FR: SmallStep CA server integration
I would like to know how much of the Certificate authentication can be performed by other CA/ACME servers? I would like to use those as they have automated certificate renewal and API control. If it can be integrated with SmallStep's implementation Certificate manager it would be ideal.
step-ca the CA management server can be found at smallstep/certificates, with the step CLI interface at smallstep/cli.
Something like this, or documentation for auto-renewal would really be great -- particularly for situations where it's more of a "home network".
e.g. I don't have my NAS, desktop, laptop, or my phone "managed" by something that I could easily tie in auto renew for. I'm not actually sure what would satisfy those requirements that could be used external to nebula -- particularly in the case of my phone.
It is worth mentioning that most work is on the CA server to implement it. There is also an issue open on the step-ca side: smallstep/certificates#489
I'm currently working on a management system for nebula which will manage certificate signing and providing / updating config files for nodes. I can update this thread when it's in a usable state. I looked at step-ca but with step being focused on x509 it would need a lot of changes. Another thing is step doesn't have built in config management (as far as I can tell).
For config management, I guess you mean some sort of API. That for sure will be something coming up, probably once multi step-ca config for step cli is figured out. They also support SSH certificates, so I guess you could slot in arbitrary certificates once the standard is figured.
By config I mean managing the nebula node config.yml, so using the api (or a frontend which interacts with the api) it would be possible to modify firewall rules and groups etc for different nodes in the network, which the nodes could then pull from the management server. Not sure if this is what you mean with step?
Hmm not what I was thinking for step. For the step part it should be as simple as possible. Just the identities required to sign the certificates. For the rest, a separate interface like the one you're introducing would be awesome. One thing to confirm, does the CA sign stuff like the dns and so on or does that live purely on the client/lighthouse?
Yes I agree that step seems to be CA focused and config stuff would sit better in a separate tool. Not sure about the dns stuff I'm afraid, I've still got lots to learn about nebula!
@b177y any public repo to watch progress?
I made the tools as part of coursework which I've just finished, but they're not production ready and are more suited to smaller setups than large organisations with thousands of hosts. I'm planning to open source it anyway but I need to write up an overview and installation instructions first.
Here is a demo of the tools: https://www.youtube.com/watch?v=glIgz1huZPI
Looking back at the step CA idea I think this would be better for large production setups than a custom solution for nebula. An alternative to forking Step CA to add nebula certificate support that I've come across is to use ed25519 keys with SSH Certificates for nebula instead of the current custom certificate format nebula uses. Although the nebula nodes use X25519 keys rather than ed25519, these can be converted (see https://blog.filippo.io/using-ed25519-keys-for-encryption/) when nebula starts. This means that the step ssh ca could be used to get certificates that nebula could use.
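The key conversion mentioned above, worked through as an added example (not code from this thread, step-ca or nebula): a node keeps an Ed25519 identity that a step SSH CA can certify and derives its X25519 tunnel key from it at startup, in the direction the linked post describes (Ed25519 to X25519). Written in Go, since both projects are Go; it assumes the standard library's crypto/ecdh (Go 1.20+), and the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/sha512"
	"errors"
	"math/big"
)

var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19)) // 2^255 - 19
// rev reverses in place: the curves encode little-endian, math/big is big-endian.
func rev(b []byte) []byte {
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return b
}

// Ed25519PubToX25519 maps the Edwards y-coordinate of an Ed25519 public key to
// the Montgomery u-coordinate, u = (1 + y) / (1 - y) mod p (RFC 7748, section 4.1).
func Ed25519PubToX25519(pub ed25519.PublicKey) ([]byte, error) {
	yb := rev(append([]byte(nil), pub...))
	yb[0] &= 127 // drop the x sign bit stored in the top bit of y
	y := new(big.Int).SetBytes(yb)
	den := new(big.Int).Mod(new(big.Int).Sub(big.NewInt(1), y), p)
	if den.Sign() == 0 {
		return nil, errors.New("point has no finite u-coordinate")
	}
	u := new(big.Int).Mul(new(big.Int).Add(big.NewInt(1), y), den.ModInverse(den, p))
	return rev(u.Mod(u, p).FillBytes(make([]byte, 32))), nil
}

// X25519FromEd25519 derives the X25519 private key (SHA-512(seed)[:32], clamped as in
// RFC 8032) and refuses it unless Go's public key for that scalar equals the mapped point.
func X25519FromEd25519(priv ed25519.PrivateKey) (*ecdh.PrivateKey, error) {
	h := sha512.Sum512(priv.Seed())
	s := h[:32]
	s[0], s[31] = s[0]&248, (s[31]&127)|64
	xpriv, err := ecdh.X25519().NewPrivateKey(s)
	if err != nil {
		return nil, err
	}
	xpub, err := Ed25519PubToX25519(priv.Public().(ed25519.PublicKey))
	if err != nil || !bytes.Equal(xpriv.PublicKey().Bytes(), xpub) {
		return nil, errors.New("derived X25519 public key does not match the Ed25519 identity")
	}
	return xpriv, nil
}
```

The check in X25519FromEd25519 matters because the CA only ever sees the Ed25519 key; if the two derivations disagree, the node would be presenting a tunnel key that its certificate does not cover.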
I have finally got round to cleaning up the repo and making it public - it can be found at https://github.com/b177y/starship. It isn't production ready but I thought it's worth making public anyway.
Hi, I'm closing this out as we think this is probably work to be done in a SmallStep repo, not the Nebula repo, and we don't have any work planned here. We can reopen this ticket in the future if necessary.