TRC Signing Ceremony - Script Builder
TRC Ceremony Builder
The builder generates the ceremony script from the following inputs:
TRC: Ceremony Type, ISD (required), Base Number, Serial Number
Actions (select one or more): New sensitive voting certificate, New regular voting certificate, New root certificate, Cast a vote
General Settings: Working Directory, Signing Tool, Short ID (required), Exchange Mechanism (Shared Drive), Skip Preparation, Skip Certificate Exchange, Show Expected Output Hints
Certificate Subject: ISD-AS (required), Country, State, Locality, Organization, Organizational Unit, Common Name
Per certificate: Key Management System; Private Key, identified in the form the selected KMS expects (URI, UUID, Name, ID or ID including version, or Label for CMS); AWS Region or Azure Vault Name where the KMS needs it; either Certificate Path with Not Before and Not After (for a certificate to be created) or the existing Certificate
Check that you are in the correct working directory, if you are using
relative paths, or environment variables containing relative paths.
We recommend using absolute paths where possible.
Preparation
Execute the following steps to prepare for the TRC ceremony.
Make sure that you have access to all the required keys and
certificates during the ceremony. To learn more about the
process, refer to the preparation
steps.
1. Create Subject Template
cat << EOF > /subject.tmpl
EOF
The four --key/--kms pairs below are alternatives for AWS KMS, Azure Key Vault, Cloud KMS and PKCS#11; pass only the pair that matches the key management system holding the private key.
scion-pki certificate create \
--profile \
--not-before \
--not-after \
--common-name "" \
--key "awskms:key-id=" \
--kms "awskms:region=" \
--key "azurekms:vault=;name=" \
--kms "azurekms" \
--key "" \
--kms "cloudkms:" \
--key "pkcs11:" \
--kms "pkcs11:" \
/subject.tmpl \
\
1. Create Basic OpenSSL Configuration
cat << EOF > /basic.cnf
[openssl_init]
oid_section = oids
[req]
distinguished_name = req_distinguished_name
prompt = no
[oids]
ISD-AS = SCION ISD-AS number, 1.3.6.1.4.1.55324.1.2.1
sensitive-key = SCION sensitive voting key, 1.3.6.1.4.1.55324.1.3.1
regular-key = SCION regular voting key, 1.3.6.1.4.1.55324.1.3.2
root-key = SCION CP root key, 1.3.6.1.4.1.55324.1.3.3
[req_distinguished_name]
CN = \${common_name::name}
[ca]
default_ca = basic_ca
[basic_ca]
default_days = \${ca_defaults::default_days}
default_md = sha256
database = database/index.txt
new_certs_dir = certificates
unique_subject = no
rand_serial = yes
policy = policy_any
[policy_any]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
2. Create x509 Database
mkdir -p /database
touch /database/index.txt
mkdir -p /certificates
cat << EOF > /.cnf
openssl_conf = openssl_init
x509_extensions = x509_ext
[common_name]
name =
[x509_ext]
subjectKeyIdentifier = hash
extendedKeyUsage = , 1.3.6.1.5.5.7.3.8
[ca_defaults]
default_days = 1825
.include basic.cnf
EOF
If the private key is provided via PKCS#11, it must already exist before the
following commands are run: follow the documentation of your KMS to create
it, and skip the key generation below. For a file-based key, generate a
P-256 key first.
openssl genpkey -algorithm EC \
-pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:named_curve \
-out
openssl req -new -utf8 \
-config /.cnf \
-key \
-keyform engine \
-engine pkcs11 \
-out /.csr
openssl ca -selfsign -preserveDN -notext -batch -utf8 \
-in /.csr \
-config /.cnf \
-keyfile \
-keyform engine \
-engine pkcs11 \
-startdate \
-enddate \
-out
Phase 1: Exchange of Certificates
Follow the instructions of the TRC ceremony administrator to
exchange all of the required certificates.
1. Copy own certificates to drive (shared drive)
mkdir -p /
cp \
\
\
/
1. Share certificate bundle (tar bundle)
Share the tar file with the TRC ceremony administrator using the agreed upon
manual channel.
tar --transform 's|.*/|/|' \
\
\
\
-cvf ..certs.tar
2. Copy all certificates from the drive (shared drive) or unpack the bundle (tar bundle)
cp -r /*/ /
tar -xf .certs.tar -C
3. Check certificates
Compare each hash with the value announced by the TRC ceremony administrator
before using the certificate.
for cert in /*/*.crt; do
sha256sum "$cert"
done
Expected Output:
521908d5ebefddd536a... FILE_NAME
Phase 2: Creation of Payload
Follow the instructions of the TRC ceremony administrator to
receive the TRC payload.
1. Copy TRC Payload (shared drive)
cp /.pld.der
1. Unpack TRC Payload (tar bundle)
tar -xf .pld.tar -C
2. Check TRC Payload
sha256sum
Expected Output:
fe37bb0d2462f3ffe86...
3. Inspect TRC Payload
scion-pki trc inspect
Expected Output:
version: 1
id:
    isd:
    base_number:
    serial_number:
...
Phase 3: Signing of the TRC Payload
Follow the instructions of the TRC ceremony administrator and
create the required signatures.
1. Sign the TRC Payload (scion-pki)
The four key/--kms pairs below are alternatives for AWS KMS, Azure Key Vault,
Cloud KMS and PKCS#11; pass only the pair that matches your key management system.
scion-pki trc sign \
\
"awskms:key-id=" \
--kms "awskms:region=" \
"azurekms:vault=;name=" \
--kms "azurekms" \
"" \
--kms "cloudkms:" \
"pkcs11:" \
--kms "pkcs11:" \
\
-o
1. Sign the TRC Payload (openssl)
openssl cms -sign -in -inform der \
-signer \
-inkey \
-keyform engine \
-engine pkcs11 \
-nodetach -nocerts -nosmimecap -binary -outform der \
>
Expected Output:
engine "pkcs11" set.
2. Verify the signature
openssl cms -verify -in -inform der \
-certfile \
-CAfile \
-purpose any -no_check_time \
> /dev/null
Expected Output:
Verification successful
3. Share the signature (shared drive)
cp \
/
3. Share the signature (tar bundle)
tar --transform 's|.*/|/|' \
\
-cvf ..signatures.tar
Phase 4: Assembly of the TRC
Follow the instructions of the TRC ceremony administrator to
receive the signed TRC. This step concludes the ceremony.
1. Copy TRC from drive (shared drive)
cp /.trc
1. Unpack TRC (tar bundle)
tar -xf .trc.tar -C
2. Check TRC
sha256sum .trc
Expected Output:
b43cd88fddf9032f7b2... .trc
3. Inspect TRC
scion-pki trc inspect --predecessor
Expected Output:
version: 1
id:
    isd:
    base_number:
    serial_number:
...
4. Format TRC
The output of the TRC ceremony is a DER encoded TRC. To convert
it to the more ergonomic PEM format, use the following command.
scion-pki trc format --format pem
Expected Output:
-----BEGIN TRC-----
MIIRpQYJKoZIhvcNAQcCoIIRljCCEZICAQExDTALBglghkgBZQMEAgEwggx0Bgkq
hkiG9w0BBwGgggxlBIIMYTCCDF0CAQAwCQIBAQIBAQIBATAiGA8yMDI0MDgyNjE1
MTUxNFoYDzIwMjUxMTE5MTUxNTE0WgIBAAEBADAAAgECMBgTCmZmMDA6MDoxMjAT
...
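To see what the PEM block above actually wraps, here is an added example that is not part of the builder or of the scion-pki tooling. It decodes the three base64 lines shown above using only Python's standard library and walks the leading DER structure: the CMS ContentInfo and SignedData headers (RFC 5652), then the start of the encapsulated TRC payload (version, ID and validity, the fields the page's `scion-pki trc inspect` output lists first). Because the page truncates the TRC, the parser reads only this prefix and never requires a declared length to be present in the buffer. The constant and function names are mine; the field labels in the comments follow RFC 5652 and the inspect output on the page.

```python
"""Added example: peek at the structure of a PEM-encoded SCION TRC (stdlib only)."""
import base64

# Constructed from the page: the first three base64 lines printed by
# `scion-pki trc format --format pem`; the rest of the TRC is elided there.
SAMPLE_TRC_PEM = """-----BEGIN TRC-----
MIIRpQYJKoZIhvcNAQcCoIIRljCCEZICAQExDTALBglghkgBZQMEAgEwggx0Bgkq
hkiG9w0BBwGgggxlBIIMYTCCDF0CAQAwCQIBAQIBAQIBATAiGA8yMDI0MDgyNjE1
MTUxNFoYDzIwMjUxMTE5MTUxNTE0WgIBAAEBADAAAgECMBgTCmZmMDA6MDoxMjAT
"""

OID_NAMES = {  # RFC 5652 / NIST OIDs expected in the CMS envelope
    "1.2.840.113549.1.7.2": "id-signedData",
    "1.2.840.113549.1.7.1": "id-data",
    "2.16.840.1.101.3.4.2.1": "sha256",
}


def pem_body(pem):
    """Strip the BEGIN/END armour and base64-decode what is left."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64)


def read_tlv(buf, off):
    """Parse a DER tag and length at `off`; return (tag, value_offset, value_length).

    The value may run past the end of `buf` when the input is truncated;
    callers slice only the bytes they actually need.
    """
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:  # short-form length
        return tag, off + 2, first
    n = first & 0x7F  # long form: the next n bytes hold the length
    return tag, off + 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def expect(buf, off, tag):
    """Like read_tlv, but fail loudly if the element is not the expected type."""
    got, voff, vlen = read_tlv(buf, off)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {off}, got 0x{got:02x}")
    return voff, vlen


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def sequence_of(buf, off, length, tag, convert):
    """Read all same-typed elements of a constructed value at buf[off:off+length]."""
    items, p = [], off
    while p < off + length:
        voff, vlen = expect(buf, p, tag)
        items.append(convert(buf[voff:voff + vlen]))
        p = voff + vlen
    return items


def summarize_trc(pem):
    """Return the CMS envelope fields and the leading TRC payload fields."""
    buf, out = pem_body(pem), {}
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    off, _ = expect(buf, 0, 0x30)
    voff, vlen = expect(buf, off, 0x06)
    out["content_type"] = decode_oid(buf[voff:voff + vlen])
    off, _ = expect(buf, voff + vlen, 0xA0)
    # SignedData ::= SEQUENCE { version INTEGER, digestAlgorithms SET OF
    #   AlgorithmIdentifier, encapContentInfo, ... }
    off, _ = expect(buf, off, 0x30)
    voff, vlen = expect(buf, off, 0x02)
    out["signed_data_version"] = int.from_bytes(buf[voff:voff + vlen], "big")
    set_off, set_len = expect(buf, voff + vlen, 0x31)
    alg_off, _ = expect(buf, set_off, 0x30)
    voff, vlen = expect(buf, alg_off, 0x06)
    out["digest_algorithm"] = decode_oid(buf[voff:voff + vlen])
    # EncapsulatedContentInfo ::= SEQUENCE { eContentType OID,
    #   eContent [0] EXPLICIT OCTET STRING }; the OCTET STRING holds the DER TRC payload
    off, _ = expect(buf, set_off + set_len, 0x30)
    voff, vlen = expect(buf, off, 0x06)
    out["econtent_type"] = decode_oid(buf[voff:voff + vlen])
    off, _ = expect(buf, voff + vlen, 0xA0)
    off, _ = expect(buf, off, 0x04)
    # TRC payload prefix: SEQUENCE { version INTEGER, id SEQUENCE OF INTEGER,
    #   validity SEQUENCE OF GeneralizedTime, ... } (the rest is cut off in the sample)
    off, _ = expect(buf, off, 0x30)
    voff, vlen = expect(buf, off, 0x02)
    # Encoded as 0 here, while `scion-pki trc inspect` on the page prints "version: 1".
    out["payload_version_raw"] = int.from_bytes(buf[voff:voff + vlen], "big")
    id_off, id_len = expect(buf, voff + vlen, 0x30)
    out["id"] = sequence_of(buf, id_off, id_len, 0x02, lambda v: int.from_bytes(v, "big"))
    val_off, val_len = expect(buf, id_off + id_len, 0x30)
    out["not_before"], out["not_after"] = sequence_of(
        buf, val_off, val_len, 0x18, lambda v: v.decode("ascii"))
    return out


if __name__ == "__main__":
    for key, value in summarize_trc(SAMPLE_TRC_PEM).items():
        name = OID_NAMES.get(value, "") if isinstance(value, str) else ""
        print(f"{key:>20}: {value} {name}".rstrip())
```

On the sample this reports a CMS SignedData with a SHA-256 digest algorithm wrapping an id-data payload whose ID integers are all 1 and whose validity runs from 20240826151514Z to 20251119151514Z; the signer information that follows the payload is beyond the truncated sample. The point of walking the bytes by hand is that the ID and validity you read here are exactly what a participant should compare against the `scion-pki trc inspect` output and the administrator's announcement before signing.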