Giter VIP home page Giter VIP logo

yubikey-openssl-ca's Introduction

Overview

This repo documents how to use a Yubikey as a root CA with domain constraints to limit issuing certs. Using environment variables is not recommended. It is only done here for demonstration purposes.

Package Requirements

yubico-piv-tool

Needed for the libykcs11.so.2 library

ykman

Needed to manage the pin, puk, and management key

gen_permitted.py

This script takes a list of domains and generate the name constraint list for you.

Example

$ python3 gen_permitted.py example.org example.com

permitted;DNS.0=example.org
permitted;DNS.1=example.com

permitted;URI.0=example.org
permitted;URI.1=.example.org
permitted;URI.2=example.com
permitted;URI.3=.example.com

permitted;email.0=example.org
permitted;email.1=.example.org
permitted;email.2=example.com
permitted;email.3=.example.com

Directory Setup

mkdir certs crl csr db public private
chmod 700 private
touch db/index
openssl rand -hex 16  > db/serial
echo 1001 > db/crlnumber

Yubikey

Demo environment variables

For demo purposes we have the Yubikey Pin stored in a file called yk-vars and use the default pins

YK_MANAGEMENT=[GENERATED MANAGEMENT KEY]
YK_PIN=123456
YK_PUK=12345678
SSL_O="Demo"
SSL_C="US"

Set PIN and PUK Retries (Optional)

This will reset the pin to default ykman piv access set-retries 10 5

Generate Management Key and Require Touch

ykman piv access change-management-key -a AES256 -g -t

Set PIN

ykman piv access change-pin -P 123456

Set PUK

ykman piv access change-puk -p 12345678

Enable all keys for PKCS11

(Yubico's docs are not correct for object import since it doesn't convert the hex string to binary) echo -n C10114C20100FE00 | xxd -r -p > /tmp/yk_all_objects ykman piv objects import 0x5FC10C /tmp/yk_all_objects

One liner with environment variables

echo -n C10114C20100FE00 | xxd -r -p | ykman piv objects import 0x5FC10C - -P $YK_PIN -m $YK_MANAGEMENT

Generate key and write public key to public/root.pem

ykman piv keys generate -a ECCP384 -F pem --pin-policy ALWAYS --touch-policy ALWAYS 9c -m $YK_MANAGEMENT -P $YK_PIN public/root.pem

Root certificate

CA Setup

Notes

You may need to change the line MODULE_PATH in the pkcs11_section of root.cnf depending on your OS

CSR

openssl req -new -config root.cnf -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for Digital Signature;type=private" -out csr/root.csr

Self Sign

openssl ca -selfsign -config root.cnf -in csr/root.csr -out certs/root.crt -extensions ca_ext -keyform engine -engine pkcs11

Import x509 to Yubikey

ykman piv certificates import -m $YK_MANAGEMENT -P $YK_PIN 9c certs/root.crt

CRL

Generate CRL

openssl ca -config root.cnf -keyform engine -engine pkcs11 -gencrl -out crl/root.crl -cert certs/root.crt

OCSP Cert

Generate EC Params

openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -out ECPARAM.pem

Generate EC Key and CSR

openssl req -new -config root.cnf -newkey ec:ECPARAM.pem -subj "/C=$SSL_C/O=$SSL_O/CN=OCSP Root Responder" -keyout private/root-ocsp.key -out root-ocsp.csr

Create OCSP Cert

Optional and this cert can not be revoked. openssl ca -config root.cnf -keyform engine -engine pkcs11 -in root-ocsp.csr -out root-ocsp.crt -extensions ocsp_ext -days 365

Notes

p11-tool

Using p11-tool requires telling it to use the libykcs11.so.2 library. alias p11tool-yk="p11tool --provider /usr/lib64/libykcs11.so.2"

References

Openssl Cookbook: Creating a Root CA
Smallstep: Build a Tiny Certificate Authority For Your Homelab
Yubico: Certificate Authority with a YubiKey

Allowing Retired Management keys

Retired PIV Slots Unavailable When Accessing via PKCS11

http://cedric.dufour.name

Yubikey PIV Info
General PKCS11 Info

yubikey-openssl-ca's People

Contributors

scj643 avatar

Stargazers

Jason Todd avatar A1ca7raz avatar avatar Royce Williams avatar Sofía Aritz avatar Ricky avatar avatar spiri-leo avatar Jim avatar Greg Broiles avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.