
Getting Started Guide

This guide outlines the steps to start using the LAAVAT PKI and Signing Platform. Follow these instructions to configure your tenant, create products, manage cryptographic materials, and perform operations such as image signing and device certificate issuance. The guide assumes that the LAAVAT PKI and Signing Platform has already been integrated with your Microsoft Entra ID or Google Identity Platform.

Initial Configuration

  1. Create Initial Groups:

    • Follow the Initial onboarding groups documentation to set up the initial configuration groups.
    • These groups are used to further configure the LAAVAT PKI and Signing Platform.
  2. Register Tenant Information:

    • Refer to the onboarding documentation provided by LAAVAT to register your tenant details.
  3. Wait for Service Deployment:

    • After LAAVAT deploys your tenant, proceed with the configuration steps below.
  4. Create Configuration Request:

    • The LAAVAT PKI and Signing Platform uses group information from Entra ID or Google to control access to features.
    • To enable feature access, create a configuration request using the LAAVAT GUI or REST API, specifying the relevant configuration groups.
    • Refer to the API Documentation for REST API details.
    • Configuration changes can be made at any time as needed.
  5. Approve Configuration Request:

    • An authorized person defined in the Initial Groups can approve the request via the LAAVAT GUI.

Product Creation

  1. Create Certificate Profiles (if needed):

    • If the product requires a High Assurance Boot (HAB) or Advanced High Assurance Boot (AHAB) tree or signing certificates:
      • Plan the Certificate Revocation List (CRL) distribution and issuance frequency. This step is not relevant for HAB/AHAB certificates.
      • Create and upload certificate profiles via the REST API.
    • Refer to the Certificate Management Guide for details.
    • Examples of Certificate profiles for different use cases are available here.
  2. Plan and Create a Product:

    • Define the product based on your use case (e.g., image signing or device certificates).
    • Create authorization groups required for the product:
      • Each operation has an approval rule.
      • Assign roles for product management and approval.
      • Ensure groups align with your security policies.
    • Examples of products for different use cases are available here.
  3. Create Product Configuration:

    • Generate a product configuration JSON file specifying the required settings.
  4. Upload Product Configuration:

    • Submit the configuration JSON to the LAAVAT Platform via the REST API.
    • Approve Product Request:
      • A user with the product approval role must approve the request using the LAAVAT GUI.
      • Upon approval, the service generates the necessary cryptographic material.

Manufacturing

  1. Distribute Cryptographic Material:

    • Download cryptographic materials (e.g., keys or certificates) from the LAAVAT Platform using the REST API.
    • Distribute the materials securely to the relevant stakeholders.
  2. Register a Client:

    • Register a client with a public key to enable decryption of JSON Web Encryption (JWE) payloads containing sensitive material.

Product Operations

Image Signing

  1. Create Image Signing Request:

  2. Submit Request:

    • Send the request to the LAAVAT Platform via the REST API.
  3. Approve Request:

    • Depending on authorization rules, an authorized user must approve the request via the GUI.
    • Download Signed Content:
      • Retrieve the processed (signed) content from the LAAVAT Platform.

Device Certificates

  1. Create Certificate Signing Request (CSR):

    • Generate a CSR on the device and submit it to the LAAVAT Platform via the REST API.
  2. Deploy Certificate:

    • Download the issued certificate from the LAAVAT Platform.
    • Deploy the certificate to the device for use.