1.4 Greenpass Trust Chain Setup

1.4.1 Installing the Source of Authority (SOA)

The source of Authority is a certificate that serves as the root of all the certification chains; it may be a child of another SOA; thus, a single certificate issued by an institutional SOA could be used here. The Greenpass admininistration needs access to the private keys of the SOA to generate the top-level delegators. Subsequent delegations do not need to access the SOA private key. Thus, the SOA cert and private key can be used to create a group of delegators with their own certificates and keys, then safely secured offline.

Get cert.p12 file for the certificate to be used as the Greenpass SOA.
make a PEM file from the P12 (can use same password for PEM file)
```
# openssl pkcs12 -in SOA.p12 -clcerts -out SOA.pem
```

convert from PEM to DER

# openssl x509 -inform PEM -outform -DER -in SOA.pem -out SOA.der

Store the SOA public key

# java edu.dartmouth.greenpass.bootstrap.ExtractKey -i SOA.der -o SOA.pub

Copy the SOA.pub file to the GPRadius machine, gpradsrc/jdaemons directory.

1.4.2 Initial Delegators (Bootstrapping)

Greenpass handles users delegating to users; thus a special method must be used to delegate to the first user. This special method is called Bootstrapping. The intial users delegated to directly by the SOA must be bootstrapped. For ease of use, the commands to bootstrap a given user are generally stored in a shell script. (The java commands listed below assume the needed jars are in the CLASSPATH. Execute the gpradsrc/setenv.sh script to set the CLASSPATH appropriately)
Bootstrapped users should be system administrators or other users trusted with permission priviliges, and the ability to grant permission priviliges to others.

1.4.2.1 Creating Certificates

If the user doesn't have a certificate, openssl can be used to generate one. For additional reference, please review the OpenSSL documentation and other online resources on the internet.

The simplest cookbook command is repeated below.
To create a certificate and a keypair, use the command

openssl req -new -x509 -keyout certkey.pem -out cert.pem

Answer the prompt questions, and an x509 certificate will be generated in the cert.pem file. Don't forget to protect the certkey.pem file, as that contains the private key.

1.4.2.2 Creating a Bootstrap Script

Example bootstrap scripts can be found in the gpradius install, in the gpradsrc/jdaemons/scripts directory.

clone an existing bootstrap.sh file
The bootstrap script uses two variables, hardcoded for each script.
A hex hash of the delegator, and the name of the file containing the SDSI/SPKI certificate.
```
# cp bootstrap.sh user_name_bootstrap.sh
```
Get a hex hash value from the SOA
```
# java edu.dartmouth.greenpass.bootstrap.ExtractKey -x md5 -i SOA.der
```
The Output is hex hash value needed below, copy and paste into bootstrap.sh

Generate a der file from the user's p12 certificate file.

# openssl pkcs12 -in user_cert.p12 -clcerts -out user_cert.pem
# openssl x509 -inform PEM -outform -DER -in user_cert.pem -out user_cert.der

make SDSI/SPKI certificate file for user
This step requires knowledge of the SOA.p12 password.
The bootstrap tool takes several arguments:
1. The p12 of the the SOA: SOA.p12
2. The DER file of the user: user_cert.der
3. number of days for the delegation to be valid: 365
4. name of the output file: SOAtoUser.spki
For example,
```
# java edu.dartmouth.greenpass.bootstrap.BootstrapTool SOA.p12 user_cert.der 365 SOAtoUser.spki
```
Additional information on SDSI/SPKI can be obtained

Edit the bootstrap script for the user, user_name_bootstrap.sh

HEX_HASH=(value of hex hash from SOA or delegator)
SPKI_FILE=(name of SPKI file above)

Make the bootstrap script executable
```
# chmod +x user_name_bootstrap.sh
```

The script is now ready to be add the user as a delegator when the server is running.

Return to Main
1 Building Greenpass 2 Running Greenpass

Last edited August 14, 2006
Greenpass Home