Getting started
The Anapaya SCION CA (Certificate Authority) is a crucial component in the SCION architecture, responsible for issuing and managing SCION Control Plane Public Key Infrastructure (CP-PKI) certificates that authenticate entities within the SCION network. This document provides an overview of how to get started with the Anapaya SCION CA.
Features
Built on open source
The Anapaya SCION CA is built on top of step-ca, an open source, self-hosted certificate authority implementation.
Cryptographic protection
For strong protection of the CA's private key, the Anapaya SCION CA can leverage cloud-based Key Management services (KMS) or PKCS #11 HSM.
SCION spec compliance
The Anapaya SCION CA is designed to integrate seamlessly with the Anapaya appliance and any other spec compliant SCION control plane implementations, as it exposes the SCION CA API.
Flexible deployment
The Anapaya SCION CA can be replicated horizontally across multiple nodes, allowing for high availability and load balancing. The CA deployment is decoupled from the Anapaya appliance, allowing for flexible scaling and management.
Why use the Anapaya SCION CA?
The SCION CP-PKI ensures secure, trustworthy, and verifiable routing and path information. The CP-PKI protects who can announce routing information, what paths are considered valid, and how trust is scoped and updated.
Trust for an Isolation Domain (ISD) is anchored in a Trust Root Configuration (TRC). Part of this TRC is a list of CP root certificates. Through this list, the power of issuing CP-PKI AS certificates is delegated to the certificate authorities of an ISD.
The SCION protocol does not prescribe strict requirements on the certificate authority, or on how subscribers are managed. From the protocol's perspective, the only requirements are that the certificate authority's root certificate is listed in the TRC, and that there is some mechanism for subscribers to obtain a SCION AS certificate in order to produce valid signatures. The ISD governance is responsible for defining further requirements, and may delegate some of these decisions to the certificate authority itself.
Certificate renewal
While the SCION control plane does not define how certificate authority subscribers are managed, or how initial AS certificates are obtained, it proposes a standard approach to automatically renew AS certificates.
Certificate renewal requests are sent as a ChainRenewalRequest via SCION to the SCION control service. This request is signed with an existing AS certificate which is still active and valid.
Both sides of this automatic renewal process are implemented by the Anapaya appliance. The Anapaya appliance automatically renews the AS certificates in time before they expire. When configured, the Anapaya appliance also acts as the server side.
To allow for third-party implementations of the SCION CA, and flexible deployments, the Anapaya appliance simply acts as a proxy for the renewal request. The request received over SCION is forwarded to an internal CA service that exposes the well-defined SCION CA API. The Anapaya SCION CA is one implementation of this API, but any other implementation can be used as well.
Where to start?
To learn more about the Anapaya SCION CA and what its deployment architecture looks like, see the architecture document. To install an instance of the Anapaya SCION CA, consult the installation guide.