From aa7e6e087c34b77b1445e0a660b623f4928075cb Mon Sep 17 00:00:00 2001
From: Daan Boerlage
Date: Mon, 20 Nov 2023 02:35:36 +0100
Subject: [PATCH] Initial Commit
---
 certs/.keep | 0
 certs/root.ca.cert.pem | 21 +++++++
 config/ca.conf | 122 +++++++++++++++++++++++++++++++++++++++++
 crl/.keep | 0
 crlnumber | 1 +
 csr/.keep | 0
 database.txt | 0
 newcerts/.keep | 0
 readme.md | 61 +++++++++++++++++++++
 serial | 1 +
 10 files changed, 206 insertions(+)
 create mode 100644 certs/.keep
 create mode 100644 certs/root.ca.cert.pem
 create mode 100644 config/ca.conf
 create mode 100644 crl/.keep
 create mode 100644 crlnumber
 create mode 100644 csr/.keep
 create mode 100644 database.txt
 create mode 100644 newcerts/.keep
 create mode 100644 readme.md
 create mode 100644 serial
diff --git a/certs/.keep b/certs/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/certs/root.ca.cert.pem b/certs/root.ca.cert.pem
new file mode 100644
index 0000000..54f4158
--- /dev/null
+++ b/certs/root.ca.cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgIUKNonBgSpTWBSoSiSNMGjwwpUaRwwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBlp1cmljaDEQMA4GA1UECgwHUnVu
+ZUxhYjEYMBYGA1UEAwwPUnVuZUxhYiBDQSBSb290MB4XDTIzMTEyMDAxMzUwN1oX
+DTQ1MTAxNTAxMzUwN1owSjELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBlp1cmljaDEQ
+MA4GA1UECgwHUnVuZUxhYjEYMBYGA1UEAwwPUnVuZUxhYiBDQSBSb290MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztReqJFyiO07aaRMB/P3jGG9ixMR
+cyuz0nZvu1X1/o+J1dfy4Gev0lDXJ4PyV2FN4W6OKTnA+UV5/YiujvZuGZ+CEUSj
+5wwRckMP1HdK63RCxGfiolD5DYD8ERrEiEYwnLOtATcKJGlI7yBAWUKA6z6SB1pN
+NoiqpmWx+dNtHGpMCpCZpRY39CvO+3O5Lr6X5/1fVSE7KifrBRkNuvZPlZT7NkLx
+lKGiJ1+RKUFi0633sEcScgd6YHxHaO4LHKut7L5xKp39ADx6TslR1AotJYubA4U9
+QgORvbM6P0B+2mU0xz58l9euJpiyMWAMrKNVLrmig9XWuHjBO0wUv0gdUwIDAQAB
+o1MwUTAdBgNVHQ4EFgQU3EwOcWG3OKp4T1iFJ2YLcdYm7dswHwYDVR0jBBgwFoAU
+3EwOcWG3OKp4T1iFJ2YLcdYm7dswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAuH1pDLfLQw+jfcTMWjg7DFjiaeQE4dHPtKxMHr/jYyeHRCg0dKTW
+Q5eJpGfFe0TWSwV5hOLQ8AHO9ocD0S0YzWuzfwvjDPVVsXf+LHvQuCakV7d4NLne
+Jk3BYaj+Yx0NuNA+EPs8K0c5hM61a97GxyixxYeWEBBfCsYsHnIw2cTLSTdge/oL
+k+hWde19v7ZA5U5g1Q5b/0lrMiwrDWn6xVydsJtcmqia1b3x5I/ZothM3BIhA3G9
+ghN2wH6BhyExedUaFN9dPewky7LjPgQj0gcrPJEO4GFAS+EZaCBmv2NKyJfuPp5W
+syG9PzEVsyT4d77UX1n8PRfgBTTe0hnBJw==
+-----END CERTIFICATE-----
diff --git a/config/ca.conf b/config/ca.conf
new file mode 100644
index 0000000..f0f0a4d
--- /dev/null
+++ b/config/ca.conf
@@ -0,0 +1,122 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = /home/daan/dev/homelab/ca
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/database.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+#private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/root.ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 180
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+#nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+#nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+crlDistributionPoints = URI:https://ca.boerlage.me/ca.crl.pem
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/crl/.keep b/crl/.keep
new file mode 100644
index 0000000..e69de29
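Review bot: `[ policy_strict ]` is commented as making the root sign only intermediate certificates "that match", but every attribute under it is `optional` (only `commonName = supplied`), so with `policy = policy_strict` in `CA_default` the root will sign a CSR carrying any country, state or organization; either reword the comment or pin the subject to the root's with `countryName = match`, `stateOrProvinceName = match`, `organizationName = match`. Relatedly, `crlDistributionPoints` appears only under `server_cert`, so intermediates issued with `-extensions v3_intermediate_ca` carry no pointer to the CRL this config generates (`crl/ca.crl.pem`); if that CRL is what is served at the configured URI, the same `crlDistributionPoints` line belongs in `v3_intermediate_ca` as well. `RANDFILE = $dir/private/.rand` points into a `private` directory that the readme's `mkdir {certs,crl,csr,newcerts,conf}` does not create (it also creates `conf`, while this file lives in `config/`), so the paths should be reconciled. The `# See .` comment in `req_distinguished_name` has lost its reference and should either name the source or be removed, and `dir = /home/daan/dev/homelab/ca` is a machine-specific absolute path that will need to be identical on the air-gapped signing host.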
diff --git a/crlnumber b/crlnumber
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/crlnumber
@@ -0,0 +1 @@
+1000
diff --git a/csr/.keep b/csr/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/database.txt b/database.txt
new file mode 100644
index 0000000..e69de29
diff --git a/newcerts/.keep b/newcerts/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..1f52191
--- /dev/null
+++ b/readme.md
@@ -0,0 +1,61 @@
+# Runelab CA
+
+A certificate authority for the HomeLab.
+
+The setup was mostly done by following these two guides:
+* [Jamie Nguyen's OpenSSL CA guide](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html)
+* [Mour's](https://github.com/mylamour) [blog post Jamie's guide using an HSM](https://github.com/mylamour/blog/issues/80)
+
+## Notes of precaution
+
+* The root key is a yubikey kept in a physical vault at a bank in Switzerland.
+* All signings are done on an airgapped machine in a live-boot environment.
+* This repo is transferred on and off the signing machine with a regular usb drive.
+
+## Setup
+
+### Required Software
+
+* OpenSSL
+* [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/)
+ * [AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)
+
+### Generating the Root
+
+```sh
+# Creating directory structure
+mkdir {certs,crl,csr,newcerts,conf}
+# Creating required files
+touch database.txt
+echo 1000 > serial
+echo 1000 > crlnumber
+# OpenSSL CA config file
+vim config/ca.conf
+# Setting up PKCS11
+export PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"
+export MODULE_PATH="/usr/lib/libykcs11.so"
+# Generating the root
+openssl req -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem
+```
+
+### Issuing Intermediaries
+
+```sh
+# Sign the Intermediary
+openssl ca -config config/ca.conf -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication" -extensions v3_intermediate_ca -days 1095 -notext -md sha256 -in csr/foobar.int.csr -out certs/foobar.int.cert.pem
+# Add the CA to create a chain
+echo certs/root.ca.cert.pem >> certs/foobar.int.cert.pem
+```
+
+### Certificate Revocation List
+
+Distribution point configured in under `server_cert` > `crlDistributionPoints`
+
+This must be reissued every 180 days
+
+```sh
+# Revoke the certificate
+openssl ca -config config/ca.conf -revoke certs/foobar.int.cert.pem
+# Create the CRL file
+openssl ca -config config/ca.conf -gencrl -out crl/ca.crl.pem -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication"
+```
diff --git a/serial b/serial
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/serial
@@ -0,0 +1 @@
+1000