https://ca.boerlage.me/

Runelab CA

A certificate authority for the HomeLab.

The setup was mostly done by following these two guides:

Notes of precaution

  • The root key is a yubikey kept in a physical vault at a bank in Switzerland.
  • All signings are done on an airgapped machine in a live-boot environment.
  • This repo is transferred on and off the signing machine with a regular usb drive.

Setup

Required Software

macOS note: openssl installed via homebrew does not pick up libp11 on its own; copy the pkcs11 engine library into the OpenSSL engines directory by hand (adjust both version numbers to what is installed): cp /opt/homebrew/Cellar/libp11/0.4.12/lib/engines-3/pkcs11.dylib /opt/homebrew/Cellar/openssl@3/3.2.1/lib/engines-3/

Environment Variables

These must be set for all openssl operations.

Linux:

  • PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"

macOS:

  • PKCS11_MODULE_PATH="/opt/homebrew/lib/libykcs11.dylib"

Setting up a new yubikey

The signing key on a yubikey is stored in slot 9a (PIV Authentication). On a new yubikey this slot is empty. The ykcs11 module exposes the key in that slot under the label "Private key for PIV Authentication", which is why the openssl commands below use that pkcs11 URI.

To generate a new key, run the following command: yubico-piv-tool -a generate -s 9a -A ECCP384

The generate action authenticates with the PIV management key (the factory default on a new key unless it has been changed) and prints the new public key in PEM form. Keep that output: after the root certificate is created, its public key should be compared against it to make sure the certificate was really signed with the key in the vault.

Generating the Root

# Creating directory structure (the OpenSSL config lives in config/, matching the paths used below)
mkdir {certs,crl,csr,newcerts,config}
# Creating required files: an empty index, and starting serial and CRL numbers (hex)
touch database.txt
echo 1000 > serial
echo 1000 > crlnumber
# OpenSSL CA config file (must define the v3_ca and v3_intermediate_ca extension sections)
vim config/ca.conf
# Generating the root: self-signed, signed on the yubikey via the pkcs11 engine; the private key never leaves the device
openssl req -config config/ca.conf -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem

Issuing Intermediaries

# Inspect the CSR before signing it (subject, key type, requested extensions)
openssl req -in csr/foobar.int.csr -noout -text
# Sign the Intermediary
openssl ca -config config/ca.conf -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication" -extensions v3_intermediate_ca -days 1095 -notext -md sha256 -in csr/foobar.int.csr -out certs/foobar.int.cert.pem
# Add the CA to create a chain (append the file contents with cat, not its name with echo)
cat certs/root.ca.cert.pem >> certs/foobar.int.cert.pem
# Check that the issued certificate chains to the root
openssl verify -CAfile certs/root.ca.cert.pem certs/foobar.int.cert.pem

Certificate Revocation List

The CRL distribution point is configured in the CA config under server_cert > crlDistributionPoints.

The CRL is valid for 180 days and must be reissued before it expires: clients that check the CRL reject certificates once the CRL's nextUpdate has passed, so this is a recurring trip to the signing machine, not a one-off.

# Revoke the certificate (marks it R in database.txt; nothing is signed yet).
# openssl ca loads the CA private key even for -revoke, so if this fails because
# config/ca.conf does not point at a usable key, add the same -engine/-keyform/-keyfile options as below.
openssl ca -config config/ca.conf -revoke certs/foobar.int.cert.pem
# Create the CRL file (signed on the yubikey)
openssl ca -config config/ca.conf -gencrl -out crl/ca.crl.pem -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication"