SCION AS Onboarding
This page contains a high-level tutorial on how to onboard an Anapaya appliance to a SCION AS. It can be used by implementation teams as a reference during the onboarding process.
Information collection
The first step is to collect the necessary information. This includes:
- SCION ISD-AS number of the relevant appliances.
- Certificate subject information. The required values depend on the specific ISD guidelines. At least the following fields are usually required:
  - ISD-AS number
  - Organization name
  - Country
  - Common name
Certificate signing request generation
The next step is to generate a certificate signing request (CSR) for each appliance. This step requires access to the appliance API and needs to be performed by the entity managing the appliance.
The CSR can only be generated on the appliance itself.
Issue initial certificate
The initial certificate is issued by a certificate authority (CA) and is based on the CSR generated in the previous step. The CA will verify the information in the CSR and, if everything is in order, issue a signed certificate.
The CSR needs to be provided to the CA out of band, e.g. via email.
In non-public ISDs, the CA needs to verify that the CSR information matches the legal entity of the SCION AS owner. Therefore, it is important that the owner of the SCION AS directly interacts with the CA, even if the management of the appliances is delegated to another entity.
Install AS certificate
Once the initial AS certificate is issued, the CA sends it to the owner of the SCION AS. Afterwards, the entity managing the appliance needs to install the certificate on the appliance.
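Because the CSR travels out of band between the appliance operator, the AS owner and the CA, it helps to check it against the collected subject information before forwarding it, and to have a fingerprint that both ends can compare over a second channel. The following is an added example, not Anapaya tooling or part of the original page. It uses the Python `cryptography` package and assumes the ISD-AS number is carried in the subject under the attribute OID from the SCION CP-PKI specification; the subject values and the locally generated CSR are constructed sample data.

```python
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumption: ISD-AS attribute OID as defined in the SCION CP-PKI specification.
ISD_AS_OID = x509.ObjectIdentifier("1.3.6.1.4.1.55324.1.2.1")
REQUIRED = {
    "isd_as": ISD_AS_OID,
    "organization": NameOID.ORGANIZATION_NAME,
    "country": NameOID.COUNTRY_NAME,
    "common_name": NameOID.COMMON_NAME,
}

def check_csr(pem: bytes, expected: dict) -> dict:
    """Return {'problems': [...], 'sha256': fingerprint} for a PEM-encoded CSR."""
    csr = x509.load_pem_x509_csr(pem)
    problems = []
    # A valid self-signature proves the requester holds the private key.
    if not csr.is_signature_valid:
        problems.append("self-signature does not verify")
    for field, oid in REQUIRED.items():
        values = [a.value for a in csr.subject.get_attributes_for_oid(oid)]
        if len(values) != 1:
            problems.append(f"{field}: expected exactly one value, found {len(values)}")
        elif values[0] != expected[field]:
            problems.append(f"{field}: {values[0]!r} != expected {expected[field]!r}")
    # Fingerprint over the DER encoding, to be compared over a second channel.
    der = csr.public_bytes(serialization.Encoding.DER)
    return {"problems": problems, "sha256": hashlib.sha256(der).hexdigest()}

def make_sample_csr(subject: dict) -> bytes:
    """Constructed test input: stands in for a CSR exported from the appliance."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(REQUIRED[f], v) for f, v in subject.items()])
    builder = x509.CertificateSigningRequestBuilder().subject_name(name)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

# Constructed sample values, not taken from any real ISD.
EXPECTED = {"isd_as": "1-ff00:0:110", "organization": "Example Org",
            "country": "CH", "common_name": "1-ff00:0:110 AS Certificate"}

if __name__ == "__main__":
    print(check_csr(make_sample_csr(EXPECTED), EXPECTED))
```

An empty `problems` list means the subject matches the collected information; the CA performs its own verification regardless.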