[DutchGrid website] NIKHEF CA Practice Manual

On receipt of a request, the program dca_accept will classify the request, do the S/MIME validation if needed and will subsequently put the request in either the "pending" or the "failed" area. The areas are located in /global/ices/grid/techn/certauth/ca-maillog.

Before you can do anything, please add /global/ices/grid/techn/certauth/bin to your path:

    PATH=/global/ices/grid/techn/certauth/bin:$PATH
    export PATH
This includes the perl scripts dca_*. The scripts are known to work on Linux, but should be sufficiently generic.

The following commands are available:

dca_accept
This program is run from the mailing list and processes the incoming requests
dca_auth reqid
Get the basic information from the request and accept authentication data. This command should be run while you're on the phone with the requestor or after you have visited them. If the authentication is OK, put "Yes" behind the "Approved: " line.
dca_batch [-ca CA]
Copy all pending requests for this CA to the ZIP disk, and print out the batch process form. The default CA is "medium".
dca_list
List all pending and failed requests.
dca_publish [-ca CA]
Get the publication data off the ZIP disk and put it on the certificate web site. It will NOT yet do the adding of new info to the LDAP directory.
dca_update reqid
Add an audit entry for this request
dca_view reqid
View the audit log for this request
If a request was not sent to ca@nikhef.nl, ask to re-send this message to ca@nikhef.nl to ensure logging and entering in the pending queue. Be sure to "bounce" or "redirect", and not to forward.

The Process

  1. List the pending requests using "dca_list". For any un-approved requests, do the authentication and update the audit record using "dca_auth".
  2. Put the ZIP disk in your machine and run "dca_batch". For this, the transfer ZIP disk should have a requests directory. A timestamp (tag) is generated and written to both the ZIP disk and the general logging area. If a printer exists, a paper request form is printed.
    The current logging area is /global/ices/grid/techn/certauth/ca-maillog/. The request is now removed from the pending queue.

  3. Go to the cabinet and start the CA signing machine. When it boots, you have to provide a BIOS password.
  4. Login as user "ca" and source the .bashrc file if necessary. Chdir to the directory "/data/certauth/medium-security".
  5. Put the ZIP disk in the drive and process the requests using the "dca_sign" script. You will have to provide the CA passphrase, but you only have to provide it once.
  6. The script will sign the requests, print each cert's new serial and move the request from the incoming to the processed directory. Write the serial and the lifetime on the batch guide form.
  7. After signing all requests, publish the new CA state using the "publish" script, as suggested by the signing command:
        publish
    
    You will have to provide the CA passphrase.
  8. Unmount the disk again (you may use the umzip script).
  9. Make a backup of the signing machine on the special disk. Mount it first, then use the "mkbackup" script. This will make a backup of all CA data and the machine log files. For the protection password on the (DES3) encrypted backup, use the well-known password. Unmount the disk and store it safely.

  10. Power the machine off if needed, take the transfer ZIP disk and put it in a networked machine. Copy the publishing dir from the ZIP disk to the web site using the dca_publish script. You may need to provide the password of the "gridadm" user.
  11. Run the dca_mailback script. Without any arguments, this script will do all tags for which there is a ".lock" file in the pending directory. Otherwise give the appropriate tags as arguments. Based on the CA database (just copied) and the tag database in the auditing area, a mail will be composed. Check it and press Enter to mail it off to the intended recipient. If the cert has to go to a different e-mail address, edit the mail To: line.
  12. File the filled paper form in the appropriate binder.

Generating a new CRL

Perform steps 7, 8, and 10.
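The following script is an added illustration of what steps 5 to 7 of the process and the "Generating a new CRL" procedure amount to; it is not the dca_sign or publish script of the NIKHEF CA and does not touch /data/certauth. It builds a throwaway OpenSSL CA under a temporary directory (the directory layout, the passphrase "demo", the requestor names alice and bob, and the function names are all assumptions made for the demo), signs every request in an incoming directory once with the CA passphrase, prints the new serial that would be written on the batch form, moves each request to a processed directory, and finally issues a fresh CRL into a publishing directory. The verification functions at the end are the checks an operator can run before copying the publishing directory to the web site.

```shell
#!/bin/sh
# Added example, not part of the NIKHEF manual or its dca_* scripts: a
# throwaway OpenSSL CA showing what steps 5-7 and "Generating a new CRL"
# amount to. Every path is constructed under a temporary directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/demo-ca"   # stands in for the CA working directory (assumption)
CAPASS="demo"           # stands in for the CA passphrase, entered once per batch

# CA layout: incoming/ (requests from the transfer disk), processed/ (signed
# requests), publish/ (material for the web site). Layout chosen for the demo.
setup_demo_ca() {
    mkdir -p "$CADIR/incoming" "$CADIR/processed" "$CADIR/newcerts" "$CADIR/publish"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = user_ext
[ demo_policy ]
commonName       = supplied
[ user_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions  = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed demo CA; the key is protected with the demo passphrase.
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=Demo CA" \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.pem" -passout "pass:$CAPASS" \
        -config "$CADIR/openssl.cnf" 2>/dev/null
}

# A requestor's PKCS#10 request dropped into incoming/ as if copied from the
# transfer disk (constructed here; real requests arrive via the mailing list).
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$CADIR/incoming/$1.req" \
        -config "$CADIR/openssl.cnf" 2>/dev/null
}

# Counterpart of dca_sign: sign every pending request, print the new serial
# (the value written on the batch form) and move the request to processed/.
sign_batch() {
    for req in "$CADIR"/incoming/*.req; do
        [ -e "$req" ] || continue
        name=$(basename "$req" .req)
        openssl ca -batch -notext -config "$CADIR/openssl.cnf" -passin "pass:$CAPASS" \
            -in "$req" -out "$CADIR/processed/$name.pem" 2>/dev/null
        serial=$(openssl x509 -in "$CADIR/processed/$name.pem" -noout -serial | cut -d= -f2)
        echo "signed $name serial=$serial"
        mv "$req" "$CADIR/processed/$name.req"
    done
}

# Counterpart of the "publish" step, which is also the whole "Generating a new
# CRL" procedure: issue a fresh CRL under the CA key into the publishing dir.
publish_crl() {
    openssl ca -gencrl -config "$CADIR/openssl.cnf" -passin "pass:$CAPASS" \
        -out "$CADIR/publish/crl.pem" 2>/dev/null
    cp "$CADIR/ca.pem" "$CADIR/publish/cacert.pem"
}

# Pre-publication checks: issued cert chains to the CA, CRL signature is valid.
cert_verifies() { openssl verify -CAfile "$CADIR/ca.pem" "$CADIR/processed/$1.pem" >/dev/null 2>&1; }
crl_verifies()  { openssl crl -in "$CADIR/publish/crl.pem" -CAfile "$CADIR/ca.pem" -noout >/dev/null 2>&1; }

count_files() {  # count_files DIR EXT: number of DIR/*.EXT files
    n=0
    for f in "$1"/*."$2"; do [ -e "$f" ] && n=$((n + 1)); done
    echo "$n"
}

run_demo() {
    setup_demo_ca
    make_request alice
    make_request bob
    sign_batch
    publish_crl
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
fi
```

Running the script prints one "signed NAME serial=NN" line per request, leaves incoming/ empty, and puts cacert.pem and crl.pem in publish/, which is what the dca_publish step later copies to the web site. The serial file is advanced by openssl ca itself, so the serials on the batch form can be reconciled against index.txt afterwards.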

The ca@nikhef.nl mailing list

Mail to the ca@nikhef.nl alias is sent to all users in the ca-users include file:
    #/etc/mail/lists/ca
    #
    # Distribute mail to the members of the ca mailing list.
    #
    # ca:           :include:/etc/mail/lists/ca
    # ca-users:     :include:/etc/mail/lists/ca-users
    # ca-request:   :include:/etc/mail/lists/ca-request
    # owner-ca:     davidg
    #
    :include:/etc/mail/lists/ca-users
In the /public/maillists/ca-users file, the mail is directed to both the owner-ca alias and the auditing area /global/ices/grid/techn/certauth/ca-maillog/maillog. The list owner is currently davidg.
David Groep <davidg@nikhef.nl>