2.1 KiB
2.1 KiB
Runelab CA
A certificate authority for the HomeLab.
The setup was mostly done by following these two guides:
Notes of precaution
- The root key is a yubikey kept in a physical vault at a bank in Switzerland.
- All signings are done on an airgapped machine in a live-boot environment.
- This repo is transferred on and off the signing machine with a regular usb drive.
Setup
Required Software
Generating the Root
# Creating directory structure
mkdir {certs,crl,csr,newcerts,conf}
# Creating required files
touch database.txt
echo 1000 > serial
echo 1000 > crlnumber
# OpenSSL CA config file
vim config/ca.conf
# Setting up PKCS11
export PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"
export MODULE_PATH="/usr/lib/libykcs11.so"
# Generating the root
openssl req -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem
Issuing Intermediaries
# Sign the Intermediary
openssl ca -config config/ca.conf -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication" -extensions v3_intermediate_ca -days 1095 -notext -md sha256 -in csr/foobar.int.csr -out certs/foobar.int.cert.pem
# Add the CA to create a chain
echo certs/root.ca.cert.pem >> certs/foobar.int.cert.pem
Certificate Revocation List
Distribution point configured in under server_cert > crlDistributionPoints
This must be reissued every 180 days
# Revoke the certificate
openssl ca -config config/ca.conf -revoke certs/foobar.int.cert.pem
# Create the CRL file
openssl ca -config config/ca.conf -gencrl -out crl/ca.crl.pem -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication"