NIKHEF CA Practice Manual
On receipt of a request, the program dca_accept will
classify the request, do the S/MIME validation if needed and
will subsequently put the request in either the "pending" or
the "failed" area.
The areas are located in /global/ices/grid/techn/certauth/ca-maillog.
Before you can do anything, please add
/global/ices/grid/techn/certauth/bin to your path:
This includes the perl scripts dca_*. The scripts are known
to work on Linux, but should be sufficiently generic.
The following commands are available:
If a request was not sent to firstname.lastname@example.org, ask to re-send this message
to email@example.com to ensure logging and entering in the pending queue.
Be sure to "bounce" or "redirect", and not to forward.
- This program is run from the mailing list and processes
the incoming requests
- dca_auth reqid
Get the basic information from the request and accept
authentication data. This command should be run while you're
on the phone with the requestor or after you visited.
If the authentication is OK, Put "Yes" behind the
"Approved: " line.
- dca_batch [-ca CA]
Copy all pending requests for this CA to the ZIP disk, and
print out the batch process form. The default CA is "medium".
List all pending and failed requests.
- dca_publish [-ca CA]
Get the publication data off the ZIP disk and put it on
the certificate web site. It will NOT yet do the
adding of new info to the LDAP directory.
- dca_update reqid
Add an audit entry for this request
- dca_view reqid
View the audit log for this request
List the pending requests using "dca_list".
For any un-approved requests, do the authentication and
update the audit record using "dca_auth".
Put the ZIP disk in your machine, and run "dca_batch"
For this, the transfer ZIP disk should have a requests directory.
A timestamp (tag) is generated and is it written to both the ZIP disk
and the general logging area. If a printer single exists,
a paper request form is printed.
The current logging area is
The request is now removed from the pending queue.
- Go to the cabinet and start the CA signing machine. If it boots,
you have to provide a BIOS password
Login as user `ca' and source the .bashrc file if neccessary.
Chdir to the directory "/data/certauth/medium-security".
Put the ZIP disk in the drive and process the requests
using the "dca_sign" script. You will have to provide the CA passphrase,
but, you only have to provide it once.
- The script will sign the requests, print the certs new serial and move
the request from the incoming to the processed directory.
Write the serial and the life time on the batch guide form.
- After signing all requests, publish the new CA state using the
"publish" script, as suggested by the siging command:
You will have to provide the CA passphrase.
- Unmount the disk again (may use the umzip script)
- Make a backup of the signing machine on
the special disk. Mount it first, then use the "mkbackup" script. This
will make a backup of all CA data and the machine log files.
For the protection-password on the (DES3) encrypted backup, use the
well-known password. Unmount the disk and store safely.
- Power the machine off if needed, take the transfer zip and put
it in a networked
machine. Copy the publishing dir from the zip disk to the web site
using the dca_publish script. You may need to privide the
password of the `gridadm' user.
- Run the dca_mailback script. Without any arguments,
this script will o all tags for which there is a ".lock" file in
the pending directory. Otherwise give the appropriate tags
as arguments. Based on the CA database (just copied) and the tag database
in the auditing area, a mail will be composed. Check it and
press Enter to mail it off to the intended recipient. If the cert
has to go to a different e-mail address, edit the mail To: line.
- File the filled paper form in the appropriate binder.
Generating a new CRL
Perform steps 7, 8, and 10.
The firstname.lastname@example.org mailing list
Mail to the email@example.com alias is sent to all users in
ca-users include file:
# Distribute mail to the members of the ca mailing list.
# ca: :include:/etc/mail/lists/ca
# ca-users: :include:/etc/mail/lists/ca-users
# ca-request: :include:/etc/mail/lists/ca-request
# owner-ca: davidg
In the /public/maillists/ca-users file, the mail is directed to both
the owner-ca alias and the auditing area
The list owner is currently davidg.
David Groep <firstname.lastname@example.org>