Anapaya SCION CA architecture
The Anapaya SCION CA is a robust and flexible Certificate Authority (CA) designed for the SCION network. It is built on top of step-ca, an open-source, self-hosted CA implementation. The Anapaya SCION CA comprises a set of modular services that work together to deliver a comprehensive CA solution for SCION.
By default, the Anapaya SCION CA services are deployed as co-located systemd services. This architecture allows for straightforward replication across multiple nodes, enabling high availability and load balancing. While systemd-based deployment is the standard, the services are flexible and can be adapted to other environments. The services themselves are largely stateless, with state management handled by a user-provided storage backend.
The Anapaya SCION CA unit includes three main components:
- step-ca: Third-party software responsible for certificate issuance.
- step-ca-adapter: An adapter layer that translates the SCION CA API into requests for step-ca. It validates and verifies renewal requests before forwarding them to step-ca.
- step-ca-rotator: A service that manages rotation of the CA certificate and private key used by step-ca.
To operate, the Anapaya SCION CA also requires:
- Key Management Service (KMS): Securely stores the CA private key, which is used by step-ca to sign certificates.
- Storage backend: Persists CA state for all three main components.
Currently, only PostgreSQL is supported as the storage backend, and Google Cloud KMS as the Key Management Service. The architecture is designed for extensibility and can support additional storage backends and KMS providers in the future. If you are interested in alternative options, please contact Anapaya support.
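As an added illustration of the two external dependencies described above (this fragment is not taken from the Anapaya documentation and is not Anapaya's own configuration), the following shows how the upstream step-ca `ca.json` expresses the same split: the signing key lives in Google Cloud KMS and is referenced by resource name rather than by a key file, and CA state is persisted in PostgreSQL. All project, key ring, host and credential values are placeholders; the assumption that the Anapaya deployment surfaces these upstream settings unchanged is ours, not the page's.

```json
{
  "root": ["/etc/step-ca/certs/root_ca.crt"],
  "crt": "/etc/step-ca/certs/intermediate_ca.crt",

  "kms": {
    "type": "cloudkms",
    "credentialsFile": "/etc/step-ca/PLACEHOLDER-cloudkms-credentials.json"
  },
  "key": "projects/PLACEHOLDER-project/locations/global/keyRings/PLACEHOLDER-ring/cryptoKeys/PLACEHOLDER-ca-key/cryptoKeyVersions/1",

  "db": {
    "type": "postgresql",
    "dataSource": "postgresql://stepca:PLACEHOLDER-password@PLACEHOLDER-db-host:5432/",
    "database": "step_ca"
  }
}
```

With this wiring the CA host holds only the certificate chain and a KMS credential; the private key itself is never written to local disk, which is the property the KMS component exists to provide. Because the database is the only stateful element, a second node started from an identical configuration against the same PostgreSQL instance and the same KMS key serves the same CA, which is what makes the replication described earlier straightforward.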