
StepCA plugin with Yubikey #4283

Open: wants to merge 1 commit into base: master

Conversation

@vpaprots commented Oct 8, 2024

StepCA is a Certificate Authority. It can issue certificates via ACME protocol. (The server-side of the ACME Client plugin)

This is quite ambitious 'first PR', but I wanted to know 'What Now?'. That is, I am at a point as described in https://forum.opnsense.org/index.php?topic=38819.msg190661#msg190661 and need to figure out how I will 'distribute' the plugin (and its port dependencies) to my 'production' router, so that it survives updates and reinstalls.

This is a personal project for my homelab. Is this something (the community? maintainers?) might be interested in? Does anyone even have the time to review something 'so big'? Alternatively, I believe there is a community repo.. or ultimately, I might have to push all the packages (and port dependencies) to github, just for my own build..

For a few years, I have been running StepCA on a Raspberry Pi (next to dnsmasq with dhcp) almost verbatim as described in this article: https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/. I am attempting to consolidate and simplify (my homelab).


This plugin also requires ports

What's missing. StepCA has a lot of features. This plugin (currently) only supports the ACME provisioner, and then only a subset. No attestation, no SSH certificates and no other provisioners. This is currently sufficient to issue x509 certificates with root and intermediate keys stored inside the YubiKey.

(I am not sure if I will get to it, but.. future improvements.. SSH certificates are great when working correctly link, TPM attestation looks like an interesting security model and StepCA+Radius+OpenWRT might be another project. Especially if I can reuse those certificates for VPN)

PS: If you are reviewing this code, thank you! This is my first plugin, first time on FreeBSD, and I haven't done much meaningful PHP development in more than a decade. I tried to follow the style as best as I could.

@Basanites

Looking into hosting smallstep myself, I came upon your PR. I would also love to see this feature added to opnsense!
Let's hope a maintainer finds time to review this (arguably gigantic) PR 😁

@vpaprots (Author) commented Dec 9, 2024

> Looking into hosting smallstep myself, I came upon your PR. I would also love to see this feature added to opnsense! Let's hope a maintainer finds time to review this (arguably gigantic) PR 😁

It should be possible to install the plugin (i.e. for testing) with a 'one liner pkg command'. I have it somewhere in my notes, but I haven't touched this in a while. With Christmas break, I might get back and add some of those notes here.. I never figured out how to run my own repo, but pkg can pick things up off github iirc.
