runelab-ca/readme.md

# Runelab CA

A certificate authority for the HomeLab.

The setup was mostly done by following these two guides:

- [Jamie Nguyen's OpenSSL CA guide](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html)
- [Mour's](https://github.com/mylamour) [blog post Jamie's guide using an HSM](https://github.com/mylamour/blog/issues/80)

## Notes of precaution

- The root key is a yubikey kept in a physical vault at a bank in Switzerland.

## Setup

### Required Software

- OpenSSL
- libp11
- [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/)
  - [AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)

**macOS note:** openssl installed via homebrew does not pickup on libp11, you need to manually copy the pkcs11 library (update the versions):

```sh
cp /opt/homebrew/Cellar/libp11/0.4.12/lib/engines-3/pkcs11.dylib /opt/homebrew/Cellar/openssl@3/3.2.1/lib/engines-3/
```

### Environment Variables

These must be set for all openssl operations.

Linux:

- `PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"`

macOS:

- `PKCS11_MODULE_PATH="/opt/homebrew/lib/libykcs11.dylib"`

### Setting up a new yubikey

The signing key on a yubikey is stored in slot 9a. On a new yubikey this slot is empty.

To generate a new key, run the following command:
`yubico-piv-tool -a generate -s 9a -A ECCP384`

### Generating the Root

```sh
# Creating directory structure
mkdir {certs,crl,csr,newcerts,conf}
# Creating required files
touch database.txt
echo 1000 > serial
echo 1000 > crlnumber
# OpenSSL CA config file
vim config/ca.conf
# Generating the root
openssl req -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem
```

### Issuing Intermediaries

```sh
# Sign the Intermediary
openssl ca -config config/ca.conf -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication" -extensions v3_intermediate_ca -days 1095 -notext -md sha256 -in csr/foobar.int.csr -out certs/foobar.int.cert.pem
# Add the CA to create a chain
echo certs/root.ca.cert.pem >> certs/foobar.int.cert.pem
```

### Certificate Revocation List

Distribution point configured in under `server_cert` > `crlDistributionPoints`

This must be reissued every 180 days

```sh
# Revoke the certificate
openssl ca -config config/ca.conf -revoke certs/foobar.int.cert.pem
# Create the CRL file
openssl ca -config config/ca.conf -gencrl -out crl/ca.crl.pem -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication"
```
Initial Commit 2023-11-20 02:35:36 +01:00			`# Runelab CA`

			`A certificate authority for the HomeLab.`

			`The setup was mostly done by following these two guides:`
readme formatting 2024-02-12 21:08:18 +01:00
			`- [Jamie Nguyen's OpenSSL CA guide](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html)`
			`- [Mour's](https://github.com/mylamour) [blog post Jamie's guide using an HSM](https://github.com/mylamour/blog/issues/80)`
Initial Commit 2023-11-20 02:35:36 +01:00
			`## Notes of precaution`

readme formatting 2024-02-12 21:08:18 +01:00			`- The root key is a yubikey kept in a physical vault at a bank in Switzerland.`
Initial Commit 2023-11-20 02:35:36 +01:00
			`## Setup`

			`### Required Software`

readme formatting 2024-02-12 21:08:18 +01:00			`- OpenSSL`
			`- libp11`
			`- [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/)`
			`- [AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)`
Document how to sign on macOS 2024-02-12 21:01:22 +01:00
			`macOS note: openssl installed via homebrew does not pickup on libp11, you need to manually copy the pkcs11 library (update the versions):`
readme formatting 2024-02-12 21:08:18 +01:00
			```sh
			`cp /opt/homebrew/Cellar/libp11/0.4.12/lib/engines-3/pkcs11.dylib /opt/homebrew/Cellar/openssl@3/3.2.1/lib/engines-3/`
			```
Document how to sign on macOS 2024-02-12 21:01:22 +01:00
			`### Environment Variables`

			`These must be set for all openssl operations.`

			`Linux:`

			- `PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"`

			`macOS:`

			- `PKCS11_MODULE_PATH="/opt/homebrew/lib/libykcs11.dylib"`
Initial Commit 2023-11-20 02:35:36 +01:00
Document how to generate a key on a new yubikey 2024-02-12 21:02:44 +01:00			`### Setting up a new yubikey`

			`The signing key on a yubikey is stored in slot 9a. On a new yubikey this slot is empty.`

			`To generate a new key, run the following command:`
			`yubico-piv-tool -a generate -s 9a -A ECCP384`

Initial Commit 2023-11-20 02:35:36 +01:00			`### Generating the Root`

			```sh
			`# Creating directory structure`
			`mkdir {certs,crl,csr,newcerts,conf}`
			`# Creating required files`
			`touch database.txt`
			`echo 1000 > serial`
			`echo 1000 > crlnumber`
			`# OpenSSL CA config file`
			`vim config/ca.conf`
			`# Generating the root`
			`openssl req -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem`
			```

			`### Issuing Intermediaries`

			```sh
			`# Sign the Intermediary`
			`openssl ca -config config/ca.conf -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication" -extensions v3_intermediate_ca -days 1095 -notext -md sha256 -in csr/foobar.int.csr -out certs/foobar.int.cert.pem`
			`# Add the CA to create a chain`
			`echo certs/root.ca.cert.pem >> certs/foobar.int.cert.pem`
			```

			`### Certificate Revocation List`

			Distribution point configured in under `server_cert` > `crlDistributionPoints`

			`This must be reissued every 180 days`

			```sh
			`# Revoke the certificate`
			`openssl ca -config config/ca.conf -revoke certs/foobar.int.cert.pem`
			`# Create the CRL file`
			`openssl ca -config config/ca.conf -gencrl -out crl/ca.crl.pem -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication"`
			```