# The leading comma is an unrendered placeholder for the role-specific EKU
# (one of the OIDs from [oids] in basic.cnf, presumably — verify);
# 1.3.6.1.5.5.7.3.8 is id-kp-timeStamping.
extendedKeyUsage = , 1.3.6.1.5.5.7.3.8
# Consumed by default_days in [basic_ca] of basic.cnf (1825 days = 5 years).
[ca_defaults]
default_days = 1825
# Relative include path — presumably resolved from the working directory the
# openssl commands are run in, so run them where basic.cnf lives; verify
# against the OpenSSL version in use.
.include basic.cnf
EOFopenssl genpkey -algorithm EC \
-pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:named_curve \
-out
# Above: generates a P-256 EC private key into a file (-out argument is an
# unrendered placeholder). NOTE(review): the req step below instead addresses
# a key through the pkcs11 engine, so presumably the builder emits either the
# genpkey step or the engine flags depending on the selected Signing Tool —
# verify; as rendered both appear.
# Below: builds the CSR. The DN is taken from the config (prompt = no in
# basic.cnf, CN from [common_name]); -keyform engine means the -key argument
# is an engine key reference handled by the pkcs11 engine, not a key file, so
# the private key is used in place and never read by openssl itself.
openssl req -new -utf8 \
-config /.cnf \
-key \
-keyform engine \
-engine pkcs11 \
-out /.csr
# Self-signed issuance with openssl ca: -selfsign signs the CSR with the key
# that produced it (there is no separate CA key), -batch suppresses all
# prompts, -preserveDN keeps the DN attribute order from the request instead
# of the policy order, -notext omits the human-readable dump from the output
# file, and -startdate/-enddate fix the validity window explicitly (taking
# precedence over default_days from the config). The signing key again stays
# in the pkcs11 engine (-keyfile with -keyform engine). The arguments of
# -startdate, -enddate and -out are unrendered placeholders; the "mkdir -p"
# fused onto the last line begins the next step of the page.
openssl ca -selfsign -preserveDN -notext -batch -utf8 \
-in /.csr \
-config /.cnf \
-keyfile \
-keyform engine \
-engine pkcs11 \
-startdate \
-enddate \
-out mkdir -p /
# Certificate exchange: the certificates are copied into the exchange
# directory, packed with tar (the --transform rule strips any leading
# directory so the archive is flat), unpacked on the receiving side, and each
# .crt is checksummed with sha256sum so the digests can be compared out of
# band. The digest printed after the loop is the page's example output, not a
# value to trust; compare against the digests the other parties announce
# before continuing. The page extraction fused several commands and their
# output onto single lines, and the copied/packed paths are unrendered
# placeholders.
cp \
\
\
/tar --transform 's|.*/|/|' \
\
\
\
-cvf ..certs.tarcp -r /*/ /tar -xf .certs.tar -C for cert in /*/*.crt; do
sha256sum $cert
done521908d5ebefddd536a... FILE_NAMEcp /.pld.der tar -xf .pld.tar -C sha256sum fe37bb0d2462f3ffe86... scion-pki trc inspect version: 1
id:
isd:
base_number:
serial_number:
# Casting the vote. scion-pki trc sign signs the TRC payload with the selected
# KMS variant; as in the certificate step only one --key/--kms pair applies
# and the empty quoted values are unrendered placeholders. The openssl cms
# alternative signs the DER payload with the pkcs11-engine key and writes a
# DER CMS SignedData that embeds the content (-nodetach) but no signer
# certificates (-nocerts) and no S/MIME capabilities (-nosmimecap); the
# 'engine "pkcs11" set.' text fused onto the redirect line is engine output,
# not part of the command. The verify step checks that signature against the
# signer given with -certfile, chained to -CAfile, but -no_check_time skips
# the certificate validity-period check and -purpose any skips the purpose /
# extended-key-usage check, so "Verification successful" confirms the
# signature only — an expired or wrong-purpose signer would still pass here.
# Afterwards the signatures are packed, exchanged and the resulting .trc is
# checksummed exactly as the certificates were; the printed digest is the
# page's example, not a value to trust.
...scion-pki trc sign \
\
"awskms:key-id=" \
--kms "awskms:region=" \
"azurekms:vault=;name=" \
--kms "azurekms" \
"" \
--kms "cloudkms:" \
"pkcs11:" \
--kms "pkcs11:" \
\
-o openssl cms -sign -in -inform der \
-signer \
-inkey \
-keyform engine \
-engine pkcs11 \
-nodetach -nocerts -nosmimecap -binary -outform der \
> engine "pkcs11" set.silentopenssl cms -verify -in -inform der \
-certfile \
-CAfile \
-purpose any -no_check_time \
> /dev/nullVerification successfulcp \
/tar --transform 's|.*/|/|' \
\
-cvf ..signatures.tarcp /.trc tar -xf .trc.tar -C sha256sum .trcb43cd88fddf9032f7b2... .trcscion-pki trc inspect --predecessor version: 1
id:
isd:
base_number:
serial_number:
...scion-pki trc format --format pem-----BEGIN TRC-----
MIIRpQYJKoZIhvcNAQcCoIIRljCCEZICAQExDTALBglghkgBZQMEAgEwggx0Bgkq
hkiG9w0BBwGgggxlBIIMYTCCDF0CAQAwCQIBAQIBAQIBATAiGA8yMDI0MDgyNjE1
MTUxNFoYDzIwMjUxMTE5MTUxNTE0WgIBAAEBADAAAgECMBgTCmZmMDA6MDoxMjAT
...