Installation
Follow this installation guide to set up the Anapaya SCION CA on a Debian/Ubuntu host. The deployment uses Google Cloud KMS for cryptographic protection of the CA and root CA private keys, and PostgreSQL as the database backend for storing the CA state.
Requirements
Before you can install the Anapaya SCION CA, ensure that the following requirements are met:
- Host runs Debian/Ubuntu or a compatible Linux distribution.
- You have sudo privileges to install packages and manage services.
- You have internet access to download the necessary packages and dependencies.
- You have a PostgreSQL database server running for storing the CA state. The following three dedicated databases are required:
  - Database for step-ca (recommended name: step_ca)
  - Database for step-ca-adapter (recommended name: step_ca_adapter)
  - Database for step-ca-rotator (recommended name: step_ca_rotator)
- You have two key rings in the Google Cloud KMS:
- Key ring for the SCION CP-PKI root CA private key (accessed by step-ca-rotator)
- Key ring for the SCION CP-PKI CA private key (accessed by step-ca)
- You have service accounts with credentials for the Google Cloud KMS key rings:
  - step-ca-rotator:
    - roles/cloudkms.cryptoOperator on the root key ring
    - roles/cloudkms.viewer on the root key ring
    - roles/cloudkms.admin on the intermediate key ring
  - step-ca:
    - roles/cloudkms.cryptoOperator on the intermediate key ring
    - roles/cloudkms.viewer on the intermediate key ring
You could further restrict the access of the individual service accounts by introducing the following custom roles:
- cloudkms.cryptoKeyRotator (instead of roles/cloudkms.admin for step-ca-rotator), granting:
  - cloudkms.cryptoKey.create
  - cloudkms.cryptoKeyVersions.create
  - cloudkms.cryptoKeyVersions.get
  - cloudkms.cryptoKeyVersions.viewPublicKey
- cloudkms.signerWithPubKey (instead of roles/cloudkms.cryptoOperator for step-ca), granting:
  - cloudkms.cryptoKeyVersions.useToSign
  - cloudkms.cryptoKeyVersions.viewPublicKey
Preparation
Before you configure the Anapaya SCION CA, you need to prepare the host and install the necessary binaries. This section guides you through the process, irrespective of whether the host is set up in leader or follower mode.
Get the binaries
Replace the $ACCESS_TOKEN placeholder in the download commands below with your access token.
Download the latest version of the step-ca-adapter:
curl -1sLf -O 'https://dl.cloudsmith.io/$ACCESS_TOKEN/anapaya/stable/raw/versions/latest/step-ca-adapter'
sudo chmod +x step-ca-adapter
sudo chown root:root step-ca-adapter
sudo mv step-ca-adapter /usr/bin/step-ca-adapter
Download the latest version of the step-ca-rotator:
curl -1sLf -O 'https://dl.cloudsmith.io/$ACCESS_TOKEN/anapaya/stable/raw/versions/latest/step-ca-rotator'
sudo chmod +x step-ca-rotator
sudo chown root:root step-ca-rotator
sudo mv step-ca-rotator /usr/bin/step-ca-rotator
Download the latest version of the step-ca:
sudo apt-get update && sudo apt-get install -y --no-install-recommends curl gpg ca-certificates
sudo curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
| sudo tee /etc/apt/sources.list.d/smallstep.list
sudo apt-get update && sudo apt-get -y install step-cli step-ca
(See the step-ca documentation for more details)
Prepare the host
Set up a system user scion-ca and create the necessary directories:
sudo useradd --user-group --system --home /etc/scion-ca --shell /bin/false scion-ca
sudo mkdir -p /etc/scion-ca
sudo chown scion-ca:scion-ca /etc/scion-ca
sudo chmod 750 /etc/scion-ca
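The following preflight script is an added example, not part of the Anapaya documentation: it checks the state that the "Get the binaries" and "Prepare the host" steps above are supposed to produce (binaries on PATH, the scion-ca system user, and /etc/scion-ca owned by scion-ca with mode 750 so the configuration that will later hold database and KMS credentials is not readable by other users). The script name scion-ca-preflight.sh is an assumption used only to decide when to run the checks.

```shell
# Preflight check for the host preparation steps (added example, not Anapaya's
# code). Each check returns 0 on success; preflight() returns the failure count.

# Return 0 if the directory's mode string (as printed by ls -ld) matches the
# expected one, e.g. "drwxr-x---" for mode 750. Portable: no GNU stat needed.
check_dir_mode() {
  dir=$1; expected=$2
  [ -d "$dir" ] || return 1
  actual=$(ls -ld "$dir" | cut -c1-10)
  [ "$actual" = "$expected" ]
}

# Return 0 if the directory is owned by the given user and group.
check_dir_owner() {
  dir=$1; user=$2; group=$3
  [ -d "$dir" ] || return 1
  set -- $(ls -ld "$dir")   # fields: mode links owner group ...
  [ "$3" = "$user" ] && [ "$4" = "$group" ]
}

# Return 0 if the named executable is on PATH.
check_binary() {
  command -v "$1" >/dev/null 2>&1
}

# Return 0 if the system user exists.
check_user() {
  id "$1" >/dev/null 2>&1
}

# Run all checks from the guide and return how many failed (0 means ready).
preflight() {
  failures=0
  for bin in step-ca step-ca-adapter step-ca-rotator; do
    check_binary "$bin" || { echo "MISSING binary: $bin"; failures=$((failures + 1)); }
  done
  check_user scion-ca || { echo "MISSING user: scion-ca"; failures=$((failures + 1)); }
  check_dir_owner /etc/scion-ca scion-ca scion-ca \
    || { echo "WRONG owner on /etc/scion-ca (want scion-ca:scion-ca)"; failures=$((failures + 1)); }
  check_dir_mode /etc/scion-ca drwxr-x--- \
    || { echo "WRONG mode on /etc/scion-ca (want 750)"; failures=$((failures + 1)); }
  return "$failures"
}

# Only run the checks when executed as the preflight script itself (assumed name).
case "${0##*/}" in scion-ca-preflight.sh) preflight; exit $? ;; esac
```

Save it as scion-ca-preflight.sh and run it after the commands above; a non-zero exit status lists exactly which preparation step is still missing.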
Choose the mode
The Anapaya SCION CA can be deployed redundantly across multiple instances, which share their state through the database. An instance runs in one of two modes: leader mode, in which the instance actively rotates the CA certificate, or follower mode, in which the instance passively follows the leader and provisions the CA certificate and private keys.
In a single instance deployment, the Anapaya SCION CA is always deployed in leader mode. In a multi-instance deployment, the first instance should be deployed in leader mode, and all subsequent instances should be deployed in follower mode.
When installing the Anapaya SCION CA in the leader mode, certain steps move parts of the configuration to the database, such that it can be shared with the followers. Therefore, it is crucial that the first instance is deployed in leader mode before any followers are deployed.
To install the Anapaya SCION CA in leader mode, follow the leader mode installation. To install the Anapaya SCION CA in follower mode, follow the follower mode installation.