The SCION CPPKI requires some ASes to act as Certificate Authorities (CAs) in their local ISD. These ASes need to provide a certificate renewal service to their customer ASes. The certificate renewal request is sent via SCION to the Anapaya appliance in the CA AS. On successful certificate issuance, the CA returns a valid SCION CPPKI Certificate Chain consisting of the SCION CPPKI AS and CA certificates. This document describes the different deployment models the Anapaya appliance supports for such a CA AS, and goes into detail on the configuration and operation of the standard solution (Anapaya SCION CA).
The rest of the chapter only explains the configuration and operation of the Vault-based Anapaya SCION CA.
The Anapaya Appliance supports multiple deployment models for a SCION CPPKI Certificate Authority (CA). The different models are tailored to address different needs and requirements. In the rest of this section, these models are explained in more detail.