From 043233f90f0c59629343d421d504d93be0b35ea4 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 24 Feb 2020 12:16:16 -0800 Subject: [PATCH 1/5] Update FAQ: I already have PKI --- docs/questions.md | 98 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 97 insertions(+), 1 deletion(-) diff --git a/docs/questions.md b/docs/questions.md index f930933c..f1daead4 100644 --- a/docs/questions.md +++ b/docs/questions.md 
@@ -106,7 +106,103 @@ automated method as your system grows. ## I already have PKI in place. Can I use this with my own root certificate? -Absolutely. [Details here]. +Yes. There's a easy way, and a longer but more secure way to do this. + +### Option 1: The easy way + +If you have your root CA signing key available, you can run: + +```bash +step ca init --root=[ROOT_CERT_FILE] --key=[ROOT_PRIVATE_KEY_FILE] +``` + +The root certificate can be in PEM or DER format, and the signing key can be a PEM file containing a PKCS#1, PKCS#8, or RFC5915 (for EC) key. + +### Option 2: More secure + +That said, CAs are usually pretty locked down and it's bad practice to move the private key around. So I'm gonna assume that's not an option and give you the more complex instructions to do this "the right way", by generating a CSR for `step-ca`, getting it signed by your exiting root, and configuring `step-ca` to use it. + +When you run `step ca init` we create a couple artifacts under `~/.step/`. The important ones for us are: + +- `~/.step/certs/root_ca.crt` is your root CA certificate +- `~/.step/secrets/root_ca_key` is your root CA signing key +- `~/.step/certs/intermediate_ca.crt` is your intermediate CA cert +- `~/.step/secrets/intermediate_ca_key` is the intermediate signing key used by `step-ca` + +The easiest thing to do is to run `step ca init` to get this scaffolding configuration in place, then remove/replace these artifacts with new ones that are tied to your existing root CA. + +First, `step-ca` does not actually need the root CA signing key. So you can simply remove that file: + +```bash +rm ~/.step/secrets/root_ca_key +``` + +Next, replace `step-ca`'s root CA cert with your existing root certificate: + +```bash +mv /path/to/your/existing/root.crt ~/.step/certs/root_ca.crt +``` + +Now you need to generate a new signing key and intermediate certificate, signed by your existing root CA. 
To do that we can use the `step certificate create` subcommand to generate a certificate signing request (CSR) that we'll have your existing root CA sign, producing an intermediate certificate. + +To generate those artifacts run: + +```bash +step certificate create "Intermediate CA Name" intermediate.csr intermediate_ca_key --csr +``` + +Next, you'll need to transfer the CSR file (`intermediate.csr`) to your existing root CA and get it signed. + +Now you need to get the CSR executed by your existing root CA. + +**Active Directory Certificate Services** + +```bash +certreq -submit -attrib "CertificateTemplate:SubCA" intermediate.csr intermediate.crt +``` + +**AWS Certificate Manager Private CA** + +Use [issue-certificate](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaIssueCert.html) to process the CSR: + +```bash +aws acm-pca issue-certificate \ +--certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \ +--csr intermediate.csr \ +--template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1" \ +--signing-algorithm "SHA256WITHRSA" \ +--validity Value=365,Type="DAYS" +``` + +This command will return the ARN of the certificate created. Now use [get-certificate](https://docs.aws.amazon.com/cli/latest/reference/acm-pca/get-certificate.html) to fetch the intermediate certificate: + +```bash +aws acm-pca get-certificate \ + --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \ + --certificate-arn "[CERTIFICATE_ARN]" \ + --output text > intermediate.crt +``` + +**OpenSSL** + +```bash +openssl ca -config [ROOT_CA_CONFIG_FILE] \ + -extensions v3_intermediate_ca \ + -days 365 -notext -md sha512 \ + -in intermediate.csr \ + -out intermediate.crt +``` + +This process will yield an `intermediate.crt` certificate. Transfer this file back to the machine running `step-ca`. 
+ +Finally, replace the intermediate .crt and signing key produced by `step ca init` with the new ones we just created: + +```bash +mv intermediate.crt ~/.step/certs/intermediate_ca.crt +mv intermediate_ca_key ~/.step/secrets/intermediate_ca_key +``` + +That should be it! You should be able to start `step-ca` and the certificates should be trusted by anything that trusts your existing root CA. ## Further Reading From a1debf7b1efd8ce38ee1c29e3e8b31800ba33d16 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 26 Feb 2020 10:17:32 -0800 Subject: [PATCH 2/5] FAQ Update: Intermediate certificates should be valid for 10 years --- docs/questions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/questions.md b/docs/questions.md index f1daead4..ad1fbf7d 100644 --- a/docs/questions.md +++ b/docs/questions.md @@ -171,7 +171,7 @@ aws acm-pca issue-certificate \ --csr intermediate.csr \ --template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1" \ --signing-algorithm "SHA256WITHRSA" \ ---validity Value=365,Type="DAYS" +--validity Value=3650,Type="DAYS" ``` This command will return the ARN of the certificate created. Now use [get-certificate](https://docs.aws.amazon.com/cli/latest/reference/acm-pca/get-certificate.html) to fetch the intermediate certificate: @@ -188,7 +188,7 @@ aws acm-pca get-certificate \ ```bash openssl ca -config [ROOT_CA_CONFIG_FILE] \ -extensions v3_intermediate_ca \ - -days 365 -notext -md sha512 \ + -days 3650 -notext -md sha512 \ -in intermediate.csr \ -out intermediate.crt ``` From 76a077ba3ea6a02fedbbcaa6ab56ffe06f3e1d05 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 26 Feb 2020 10:59:38 -0800 Subject: [PATCH 3/5] Add CFSSL instructions --- docs/questions.md | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/docs/questions.md b/docs/questions.md index ad1fbf7d..12dc1647 100644 --- a/docs/questions.md +++ b/docs/questions.md 
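Review bot: In the PATCH 1/5 hunk for docs/questions.md (@@ -106,7 +106,103 @@), the step `mv /path/to/your/existing/root.crt ~/.step/certs/root_ca.crt` moves the operator's original root certificate out of wherever it lived; `cp` is the right verb here, since the root certificate is public and the original copy belongs with the root CA. Two wording points in the same hunk: "There's a easy way" should read "an easy way", and the sentences "Next, you'll need to transfer the CSR file (`intermediate.csr`) to your existing root CA and get it signed." and "Now you need to get the CSR executed by your existing root CA." say the same thing, so drop the second (if it stays, "executed" should be "signed"). Two checks worth a sentence each before "That should be it!": does `step certificate create ... --csr` encrypt `intermediate_ca_key` with a password, and if so, say that `step-ca` must be given that password at start-up for the key the final `mv` puts in place; and does anything `step ca init` wrote alongside the listed artifacts pin the generated root's fingerprint, which would need updating once `root_ca.crt` is swapped for the existing root.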
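Review bot: In the PATCH 2/5 hunks at @@ -171 and @@ -188, changing `--validity Value=3650,Type="DAYS"` and `-days 3650` to ten years is a policy choice the surrounding prose never states; add one sentence near "Now you need to generate a new signing key and intermediate certificate" giving the intended intermediate lifetime so the tool-specific examples have a stated target. Note also that the Active Directory example `certreq -submit -attrib "CertificateTemplate:SubCA"` takes its validity from the SubCA template rather than from the command line, so it will not match 3650 days unless the template is configured for that.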
@@ -193,7 +193,36 @@ openssl ca -config [ROOT_CA_CONFIG_FILE] \ -out intermediate.crt ``` -This process will yield an `intermediate.crt` certificate. Transfer this file back to the machine running `step-ca`. +**CFSSL** + +For CFSSL you'll need a signing profile that specifies a 10-year expiry: + +```bash +cat > ca-smallstep-config.json < Date: Wed, 26 Feb 2020 17:27:03 -0800 Subject: [PATCH 4/5] Replace broken aws-cli commands with a Python script --- docs/questions.md | 47 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 13 deletions(-) diff --git a/docs/questions.md b/docs/questions.md index 12dc1647..8402a036 100644 --- a/docs/questions.md +++ b/docs/questions.md 
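Review bot: In the PATCH 3/5 hunk at @@ -193, the removed line "This process will yield an `intermediate.crt` certificate. Transfer this file back to the machine running `step-ca`." is the only instruction to move the signed certificate back to the CA host; the rest of the hunk is cut off in this view, so please confirm it is re-added after the new **CFSSL** section, otherwise the OpenSSL path loses that step. For the profile written to `ca-smallstep-config.json`, besides the 10-year expiry the text mentions, make sure it marks the issued certificate as a CA (cfssl's `ca_constraint` with `is_ca` set); a profile that only sets the expiry yields an end-entity certificate that `step-ca` cannot issue from.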
@@ -163,24 +163,45 @@ certreq -submit -attrib "CertificateTemplate:SubCA" intermediate.csr intermediat **AWS Certificate Manager Private CA** -Use [issue-certificate](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaIssueCert.html) to process the CSR: +Here's a Python script that uses [issue-certificate](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaIssueCert.html) to process the CSR: -```bash -aws acm-pca issue-certificate \ ---certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \ ---csr intermediate.csr \ ---template-arn "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1" \ ---signing-algorithm "SHA256WITHRSA" \ ---validity Value=3650,Type="DAYS" +```python +import boto3 +import sys + +AWS_CA_ARN = '[YOUR_PRIVATE_CA_ARN]' + +csr = ''.join(sys.stdin.readlines()) + +client = boto3.client('acm-pca') +response = client.issue_certificate( + CertificateAuthorityArn=AWS_CA_ARN, + Csr=csr, + SigningAlgorithm='SHA256WITHRSA', + TemplateArn='arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen1/V1', + Validity={ + 'Value': 5, + 'Type': 'YEARS' + } +) +print(f"Creating certificate with ARN {response['CertificateArn']}...", file=sys.stderr, end='') +waiter = client.get_waiter('certificate_issued') +waiter.wait( + CertificateAuthorityArn=AWS_CA_ARN, + CertificateArn=response['CertificateArn'] +) +print('done.', file=sys.stderr) +response = client.get_certificate( + CertificateArn=response['CertificateArn'], + CertificateAuthorityArn=AWS_CA_ARN +) +print(response['Certificate']) ``` -This command will return the ARN of the certificate created. 
Now use [get-certificate](https://docs.aws.amazon.com/cli/latest/reference/acm-pca/get-certificate.html) to fetch the intermediate certificate: +To run it, fill in the ARN of your CA and run: ```bash -aws acm-pca get-certificate \ - --certificate-authority-arn "[AWS_PRIVATE_CA_ARN]" \ - --certificate-arn "[CERTIFICATE_ARN]" \ - --output text > intermediate.crt +python issue_certificate.py < intermediate.csr > intermediate.crt ``` **OpenSSL** From be4b853d3a20276a96bee78edea0832a20c9039e Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2020 09:45:21 -0800 Subject: [PATCH 5/5] Typo fix --- docs/questions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/questions.md b/docs/questions.md index 8402a036..1cfa534f 100644 --- a/docs/questions.md +++ b/docs/questions.md @@ -120,7 +120,7 @@ The root certificate can be in PEM or DER format, and the signing key can be a P ### Option 2: More secure -That said, CAs are usually pretty locked down and it's bad practice to move the private key around. So I'm gonna assume that's not an option and give you the more complex instructions to do this "the right way", by generating a CSR for `step-ca`, getting it signed by your exiting root, and configuring `step-ca` to use it. +That said, CAs are usually pretty locked down and it's bad practice to move the private key around. So I'm gonna assume that's not an option and give you the more complex instructions to do this "the right way", by generating a CSR for `step-ca`, getting it signed by your existing root, and configuring `step-ca` to use it. When you run `step ca init` we create a couple artifacts under `~/.step/`. The important ones for us are:
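Review bot: In the PATCH 4/5 hunk at @@ -163, `csr = ''.join(sys.stdin.readlines())` hands `issue_certificate` a `str`, but boto3 documents `Csr` as `bytes` and botocore's parameter validation rejects a `str` for a blob parameter; use `csr = sys.stdin.buffer.read()` instead, which also removes the join. Second, `Validity={'Value': 5, 'Type': 'YEARS'}` contradicts PATCH 2/5, which set the OpenSSL example to 3650 days under the commit message "Intermediate certificates should be valid for 10 years"; use 10 here or change the others. Smaller points: `AWS_CA_ARN = '[YOUR_PRIVATE_CA_ARN]'` uses a different placeholder from `[AWS_PRIVATE_CA_ARN]` used elsewhere in the section; the `print(..., end='')` before `waiter.wait(...)` should pass `flush=True` so the "Creating certificate" message is visible before the wait rather than after it; and "To run it, fill in the ARN of your CA and run:" should tell the reader to save the script as `issue_certificate.py`, the filename the command below assumes.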
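Review bot: In the PATCH 5/5 hunk at @@ -120, "exiting" is fixed, but the same section added in PATCH 1/5 still reads "There's a easy way" in the Option 1 intro; worth folding that into this typo commit.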