First things first, let’s make sure cert renewals are automated

I'd keep in mind that one specific Yubikey will become a Single Point of Failure. I could talk for a long time how consuming can customers' client certificate replacement be, plus redoing whole PKI from scratch.

yup that's correct

I was wondering this also

Glad it helped!

@@apalrdsadventures would this certificate process work well for jellyfin and jellyfin android and/or google tv clients? Thank you!

Thanks!

I haven't used step-cli for server certificates, just client ones, and I'm still working on a good process for dealing with those.

@@apalrdsadventures I'm using step-cli for systems where I don't want to configure and run caddy, so I can run prometheus exporters with a valid certificate (and mTLS at some point). I wrote an ansible playbook to bootstrap all of this but it's a bit hacky. Looking forward to see your experiments in this as well!

I did try other ACME clients with it as well (such as Proxmox's native ACME support), but Caddy was the easiest example. I currently have mTLS running with a cert on my laptop and workstation, but I'm still not happy with the deployment and renewal process yet for end users. It's great when it works though! No more logins (if the backend software supports it)

SSH keys are a bit of a different beast (since they aren't x.509 based), but they are still using the same underlying crypto (RSA + AES or ChaCha20) and still support certificate authorities and chains of trust. It's on my todo list, but the implementation is quite a bit different than TLS certificates.

It doesn't really matter either way. I was working with OpenSSL so I stuck with the OpenSSL cert generation workflow.

ed25519 is easier computationally than RSA, but the security level is roughly the same. It's widely preferred because it reduces the workload on web servers who need to sign TLS connections all the time. For root certs, we are signing things basically never, so compatibility is more important. For intermediates, we could go either way. In very niche applications, ed25519 was never accepted (i.e. NIST FIPS requirements for government work), so generally RSA is seen as more compatible. In theory there is also stuff that only supports RSA, but in reality that stuff probably doesn't support TLS >= 1.2 so you don't want to be using it anyway. As to generating the intermediate on the yubikey, yes, you can do that. You should still use an offline root though, with a shorter life on the yubikey, so you can replace the yubikey and sign a new intermediate in the future.

That should be fine. Just write the intermediate to the Yubikey, the root isn't needed there.

I'm not aware of any web browsers that support DANE in 2024, so it's kinda irrelevant now. If you use a Mobile Device Management (MDM) system such as Intune it can provision the root cert to devices for you. Otherwise you have to do it manually.

@@apalrdsadventures Thanks. Was looking for an alternative to just Intune (Am not a fan of Microsofts stuff). And who has money for an E5 or F5 license for a home lab?

There are other MDMs, but they all cost $.

I don't use Docker so that adaption is on you.

Most ACME clients default to either Let's Encrypt or require you add the ACME server. So you'll need to set your ACME directory in the config of the ACME client.

Yes, you still need to import the root cert on clients. However, you only need to do this once, not trust each service separately.

There are a ton of options for how to better secure the CA, but in general key rotation is the most effective. This is why it issues 24 hour certs over ACME, to minimize the fallout if a private key is compromised. -On a system with TPM2 you can secure boot your way to a validated kernel and initrd (either distro signed, or a specific image if you want, which means software updates will cause secure boot to fail), and from there you can mount the root partition (potentially encrypted via TPM also) to store the CA database (by default in Smallstep it's a BadgerDB key-value store). None of this protects your CA directly since the system is still decrypted while running (other than the Yubikey), but rebooting regularly at least means the kernel and initrd get re-validated. -If you keep an entirely airgapped machine with the root private key, you could re-issue Yubikeys regularly and physically change them out on the intermediate CAs. If you do this monthly, at worst the attacker can issue new certs valid for roughly a month. This would involve physically swapping out the yubikey monthly if you want to keep the root machine airgapped, or only booting it up every month to remotely sign the new intermediate keys. -Client certs (especially hardware-bound client certs) would really prefer a longer lifecycle than server certs since clients can be off-network for some period of time, so this is a consideration when you think of rekeying intervals, especially if clients need a still-valid client cert to renew.

With only one Yubikey in my setup, the goal is to keep the root totally offline (it has an extremely long validity) and periodically bring it out of offline storage to re-sign the Yubikey. This works well at this scale. Of course, the root could still be a Yubikey itself that I just plug in every time I need to re-key. The Yubikey itself is adequate to store a small number of certs/keys in hw and do some operations on them. The YubiHSM can store a lot more keys in hw, provide multiple access with different permissions to each key, supports Microsoft AD CA directly, and has built-in audit logging. So it depends on your needs.

So theoretically, having four yubikeys, one could create their root on one, sign three intermediates (or more if needed of course), and then use as needed? I believe the only caveat I found with using a YubiKey as the root storage is the size limitations. It won't go to 4096 RSA. That might be the main blocker for some wanting that route I guess. IIRC, YubiHSM has the same size restrictions, just more slots and control as you mentioned? I honestly may just look to getting some encrypted drives to store the private key, do all the offline isolated magic as you have, and have flexibility to move the key as I see fit. Good example could be flaws found in YubiKeys and replacements offered. Sure, you have the latest firmware, but zero way to truly upgrade to the patched one. Only replace. Thanks!

@apalrdsadventures please look into your autofocus settings

I have a tutorial on basic Proxmox networking (vlans, bridges, and bonds) and I’m working on new episodes with backend and SDN networking.

