# Installation Authority Tooling

The Product Root private key must stay outside the repository and outside the
cluster database. The backend stores only the public key and signed activation
records.

Generate a Product Root key pair:

```powershell
go run scripts/installation/product-root-tool.go generate-key
```

Configure production backend nodes with the generated `public_key_b64`:

```powershell
$env:INSTALLATION_AUTHORITY_MODE = "strict"
$env:INSTALLATION_PRODUCT_ROOT_PUBLIC_KEY_B64 = "<public_key_b64>"
```

Create a signed first-owner activation manifest:

```powershell
go run scripts/installation/product-root-tool.go activate `
  -private-key-file C:\secure\rap-product-root.json `
  -install-id install-prod-001 `
  -owner-email owner@example.com `
  -expires-at 2026-05-01T00:00:00Z `
  -environment production
```

Use the output `activation_payload` and `activation_signature` in the admin
panel first-owner screen or in `POST /api/v1/installation/bootstrap-owner`.
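
The sketch below shows why the backend needs only the public key: it can verify a signed activation without ever holding the private key. It is an added example, not this project's code. It assumes Ed25519 signatures over a base64-encoded JSON payload, and `Activation`, its JSON field names, `VerifyActivation` and `demoSign` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Activation mirrors the activate flags; the JSON field names are assumed, not the project's schema.
type Activation struct {
	InstallID   string    `json:"install_id"`
	OwnerEmail  string    `json:"owner_email"`
	ExpiresAt   time.Time `json:"expires_at"`
	Environment string    `json:"environment"`
}

// VerifyActivation authenticates the payload bytes before parsing or trusting any field.
func VerifyActivation(pubB64, payloadB64, sigB64, installID, env string, now time.Time) (*Activation, error) {
	pub, e1 := base64.StdEncoding.DecodeString(pubB64)
	payload, e2 := base64.StdEncoding.DecodeString(payloadB64)
	sig, e3 := base64.StdEncoding.DecodeString(sigB64)
	var a Activation
	switch { // cases are evaluated in order, so the signature check precedes JSON parsing
	case e1 != nil || e2 != nil || e3 != nil || len(pub) != ed25519.PublicKeySize:
		return nil, fmt.Errorf("malformed key, payload or signature")
	case !ed25519.Verify(pub, payload, sig):
		return nil, fmt.Errorf("signature not valid under the Product Root public key")
	case json.Unmarshal(payload, &a) != nil || a.InstallID != installID || a.Environment != env:
		return nil, fmt.Errorf("unparsable, or issued for another installation or environment")
	case !now.Before(a.ExpiresAt):
		return nil, fmt.Errorf("activation expired")
	}
	return &a, nil
}

func demoSign(email string) (exp time.Time, pubB64, payloadB64, sigB64 string) {
	exp = time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed throwaway key
	payload, _ := json.Marshal(Activation{"install-prod-001", email, exp, "production"})
	enc := base64.StdEncoding.EncodeToString
	return exp, enc(priv.Public().(ed25519.PublicKey)), enc(payload), enc(ed25519.Sign(priv, payload))
}

func main() {
	exp, pub, p, s := demoSign("owner@example.com")
	fmt.Println(VerifyActivation(pub, p, s, "install-prod-001", "production", exp.AddDate(0, 0, -1)))
}
```

Binding the check to the node's own install ID and environment keeps a manifest signed for one installation from being replayed against another.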