# CCAT CA — Ceremony Supplies USB

This USB carries the software and documentation needed for the offline root ceremony (Phase 2 of CCAT CA commissioning). Nothing on this USB is secret. All security of the ceremony comes from (a) this USB’s contents being verifiable against MANIFEST.sha256 and (b) the ceremony being run from a RAM-only Ubuntu LTS Live USB on an air-gapped laptop.

## Contents

```text
README.md              this file
PLAYBOOK.md            sequential, copy-paste ceremony procedure (start here)
VERSIONS.txt           pinned Smallstep binary versions + prep timestamp
MANIFEST.sha256        SHA256 of every file in debs/, step/, docs/, and the two .md files
debs/                  opensc, pcscd, and their transitive dependencies
step/                  step-cli + step-kms-plugin .debs and upstream checksums
docs/                  offline reference docs (see below)
```

## docs/

| File | Purpose |
| --- | --- |
| `ceremony-live-usb-setup.md` | Two-USB pattern, threat model, hygiene rules, ceremony-time verification |
| `COMMISSIONING-TODO.md` | Phase 2 checklist (pre-ceremony → ceremony → cutover → rehearsal) |
| `ca-architecture.md` | CA architecture & design — what the ceremony is producing (two-tier, two-HSM, lifetimes, GitHub-team gate) |
| `ca-provisioner-set.md` | Reference tables — the provisioner set, SSH access tiers, Ansible role tags |
| `ca-rotation-and-recovery.md` | Rotation procedures (relevant if the ceremony is being run for an emergency root rotation rather than first commissioning) |
| `certificate-authority-threat-model.md` | Broader CA threat model this ceremony slots into |

## What to do first, at ceremony time

Before installing anything, with the supplies USB mounted (typically at `/media/ubuntu/SUPPLIES` on the Live USB):

```bash
cd /media/ubuntu/SUPPLIES
sha256sum -c MANIFEST.sha256
```

Every line must say OK. If anything fails, stop the ceremony. Tampering between preparation and ceremony is the exact threat the manifest defends against.

If the manifest passes, open PLAYBOOK.md and execute it top-to-bottom. The playbook is the ceremony — docs/ holds the underlying reference material the playbook is condensed from.
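The manifest check above, worked through end to end as an added example (not part of the supplies USB or the system-integration repo): a POSIX shell stand-in builds a constructed miniature of the USB tree, writes `MANIFEST.sha256` over exactly the paths the Contents section says it covers, runs the ceremony-time `sha256sum -c` check, and adds a second check for files that are present but not listed, which `sha256sum -c` alone never reports. File names inside the sample tree are constructed.

```bash
#!/bin/sh
# Added example: a constructed miniature of the supplies USB, used to show how
# MANIFEST.sha256 is built and checked. File names below are made up.

# Build the stand-in tree under $1 (plays the role of /media/ubuntu/SUPPLIES).
make_sample_usb() {
    mkdir -p "$1/debs" "$1/step" "$1/docs"
    printf 'fake opensc package\n'   > "$1/debs/opensc.deb"
    printf 'fake step-cli package\n' > "$1/step/step-cli.deb"
    printf 'reference doc\n'         > "$1/docs/ca-architecture.md"
    printf 'readme\n'                > "$1/README.md"
    printf 'playbook\n'              > "$1/PLAYBOOK.md"
}

# Preparation side: hash every regular file under debs/, step/, docs/ plus the
# two top-level .md files. Paths are relative so `sha256sum -c` works wherever
# the USB is mounted; the manifest itself is deliberately outside its coverage.
write_manifest() {
    ( cd "$1" && find debs step docs README.md PLAYBOOK.md -type f \
        | LC_ALL=C sort | xargs sha256sum ) > "$1/MANIFEST.sha256"
}

# Ceremony-time check 1 (the README's step): every listed file must print OK.
# Exit status is non-zero if any line is FAILED or a listed file is missing.
verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 )
}

# Ceremony-time check 2: nothing is present that the manifest does not list.
# `sha256sum -c` is silent about additions, so compare the two file sets.
verify_no_unlisted() {
    tmp=$(mktemp -d)
    ( cd "$1" && find debs step docs README.md PLAYBOOK.md -type f \
        | LC_ALL=C sort ) > "$tmp/present"
    awk '{ print $2 }' "$1/MANIFEST.sha256" | LC_ALL=C sort > "$tmp/listed"
    cmp -s "$tmp/present" "$tmp/listed"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real ceremony run only the two `verify_*` functions apply, pointed at the mounted USB; `make_sample_usb` and `write_manifest` exist so the checks can be exercised against a throwaway tree first.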

## Physical discipline reminder

- Ethernet unplugged, Wi-Fi and Bluetooth off in BIOS, ceremony laptop booted from the Ubuntu LTS Live USB (USB #1), “Try Ubuntu” chosen, internal disk NOT mounted.
- `nmcli radio all off` after boot as a belt-and-suspenders check.
- `ip link show | grep 'state UP'` — should show only loopback.
- Two HSM dongles in hand, four PINs agreed on paper (see `docs/COMMISSIONING-TODO.md` § “Pre-ceremony preparation”).
- A reviewer/witness is on-site.

## After the ceremony

- Power off the laptop normally (not suspend).
- Label both USBs with the ceremony date.
- This supplies USB can be kept for the next ceremony without re-plugging it into a network-connected machine. The manifest check at the next ceremony re-verifies contents regardless.
- Public artefacts (`root_ca.crt`, `intermediate_ca.crt`, `ssh_user_ca.pub`, `ssh_host_ca.pub`, `FINGERPRINT.txt`) go on a separate, clearly labelled export USB — that is the only USB that moves back to an internet-connected machine.

## Provenance

`VERSIONS.txt` records exactly which Smallstep versions were staged and when. The prep script (`prepare-ceremony-usb.sh`) lives in the system-integration repo under `step-ca/`; the commit that produced this USB is the canonical record of how it was built.