From da07fd1845b54464297cc88b28961c44671fa7d8 Mon Sep 17 00:00:00 2001 From: JohnE Date: Mon, 17 Sep 2018 10:38:56 -0700 Subject: [PATCH] MOD: docs update --- docs/elphdt | 23 +++++++++++++++++++++++ docs/pki_agile | 38 ++++++++++++++++++++++++++++---------- 2 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 docs/elphdt diff --git a/docs/elphdt b/docs/elphdt new file mode 100644 index 0000000..fec9035 --- /dev/null +++ b/docs/elphdt @@ -0,0 +1,23 @@ + + + +[[ modify elphdt ]] + +From what I am seeing it appears as though the directory “/certs” is mounted from the NAS. I will need to add the new certificates to the NAS and they will be accessed from the “/certs” directory. + +I will generate a new certificate chain with the PKI Bootstrap applicaiton. I will copy the new “CA Intermediate package” to this location: +/certs/cai/09-2018/ +It will contain the CA Intermediates and the server certificates. + + +Looking at elphdt, there is a file .gitlab-ci.yml: this file contains the “CI/CD configuration”. In the file the there are two global variables that are significant: + +GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: ‘/certs/acme.xyz/CA/ACME_06-2018_ca' +GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: ‘/certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38' + +I will modify these variables to point to the new locations (this can be done for each build type): +GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: ‘/certs/acme.xyz/CA/ACME_06-2018_ca' +GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: ‘/certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38' + +This solution will work fine for now. And in the future we can worry about generating a new server certificate for each MOB Hub. + diff --git a/docs/pki_agile b/docs/pki_agile index b0a26df..1277511 100644 --- a/docs/pki_agile +++ b/docs/pki_agile 
@@ -3,30 +3,48 @@ [[ WORKING ]] -* discover process that pulls the cert file - -modify to pull from CA-I server certs -* gen PKI Lifecycle, gen CA-I package, copy CA-I package to cert share (on NAS) -* push latest source code +* PKI Bootstrap slide deck + -request a meeting to go over the PKI and show the slide deck + +* testing multiple CA-I compatibility + -"103.cai.skunkworks.acme.xyz" -worked + -"104.cai.skunkworks.acme.xyz" -test this + * test "104.cai.skunkworks.acme.xyz" + -load client certificate onto different tablet + +* research gitlab CI + -install gitlab in docker + -configure CI + -try to have it run pki bootstrap?? + [[ BACKLOG ]] [ current ] -* zip distribution folder (ca_i_4321.skunkworks.acme.xyz.zip) -* add CA password -* create certificate installation guide +* create a ("CA-I package") zip file for distribution (folder: ca_i_4321.skunkworks.acme.xyz.zip) +* add CA password?? +* create Andriod certificate installation guide -copy file to sd, select .p12 file, password="password" + + +[ misc ] * can I install certificates from an android application?? -can I used knox to install certificates?? * create GUI for cert gen process (electron+crypto-interface) * add tool for .p12 file extractor for MH provisioning * add havegd (make sure there is adequite entropy) + [ ver 3.5 : xdev bootstrap chain-of-trust ] -* select bootstrap generation cpu (beaglebone, raspi) -* change strings from "acme.xyz" to ".mil" -* generate bootstrap +* select bootstrap generation computer (beaglebone, raspi) + -create PKI Lifecycle package for "navy.mil" -sneakernet two CA-I +* create a "navy-prod" branch + -change strings from "acme.xyz" to ".mil" + -make any other sensitive specific changes + * create a "navy-dev" branch + * create a "navy-int" branch (integration branch, similar to a beta branch) * integrate into the build -modify CI global variables (for each build) -certs are generated BEFORE pulled into image (not part of build process)
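Review bot: In the docs/elphdt hunk, the "modified" CI variables are byte-for-byte identical to the current ones. The text says "I will modify these variables to point to the new locations", but both blocks still read `GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: ‘/certs/acme.xyz/CA/ACME_06-2018_ca'` and `GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: ‘/certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'`, and the new CA-I package location the same file names, `/certs/cai/09-2018/`, never appears in either value. As written, a reader following this doc would leave the pipeline on the June 2018 chain. Please put the actual new paths in the second block (or mark them TBD explicitly), and while there, use matching ASCII quotes: each value opens with a Unicode `‘` and closes with an ASCII `'`, which will not parse as intended if pasted into .gitlab-ci.yml. Minor: "applicaiton" -> "application".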
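Review bot: In the docs/pki_agile hunk, the Android installation guide item commits the client .p12 passphrase to the repo in the clear: `* create Andriod certificate installation guide -copy file to sd, select .p12 file, password="password"`. A PKCS#12 password belongs with the distribution package or a secrets store, not in a tracked planning doc, and "password" itself should not survive past a test build; suggest replacing the literal with a placeholder and tracking the real value out of band, which also ties in with the still-open `* add CA password??` line above it. Same concern for the `navy-prod` branch plan: a branch in this repository does not restrict who can read the ".mil" strings and "other sensitive specific changes", so note where that branch is allowed to live. Minor: "Andriod" -> "Android", "adequite" -> "adequate".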