@@apalrdsadventures i saw that and that really helped me understanding those concepts. I was only using vlans prior to that. But what i am not able to understand is how to fit those concepts for my use case. Can you help me?

The downside to this is you can export the private key from a flash drive, so the extracted key file could be compromised. The Yubikey can't export the private key, only sign in hardware using the key. Smallstep also supports PKCS#11 HSMs including the TPM2 standard, which could be a good option on modern systems. But the Yubikey 5 is the cheapest HSM which Smallstep supports as far as I know.

@@apalrdsadventures If the private key was encrypted with a password generated from a checksum generated from another flash drive serving as the password for that encrypted key, would it still be a bad idea?

Ultimately the key needs to be decrypted to be used, so the information necessary to decrypt it is available to an attacker on the system. Would they figure it out? Maybe, maybe not.

@@apalrdsadventures If, in my example, I lose the second flash drive and do not write down its checksum for myself in a safe place (I would use SHA512) then I will not get to the private key. The attacker would have to figure out that the password is the checksum of the second flash drive.

The attacker would probably start by reading the Smallstep config file and finding where the private key is supposed to be stored, then looking for a key file in that location (presumably decrypted on boot into a RAM disk so Smallstep can use it). Ultimately, Smallstep needs to sign things and by reading the config file you can work backward to find the key / the script that loads the key on-demand.

Working on a good way to deploy client TLS certs, then I'll work on SSH certs with the CA

@@apalrdsadventures Personality doing the key distribute with cfengine - ce. Bit of a B to learn but now I love it!

Google pins their certificates and Chrome won't accept imposter certs for Google domains.

@@killer2600 I was using Google as a standin for any important website.

It looks like they don't have an option to do that easily in their gui

@@apalrdsadventures then I will try in the main config, this looks interesting.

The official guide from step-ca is on a pi. I just followed it and compiled without a problem.

Should be the same (in this scenario yubikey is treated as Smart card anyway)

There are a lot of uses for certs other than TLS server certs - for example I use this setup for TLS *client* certs, but it's also commonly used with VPN or WiFi certs for example.

21:45 might be a better idea to have the CA HTTPS SSL cert issues by Let's Encrypt or other trusted CA. To make sure what you are downloading is more likely to be correct.

Thanks! Fixed it! The command was correct, just the comment was off.

Yeah ! Great to hear you are going to do mutual-TLS ! Great stuff ! Some other tips: set up OCSP and/or CRL as well. Short lived keys is already a good start, but my guess is this won't be practical for the clients...?

The hard thing with CRLs/OCSP is most clients don't actually use them. But for mtls, I can at least force Caddy to query it (I think, I haven't tried). Currently for testing I issued 2 month certs for my test clients, but I'm not a huge fan of that. My *hope* was to use hardware-bound keys on clients to avoid the need for short-lived keys, but testing with Yubikeys it's a bit of a pain (Firefox makes you retype the PIN every few minutes) and Apple doesn't allow their hardware-bound keys to be used aside from with mobile device management apps. So now I need a new plan. For 'on-network' clients a few days cert and automation to renew would probably be fine, but more transient devices might still not be on once a week.

@@apalrdsadventures what I've done for now, I used it only for checking the status of the client-certificates for authenticating to the servers. So when I need to revoke a client-certificate (not often): I add the revoked client to the CRL-file signed by the CA and update the CRL on each server by hand. Not pretty, but at least it doesn't depend on an OCSP server being online, etc.

The root cert is stored offline after it's created, so only the intermediate cert is on the CA system at all. So now we have a shorter lifetime (1yr intermediate vs basically infinite) to begin with, which limits the length of an attack. You can reduce this time down further if you are willing to re-key the yubikey more often. Next, the Yubikey can't export it's private key, so while someone could sign their own certs using the Yubikey, they can't steal the private key itself, so they are limited in how fast they can sign new certs. If they are going through step-ca, it will only issue certs with a ~48hr validity, so that's the limit of what an attacker could get. If they manage to hijack the system entirely, then they could issue certs up to the validity of the intermediate cert on the Yubikey. All of this makes the PKI more secure than keeping the root cert on a server somewhere.

@@apalrdsadventures Thanks for responding. I agree with the benefits you mention but not sure I agree that they are valuable in a homelab. But I can imagine some scenarios that would benefit depending on what threats one is worried about.

Yes, but why? A given service can only use certs issued by one authority. Clients can trust any number of authorities. It’s also possible to issue 2 intermediates from the same root if you want multiple locations or redundancy.

@@apalrdsadventures not required, but one of the self-given challenges for my homelab is building unnecessary redundancies where possible

You can use the single offline root key to generate multiple intermediates for redundancy (on multiple yubikeys / ...), and then host multiple CAs using an intermediate key for each. All of them are signed by the root, so there's one hierarchy, but you can issue leaf certs from any intermediate.

​@@apalrdsadventuresit's possible to have 2 roots, you send the csr to be signed by different authorities, ones that's done the cert is trusted by both due to them having the same public key. This is how let's encrypt recent rolled over to a new root without needing to resign certs

Let's Encrypt signed their intermediate cert with two roots, ACME clients aren't really designed to issue from two CAs at once. You could do the same and sign the intermediate cert from two roots, but if you are looking for redundancy it would make more sense to replicate at the intermediate level (however you choose to do that)