PKI with step-ca
I followed the excellent tutorial
https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/
The shell history below is reproduced as recorded (history numbers included, and the numbering restarts where a different user's history begins), so repeated, corrected or mistyped commands appear exactly as they were run.
- installed ubuntu-22.04.4-preinstalled-server-arm64+raspi.img
- apt-get update; apt-get dist-upgrade
Yubikey
- apt install -y yubikey-manager
Go
root@ca:~# tar -C /usr/local -xzf go1.23.0.linux-arm64.tar.gz
root@ca:~# echo "export PATH=\$PATH:/usr/local/go/bin" >> .profile
root@ca:~# source .profile
root@ca:~# go version
go version go1.23.0 linux/arm64
---++ BUILD AND INSTALL STEP-CA AND STEP
1 vim CHANGES
2 ip ad
3 cd
4 apt-get update
5 uname -a
6 apt-get dist-upgrade
7 ntpq -p
8 date
9 vim /boot/firmware/network-config
10 reboot
11 uname -a
12 uname -a >> CHANGES
13 vim CHANGES
14 vim /etc/systemd/timesyncd.conf
15 timedatectl show-timesync --all
16 vim /etc/systemd/timesyncd.conf
17 systemctl restart systemd-timesyncd
18 timedatectl show-timesync --all
19 timedatectl status
20 apt install -y yubikey-manager
21 curl -OL https://go.dev/dl/go1.23.0.linux-arm64.tar.gz
22 tar -C /usr/local -xzf go1.23.0.linux-arm64.tar.gz
23 echo "export PATH=\$PATH:/usr/local/go/bin" >> .profile
24 source .profile
25 go version
26 curl -OL https://github.com/smallstep/certificates/releases/download/v0.27.2/step-ca_0.27.2.tar.gz
27 mkdir step-ca
28 ls
29 tar -xvzf step-ca_0.27.2.tar.gz -C step-ca
30 cd step-ca/
31 ls
32 apt-get install -y libpcsclite-dev gcc make pkg-config
33 make bootstrap
34 make build GOFLAGS=""
35 cp bin/step-ca /usr/local/bin
36 setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/step-ca
37 step-ca version
38 cd
39 sha256sum step-ca_0.27.2.tar.gz
40 history
41 curl -OL https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.27.2/step_linux_0.27.2_arm64.tar.gz
42 sha256sum step_linux_0.27.2_arm64.tar.gz
43 tar xvzf step_linux_0.27.2_arm64.tar.gz
44 cp step_0.23.2/bin/step /usr/local/bin
45 cp step_0.27.2/bin/step /usr/local/bin
46 step version
47 ykman info
48 fdisk -l
49 fdisk /dev/sda
50 mkfs.ext4 /dev/sda1 -v
51 mount /dev/sda1 /mnt
52 cd /mnt
53 mkdir ca
54 ll
55 chown ubuntu:ubuntu ca
8 sudo chown pitz:pitz ca
9 ll
10 export STEPPATH=/mnt/ca
11 step ca init --pki --name="s2p" --deployment-type standalone
12 sudo systemctl enable pcscd
13 sudo systemctl start pcscd
14 ykman piv certificates import 9a /mnt/ca/certs/root_ca.crt
15 ykman piv keys import 9a /mnt/ca/secrets/root_ca_key
16 ykman piv certificates import 9c /mnt/ca/certs/intermediate_ca.crt
17 ykman piv keys import 9c /mnt/ca/secrets/intermediate_ca_key
18 ykman piv info
19 sudo cp /mnt/ca/certs/intermediate_ca.crt /mnt/ca/certs/root_ca.crt /root
20 cd
21 sudo umount /mnt
27 sudo useradd step
28 sudo passwd -l step
29 sudo mkdir /etc/step-ca
30 export STEPPATH=/etc/step-ca
31 sudo --preserve-env step ca init --name="s2p CA" --dns="ca.in.s2p.de,192.168.111.9" --address=":443" --provisioner="ca@s2p.de" --deployment-type standalone --remote-management
32 sudo mv /root/root_ca.crt /root/intermediate_ca.crt /etc/step-ca/certs
33 sudo rm -rf /etc/step-ca/secrets
34 ykman piv change-pin
35 ykman piv access change-pin
36 ykman piv change-puk
37 ykman piv access change-puk
38 ykman piv change-management-key
39 ykman piv access change-management-key
40 ykman piv access change-management-key -h
41 ykman piv access change-management-key
42 sudo vim /etc/step-ca/config/ca.json
43 sudo chown -R step:step /etc/step-ca
44 sudo -u step step-ca /etc/step-ca/config/ca.json
45 sudo tee /etc/udev/rules.d/75-yubikey.rules > /dev/null << EOF
46 ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/120/*", TAG+="systemd", SYMLINK+="yubikey"
47 ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="1050/120/*", TAG+="systemd"
48 EOF
49 cat /etc/udev/rules.d/75-yubikey.rules
50 sudo udevadm control --reload-rules
51 sudo tee /etc/systemd/system/step-ca.service > /dev/null << EOF
52 [Unit]
53 Description=step-ca
54 BindsTo=dev-yubikey.device
55 After=dev-yubikey.device
56 [Service]
57 User=step
58 Group=step
59 ExecStart=/bin/sh -c '/usr/local/bin/step-ca /etc/step-ca/config/ca.json'
60 Type=simple
61 Restart=on-failure
62 RestartSec=10
63 [Install]
64 WantedBy=multi-user.target
65 EOF
66 sudo mkdir /etc/systemd/system/dev-yubikey.device.wants
67 sudo ln -s /etc/systemd/system/step-ca.service /etc/systemd/system/dev-yubikey.device.wants/
68 sudo systemctl daemon-reload
69 sudo systemctl enable step-ca
70 sudo systemctl status step-ca
71 sudo systemctl daemon-reload
72 sudo systemctl enable step-ca
73 sudo systemctl status step-ca
74 sudo reboot
75 sudo vim /etc/hosts
76 ping ca.in.s2p.de
77 step ca bootstrap --ca-url "https://ca.in.s2p.de" --fingerprint e7kdjljfskljfklakldjfskljlasjs;ljlcb
78 step ca certificate "localhost" localhost.crt localhost.key
79 step certificate inspect localhost.crt --short
80 step ca provisioner add acme --type acme --admin-name step
81 history
1031 step ca certificate m900.fritz.box m900.fritz.box.crt m900.fritz.box.key --not-after=8760h --kty=RSA
1036 vim step.password.txt
1037 step ca certificate m900.fritz.box m900.fritz.box.crt m900.fritz.box.key --not-after=8760h --kty=RSA --password-file=./step.password.txt
1038 step ca certificate m900.fritz.box m900.fritz.box.crt m900.fritz.box.key --not-after=8760h --kty=RSA --password-file=./step.password.txt
1040 step ca sign 060711000680_https.req.txt m900.fritz.box.crt
1041 step ca sign 060711000680_https.req.txt m900.fritz.box.crt --not-after=8760h