MOD: docs update
parent ab056455ec
commit da07fd1845
|
@ -0,0 +1,23 @@
|
|||
|
||||
|
||||
|
||||
[[ modify elphdt ]]
|
||||
|
||||
From what I am seeing it appears as though the directory “/certs” is mounted from the NAS. I will need to add the new certificates to the NAS and they will be accessed from the “/certs” directory.
|
||||
|
||||
I will generate a new certificate chain with the PKI Bootstrap applicaiton. I will copy the new “CA Intermediate package” to this location:
|
||||
/certs/cai/09-2018/
|
||||
It will contain the CA Intermediates and the server certificates.
|
||||
|
||||
|
||||
Looking at elphdt, there is a file .gitlab-ci.yml: this file contains the “CI/CD configuration”. In the file the there are two global variables that are significant:
|
||||
|
||||
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: ‘/certs/acme.xyz/CA/ACME_06-2018_ca'
|
||||
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: ‘/certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
|
||||
|
||||
I will modify these variables to point to the new locations (this can be done for each build type):
|
||||
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: ‘/certs/acme.xyz/CA/ACME_06-2018_ca'
|
||||
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: ‘/certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
|
||||
|
||||
This solution will work fine for now. And in the future we can worry about generating a new server certificate for each MOB Hub.
|
||||
|
|
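Review bot: The "I will modify these variables to point to the new locations" block repeats the same two values listed above it as the current settings (`/certs/acme.xyz/CA/ACME_06-2018_ca` and `/certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38`), so the doc never states the new paths, and neither value points under `/certs/cai/09-2018/`, where the new CA Intermediate package is to be copied. Please replace the second pair with the intended new values. The quoting on all four lines opens with a typographic ‘ and closes with a straight ', which will not parse as a quoted YAML string if someone pastes it into .gitlab-ci.yml. The last sentence defers generating a server certificate for each MOB Hub; a backlog entry for that would keep the interim arrangement from becoming permanent. Typos: "applicaiton", "the there".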
@ -3,30 +3,48 @@
|
|||
|
||||
[[ WORKING ]]
|
||||
|
||||
* discover process that pulls the cert file
|
||||
-modify to pull from CA-I server certs
|
||||
* gen PKI Lifecycle, gen CA-I package, copy CA-I package to cert share (on NAS)
|
||||
* push latest source code
|
||||
* PKI Bootstrap slide deck
|
||||
-request a meeting to go over the PKI and show the slide deck
|
||||
|
||||
* testing multiple CA-I compatibility
|
||||
-"103.cai.skunkworks.acme.xyz" -worked
|
||||
-"104.cai.skunkworks.acme.xyz" -test this
|
||||
* test "104.cai.skunkworks.acme.xyz"
|
||||
-load client certificate onto different tablet
|
||||
|
||||
* research gitlab CI
|
||||
-install gitlab in docker
|
||||
-configure CI
|
||||
-try to have it run pki bootstrap??
|
||||
|
||||
|
||||
|
||||
[[ BACKLOG ]]
|
||||
|
||||
[ current ]
|
||||
* zip distribution folder (ca_i_4321.skunkworks.acme.xyz.zip)
|
||||
* add CA password
|
||||
* create certificate installation guide
|
||||
* create a ("CA-I package") zip file for distribution (folder: ca_i_4321.skunkworks.acme.xyz.zip)
|
||||
* add CA password??
|
||||
* create Andriod certificate installation guide
|
||||
-copy file to sd, select .p12 file, password="password"
|
||||
|
||||
|
||||
[ misc ]
|
||||
* can I install certificates from an android application??
|
||||
-can I used knox to install certificates??
|
||||
* create GUI for cert gen process (electron+crypto-interface)
|
||||
* add tool for .p12 file extractor for MH provisioning
|
||||
* add havegd (make sure there is adequite entropy)
|
||||
|
||||
|
||||
[ ver 3.5 : xdev bootstrap chain-of-trust ]
|
||||
* select bootstrap generation cpu (beaglebone, raspi)
|
||||
* change strings from "acme.xyz" to ".mil"
|
||||
* generate bootstrap
|
||||
* select bootstrap generation computer (beaglebone, raspi)
|
||||
-create PKI Lifecycle package for "navy.mil"
|
||||
-sneakernet two CA-I
|
||||
* create a "navy-prod" branch
|
||||
-change strings from "acme.xyz" to ".mil"
|
||||
-make any other sensitive specific changes
|
||||
* create a "navy-dev" branch
|
||||
* create a "navy-int" branch (integration branch, similar to a beta branch)
|
||||
* integrate into the build
|
||||
-modify CI global variables (for each build)
|
||||
-certs are generated BEFORE pulled into image (not part of build process)
|
||||
|
|
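Review bot: The Android installation step `-copy file to sd, select .p12 file, password="password"` writes the PKCS#12 password into the notes, and the value is a fixed, guessable one. Since the .p12 holds the client private key and is carried on removable storage, I would document where the installer obtains the password rather than the value itself, and use a generated passphrase per package. Related: "add CA password??" is still phrased as an open question while the CA-I package is planned to be zipped and copied to the NAS cert share; please record a decision on protecting the CA key before that package is distributed. Minor: "havegd" presumably means haveged, and "Andriod" and "adequite" are misspelled.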