
StepCA plugin with Yubikey

Open vpaprots opened this issue 1 year ago • 0 comments

StepCA is a Certificate Authority. It can issue certificates via the ACME protocol (the server side of the ACME Client plugin).

This is quite an ambitious 'first PR', but I wanted to know 'What now?'. That is, I am at the point described in https://forum.opnsense.org/index.php?topic=38819.msg190661#msg190661 and need to figure out how I will 'distribute' the plugin (and its port dependencies) to my 'production' router, so that it survives updates and reinstalls.

This is a personal project for my homelab. Is this something (the community? the maintainers?) might be interested in? Does anyone even have the time to review something 'so big'? Alternatively, I believe there is a community repo.. or ultimately, I might have to push all the packages (and port dependencies) to GitHub, just for my own build..

For a few years, I have been running StepCA on a Raspberry Pi (next to dnsmasq with DHCP) almost verbatim as described in this article: https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/. I am attempting to consolidate and simplify (my homelab).


This plugin also requires these ports:

  • security/step-certificates
  • security/step-kms (https://github.com/opnsense/plugins/compare/master...vpaprots:plugins:stepca?expand=1)
  • devel/pcsc-lite (pulls in quite a few other dependencies)

What's missing: StepCA has a lot of features. This plugin (currently) only supports the ACME provisioner, and then only a subset of it. No attestation, no SSH certificates and no other provisioners. This is currently sufficient to issue X.509 certificates with the root and intermediate keys stored inside the YubiKey.

(I am not sure if I will get to it, but.. future improvements: SSH certificates are great when working correctly (link), TPM attestation looks like an interesting security model, and StepCA + RADIUS + OpenWRT might be another project, especially if I can reuse those certificates for VPN.)

PS: If you are reviewing this code, thank you! This is my first plugin, my first time on FreeBSD, and I haven't done much meaningful PHP development in more than a decade. I tried to follow the style as best as I could.

vpaprots avatar Oct 08 '24 03:10 vpaprots
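For readers unfamiliar with what the post's "ACME provisioner with root and intermediate keys inside the YubiKey" looks like on the step-ca side, here is an illustrative `ca.json` fragment. This is an added example written for this page, not code from the plugin or from the issue author; the paths, hostname, PIN placeholder and the choice of PIV slot 9c for the intermediate key are assumptions (the slot layout follows the general shape of the Raspberry Pi article linked above, which keeps the root key on the token as well). The `kms` block of type `yubikey` and the `yubikey:slot-id=…` key URI are the step-ca mechanism for signing with a key that never leaves the token; only the root and intermediate certificates live on disk.

```json
{
  "root": "/usr/local/etc/step-ca/certs/root_ca.crt",
  "crt": "/usr/local/etc/step-ca/certs/intermediate_ca.crt",
  "key": "yubikey:slot-id=9c",
  "kms": {
    "type": "yubikey",
    "pin": "123456"
  },
  "address": ":443",
  "dnsNames": ["ca.homelab.example"],
  "db": {
    "type": "badgerv2",
    "dataSource": "/var/db/step-ca"
  },
  "authority": {
    "provisioners": [
      {
        "type": "ACME",
        "name": "acme"
      }
    ]
  },
  "tls": {
    "minVersion": 1.2,
    "maxVersion": 1.3
  }
}
```

Two practical notes for anyone building on this: the PIN is stored in clear text in this file, so the file must be readable only by the step-ca service account (the same applies to any file the plugin generates); and ACME clients point at `https://<dnsName>/acme/<provisioner-name>/directory`, so with the fragment above that is `https://ca.homelab.example/acme/acme/directory`. The `devel/pcsc-lite` dependency listed in the post is what lets step-kms talk to the token over PC/SC, so the pcscd service has to be running before step-ca starts.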