# CCAT CA — Ceremony Supplies USB

This USB carries the software and documentation needed for the **offline root ceremony** (Phase 2 of CCAT CA commissioning).

Nothing on this USB is secret. All security of the ceremony comes from (a) this USB's contents being verifiable against `MANIFEST.sha256` and (b) the ceremony being run from a RAM-only Ubuntu LTS Live USB on an air-gapped laptop.

## Contents

```
README.md           this file
PLAYBOOK.md         sequential, copy-paste ceremony procedure (start here)
VERSIONS.txt        pinned Smallstep binary versions + prep timestamp
MANIFEST.sha256     SHA256 of every file in debs/, step/, docs/, and the two .md files
debs/               opensc, pcscd, and their transitive dependencies
step/               step-cli + step-kms-plugin .debs and upstream checksums
docs/               offline reference docs (see below)
```

### docs/

| File | Purpose |
|------|---------|
| `ceremony-live-usb-setup.md` | Two-USB pattern, threat model, hygiene rules, ceremony-time verification |
| `COMMISSIONING-TODO.md` | Phase 2 checklist (pre-ceremony → ceremony → cutover → rehearsal) |
| `ca-architecture.md` | CA architecture & design — what the ceremony is *producing* (two-tier, two-HSM, lifetimes, GitHub-team gate) |
| `ca-provisioner-set.md` | Reference tables — the provisioner set, SSH access tiers, Ansible role tags |
| `ca-rotation-and-recovery.md` | Rotation procedures (relevant if the ceremony is being run for an emergency root rotation rather than first commissioning) |
| `certificate-authority-threat-model.md` | Broader CA threat model this ceremony slots into |

## What to do first, at ceremony time

Before installing anything, with the supplies USB mounted (typically at `/media/ubuntu/SUPPLIES` on the Live USB):

```
cd /media/ubuntu/SUPPLIES
sha256sum -c MANIFEST.sha256
```

**Every line must say `OK`. If anything fails, stop the ceremony.** Tampering between preparation and ceremony is the exact threat the manifest defends against.

If the manifest passes, open `PLAYBOOK.md` and execute it top-to-bottom. The playbook is the ceremony — `docs/` holds the underlying reference material the playbook is condensed from.

## Physical discipline reminder

- Ethernet unplugged, Wi-Fi and Bluetooth off in BIOS, ceremony laptop booted from the **Ubuntu LTS Live USB (USB #1)**, "Try Ubuntu" chosen, internal disk NOT mounted.
- `nmcli radio all off` after boot as a belt-and-suspenders check.
- `ip link show | grep 'state UP'` — should show only loopback.
- Two HSM dongles in hand, four PINs agreed on paper (see `docs/COMMISSIONING-TODO.md` § "Pre-ceremony preparation").
- A reviewer/witness is on-site.

## After the ceremony

- Power off the laptop normally (not suspend).
- Label both USBs with the ceremony date.
- This supplies USB can be kept for the next ceremony **without re-plugging it into a network-connected machine**. The manifest check at the next ceremony re-verifies contents regardless.
- Public artefacts (`root_ca.crt`, `intermediate_ca.crt`, `ssh_user_ca.pub`, `ssh_host_ca.pub`, `FINGERPRINT.txt`) go on a **separate, clearly labelled export USB** — that is the only USB that moves back to an internet-connected machine.

## Provenance

`VERSIONS.txt` records exactly which Smallstep versions were staged and when. The prep script (`prepare-ceremony-usb.sh`) lives in the `system-integration` repo under `step-ca/`; the commit that produced this USB is the canonical record of how it was built.
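
The manifest check under "What to do first, at ceremony time" hashes only the files that `MANIFEST.sha256` names, so a file that is present in `debs/`, `step/` or `docs/` but absent from the manifest does not make `sha256sum -c` fail. The following is an added example, not part of the prep script or the playbook: a hypothetical `verify_supplies` function that runs the same check and then also fails if any file in the covered locations is unlisted. It assumes manifest paths are relative to the USB root (as written by `sha256sum` run from that directory); the exit codes are chosen here.

```shell
# Added example (not from the CCAT CA repo). verify_supplies is a hypothetical name.
# Assumption: MANIFEST.sha256 holds paths relative to the USB root, in the
# "<sha256>  <path>" format written by sha256sum, with or without a leading "./".
# Returns: 0 = all good, 1 = hash mismatch, 2 = cannot enter directory,
#          3 = file present on the USB but not listed in the manifest.
verify_supplies() {
    (
        cd "${1:-/media/ubuntu/SUPPLIES}" || exit 2

        # Step 1: the README's own check. Every listed file must hash correctly.
        sha256sum -c MANIFEST.sha256 || exit 1

        # Step 2: collect the paths the manifest lists (strip hash and mode marker).
        listed=$(sed -e 's/^[0-9a-fA-F]\{64\} [ *]//' -e 's#^\./##' MANIFEST.sha256)

        # Step 3: walk what is really on the USB in the locations the manifest
        # covers (debs/, step/, docs/ and top-level .md files). VERSIONS.txt and
        # MANIFEST.sha256 itself are outside that scope, per the Contents listing.
        # "! -type d" also catches symlinks and other non-regular entries.
        extra=$(
            { find debs step docs ! -type d
              find . -maxdepth 1 -name '*.md' ! -type d
            } | sed 's#^\./##' | while IFS= read -r f; do
                printf '%s\n' "$listed" | grep -Fxq -- "$f" || printf '%s\n' "$f"
            done
        )

        if [ -n "$extra" ]; then
            printf 'NOT IN MANIFEST (stop the ceremony):\n%s\n' "$extra" >&2
            exit 3
        fi
    )
}

# Usage at ceremony time: verify_supplies /media/ubuntu/SUPPLIES && echo "supplies verified"
```
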