j3g
/
pki-bootstrap_pub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

MOD: docs update

This commit is contained in:
JohnE 2018-09-17 10:38:56 -07:00
parent ab056455ec
commit da07fd1845
2 changed files with 51 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
docs/elphdt Normal file
View File

@ -0,0 +1,23 @@
[[ modify elphdt ]]
From what I am seeing it appears as though the directory “/certs” is mounted from the NAS. I will need to add the new certificates to the NAS and they will be accessed from the “/certs” directory.
I will generate a new certificate chain with the PKI Bootstrap applicaiton. I will copy the new “CA Intermediate package” to this location:
/certs/cai/09-2018/
It will contain the CA Intermediates and the server certificates.
Looking at elphdt, there is a file .gitlab-ci.yml: this file contains the “CI/CD configuration”. In the file the there are two global variables that are significant:
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
I will modify these variables to point to the new locations (this can be done for each build type):
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
This solution will work fine for now. And in the future we can worry about generating a new server certificate for each MOB Hub.

38
docs/pki_agile
View File

@ -3,30 +3,48 @@
[[ WORKING ]] [[ WORKING ]]
* discover process that pulls the cert file * PKI Bootstrap slide deck
-modify to pull from CA-I server certs -request a meeting to go over the PKI and show the slide deck
* gen PKI Lifecycle, gen CA-I package, copy CA-I package to cert share (on NAS)
* push latest source code * testing multiple CA-I compatibility
-"103.cai.skunkworks.acme.xyz" -worked
-"104.cai.skunkworks.acme.xyz" -test this
* test "104.cai.skunkworks.acme.xyz"
-load client certificate onto different tablet
* research gitlab CI
-install gitlab in docker
-configure CI
-try to have it run pki bootstrap??
[[ BACKLOG ]] [[ BACKLOG ]]
[ current ] [ current ]
* zip distribution folder (ca_i_4321.skunkworks.acme.xyz.zip) * create a ("CA-I package") zip file for distribution (folder: ca_i_4321.skunkworks.acme.xyz.zip)
* add CA password * add CA password??
* create certificate installation guide * create Andriod certificate installation guide
-copy file to sd, select .p12 file, password="password" -copy file to sd, select .p12 file, password="password"
[ misc ]
* can I install certificates from an android application?? * can I install certificates from an android application??
-can I used knox to install certificates?? -can I used knox to install certificates??
* create GUI for cert gen process (electron+crypto-interface) * create GUI for cert gen process (electron+crypto-interface)
* add tool for .p12 file extractor for MH provisioning * add tool for .p12 file extractor for MH provisioning
* add havegd (make sure there is adequite entropy) * add havegd (make sure there is adequite entropy)
[ ver 3.5 : xdev bootstrap chain-of-trust ] [ ver 3.5 : xdev bootstrap chain-of-trust ]
* select bootstrap generation cpu (beaglebone, raspi) * select bootstrap generation computer (beaglebone, raspi)
* change strings from "acme.xyz" to ".mil" -create PKI Lifecycle package for "navy.mil"
* generate bootstrap
-sneakernet two CA-I -sneakernet two CA-I
* create a "navy-prod" branch
-change strings from "acme.xyz" to ".mil"
-make any other sensitive specific changes
* create a "navy-dev" branch
* create a "navy-int" branch (integration branch, similar to a beta branch)
* integrate into the build * integrate into the build
-modify CI global variables (for each build) -modify CI global variables (for each build)
-certs are generated BEFORE pulled into image (not part of build process) -certs are generated BEFORE pulled into image (not part of build process)