path: root/scripts/biz-certs/Dave-EE.req
blob: f989d254505ffb83d9baefe365eeac3be4ea1cd7 (plain) (blame)
****** Running a hierarchical rsync configuration ******

Having every relying party on the Internet contact every publication service is
not terribly efficient. In many cases, it may make more sense to use a
hierarchical configuration in which a few "gatherer" relying parties contact
the publication servers directly, while a collection of other relying parties
get their raw data from the gatherers.

  Note
      The relying parties in this configuration still perform their own
      validation; they just let the gatherers do the work of collecting the
      unvalidated data for them.

A gatherer in a configuration like this would look just like a stand-alone
relying party as discussed above. The only real difference is that a gatherer
must also make its unauthenticated data collection available to other relying
parties. Assuming the standard configuration, this will be the directory
/var/rcynic/data/unauthenticated and its subdirectories.

There are two slightly different ways to do this with rsync:

  1. Via unauthenticated rsync, by configuring an rsyncd.conf "module", or
  2. Via rsync over a secure transport protocol such as ssh.

Since the downstream relying party performs its own validation in any case,
either of these will work, but using a secure transport such as ssh makes it
easier to track problems back to their source if a downstream relying party
concludes that it's been receiving bad data.

A script for a downstream relying party using ssh might look like this:

  #!/bin/sh -

  PATH=/usr/bin:/bin:/usr/local/bin
  umask 022

  # Start an ssh agent for this run and load the key used to reach the gatherers.
  eval `/usr/bin/ssh-agent -s` >/dev/null
  /usr/bin/ssh-add /root/rpki_ssh_id_rsa 2>&1 | /bin/fgrep -v 'Identity added:'

  # Pull each gatherer's unauthenticated tree into its own local directory.
  hosts='larry.example.org moe.example.org curly.example.org'
  for host in $hosts
  do
    /usr/bin/rsync --archive --update --safe-links rpkisync@${host}:/var/rcynic/data/unauthenticated/ /var/rcynic/data/unauthenticated.${host}/
  done

  # Shut the agent down as soon as the transfers are finished.
  eval `/usr/bin/ssh-agent -s -k` >/dev/null

  # Validate each gatherer's copy separately and build a report for each.
  for host in $hosts
  do
    /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf -u /data/unauthenticated.${host}
    /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /usr/local/www/data/rcynic.${host}
  done

  # Hand the validated result to the rpki-rtr server.
  cd /var/rcynic/rpki-rtr
  /usr/bin/su -m rcynic -c '/usr/local/bin/rtr-origin --cronjob /var/rcynic/data/authenticated'

where /root/rpki_ssh_id_rsa is an SSH private key authorized to log in as user
"rpkisync" on the gatherer machines. If you want to lock this down a little
tighter, you could use ssh's command="..." mechanism as described in the sshd
documentation to restrict the rpkisync user so that it can only run this one
rsync command.
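One way to apply that command="..." restriction, as an added example that is not part of the rcynic documentation: a forced-command wrapper installed on each gatherer for the rpkisync key. The wrapper path /usr/local/bin/rpkisync-wrapper, the exact rsync option set it accepts (based on the options the script above sends) and the requests it is tested with are assumptions; widen the allowlist if your rsync version sends other server-side options.

```shell
#!/bin/sh -
# Forced-command wrapper for the "rpkisync" account on a gatherer
# (added example, not part of the rcynic distribution). In
# ~rpkisync/.ssh/authorized_keys, prefix the downstream key with:
#   command="/usr/local/bin/rpkisync-wrapper",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...(key)
# sshd then runs this script with the client's request in SSH_ORIGINAL_COMMAND.

ALLOWED_DIR='/var/rcynic/data/unauthenticated/'   # the only path clients may pull
RSYNC=/usr/bin/rsync

# Succeed only for a read-only rsync pull of ALLOWED_DIR: the request must be
# "rsync --server --sender", then short-option clusters, --safe-links, the "."
# placeholder and, as the final word, ALLOWED_DIR. Everything else is refused
# (a push, --remove-source-files, some other directory, a shell command).
check_rsync_command() {
    set -f                      # no globbing while the request is split
    set -- $1
    set +f
    [ $# -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    last=
    while [ $# -gt 0 ]; do
        case $1 in
            -[[:alpha:].]*)  ;;     # e.g. -logDtpru or -e.iLsfxC; never "--..."
            --safe-links)    ;;
            .)               ;;
            "$ALLOWED_DIR")  ;;
            *)               return 1 ;;
        esac
        last=$1
        shift
    done
    [ "$last" = "$ALLOWED_DIR" ]
}

rpkisync_main() {
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        set -- ${SSH_ORIGINAL_COMMAND#rsync }
        exec "$RSYNC" "$@"      # our rsync binary, with the vetted arguments
    fi
    echo "rpkisync: refused request: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
}
# Dispatch only when sshd passed a command; an interactive-shell request sets
# no SSH_ORIGINAL_COMMAND and simply gets nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    rpkisync_main
fi
```

Refused requests are logged to stderr, which sshd forwards to the client, so a misconfigured downstream relying party sees why its pull failed.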

If you prefer to use insecure rsync, perhaps to avoid allowing the downstream
relying parties any sort of login access at all on the gatherer machines, the
configuration would look more like this:

  #!/bin/sh -

  PATH=/usr/bin:/bin:/usr/local/bin
  umask 022

  # Pull each gatherer's "unauthenticated" rsync module into its own local directory.
  hosts='larry.example.org moe.example.org curly.example.org'
  for host in $hosts
  do
    /usr/bin/rsync --archive --update --safe-links rsync://${host}/unauthenticated/ /var/rcynic/data/unauthenticated.${host}/
  done

  # Validate each gatherer's copy separately and build a report for each.
  for host in $hosts
  do
    /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf -u /data/unauthenticated.${host}
    /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /usr/local/www/data/rcynic.${host}
  done

  # Hand the validated result to the rpki-rtr server.
  cd /var/rcynic/rpki-rtr
  /usr/bin/su -m rcynic -c '/usr/local/bin/rtr-origin --cronjob /var/rcynic/data/authenticated'

where "unauthenticated" here is an rsync module pointing at
/var/rcynic/data/unauthenticated on each of the gatherer machines.
Configuration for such a module would look like:

  [unauthenticated]
      read only           = yes
      transfer logging    = yes
      path                = /var/rcynic/data/unauthenticated
      comment             = Unauthenticated RPKI data