This project aims to make it easy to provision a certificate authority on a Raspberry Pi 4, with the CA keys stored on a permanently attached YubiKey.
This makes use of the following upstream projects:
- Step-CA.
- Raspberry Pi 4 UEFI Firmware (forked to enable 8GiB RAM+DeviceTree).
- Fedora CoreOS.
- Podman.
- 2x YubiKeys with PIV capabilities (YubiKey NEO, or YubiKey 4/5).
- Root CA key pair which can be used for signing intermediate certificates.
- Root CA certificate, plus the intermediate CA certificate and private key.
- 1x Raspberry Pi 4; any RAM size should suffice.
- SD card or USB storage for the Raspberry Pi.
- USB storage for the Root CA, to be held offline in a secure location.
- Raspberry Pi Imager (rpi-imager) installed.
Fedora CoreOS is installed and booted via UEFI, so please ensure the Raspberry Pi 4's (EEPROM) bootloader is up to date before continuing.
The following steps should be done on an air-gapped machine.
You will need two YubiKeys: one for your root certificate and key pair, and another for the intermediate certificate and key used to issue the certificates deployed on end devices.
Keeping the root on its own offline token is HIGHLY RECOMMENDED; please don't complain to me if you compromise your root key or lose them.
```shell
mkdir /tmp/stepca
# STEPPATH must be exported, otherwise step falls back to ~/.step
export STEPPATH=/tmp/stepca
# --pki generates only the root and intermediate CA key pairs and certificates,
# not a CA configuration; you will be asked for a password to encrypt the keys
step ca init --pki
```
Use the generated files in the next section.
Root CA YubiKey

| Slot | Contents |
|---|---|
| 9a | Root certificate and key |

Intermediate CA YubiKey

| Slot | Contents |
|---|---|
| 9a | Root certificate |
| 9c | Intermediate certificate and key |
With the YubiKey that will hold the root CA plugged in, run:

```shell
ykman piv keys import 9a ${STEPPATH}/secrets/root_ca_key
ykman piv certificates import 9a ${STEPPATH}/certs/root_ca.crt
```

This stores the root private key and certificate on the token. step ca init encrypted the key with the password you chose, and ykman needs that password to decrypt it (it prompts for it, or accepts it via --password). Once imported, this token belongs offline with the Root CA USB storage, not in the Raspberry Pi.
With the YubiKey that will reside in the issuing CA plugged in, run:

```shell
ykman piv certificates import 9a ${STEPPATH}/certs/root_ca.crt
ykman piv certificates import 9c ${STEPPATH}/certs/intermediate_ca.crt
ykman piv keys import 9c ${STEPPATH}/secrets/intermediate_ca_key
```

Slot 9a holds only the root certificate (no key); slot 9c holds the intermediate certificate and its private key, which is the key step-ca will sign with.
When the container starts up, it connects to the YubiKey, reads the root and intermediate certificates from slots 9a and 9c, and writes them to disk where step-ca references them. The private keys never leave the token: step-ca signs through the YubiKey using the intermediate key in slot 9c.
Visit the releases page and download the latest Step-CA-FCOS-RaspberryPi4.img.xz, extract the archive and flash with Raspberry Pi Imager.
BEFORE YOU ATTEMPT BOOT READ THE CONFIGURATION SECTION
The ca.json file is located on the partition labelled boot (the second partition of the storage device). It is the default ca.json for running step-ca against a YubiKey.
The most important parts of the configuration are the kms section and the key being set to `yubikey:slot-id=9c`, the slot holding the intermediate certificate and key.
The root and intermediate certificates are extracted from the YubiKey on first boot.
Before booting, edit the ca.json file on the partition labelled boot (second partition) and set kms.pin to the PIV PIN of your YubiKey. The file ships with the factory default PIN 123456 configured; change the PIN on the token (ykman piv access change-pin) and update ca.json to match rather than leaving the default in place. Double-check the value before the first boot: every failed PIN attempt against the token consumes one of its PIV retries (three by default).
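The following is a minimal ca.json showing the fields discussed above. It is an added example, not the file shipped in the image: the paths under /home/step, the listen address and the dnsNames entry are assumptions, and the provisioners and tls sections of the real file are omitted. The kms.type and key URI are the values step-ca expects for a YubiKey-backed CA.

```json
{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "yubikey:slot-id=9c",
  "kms": {
    "type": "yubikey",
    "pin": "123456"
  },
  "address": ":443",
  "dnsNames": ["ca.example.com"],
  "db": {
    "type": "badgerv2",
    "dataSource": "/home/step/db"
  }
}
```

root and crt point at the certificates the container writes to disk after reading them from slots 9a and 9c on first boot, while key points at slot 9c itself, so the intermediate private key is only ever used inside the token. Replace "123456" with the PIN you set on the YubiKey; if you also changed the PIV management key, step-ca accepts it as kms.managementKey.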
Mount the partition labelled boot (second partition), copy wifi.txt.example to wifi.txt, and update the contents to match your access point credentials.
PLEASE NOTE: Fedora CoreOS doesn't ship with the firmware and software required to make the wireless chip in the Raspberry Pi 4 work out of the box. When wifi.txt is detected, the first boot installs the required firmware and the additional wifi package for NetworkManager. This can take around an hour if your connection is slow. Bear in mind that wifi.txt holds your access point credentials in plain text on the boot partition, so protect the card accordingly.