PKI Management
Assorted notes for running the PKI with #cfssl → Vault and AD CS.
nkmi PKI design
cfssl working directory
code:a.sh
 # one-time setup: create the LUKS volume that holds the cfssl CA material
 sudo cryptsetup luksFormat /dev/nvmeXXX
 sudo cryptsetup config /dev/nvmeXXX --label vault-101-cfssl_luks
 sudo cryptsetup luksOpen /dev/disk/by-label/vault-101-cfssl_luks vault-101-cfssl
 sudo mkfs.ext4 /dev/mapper/vault-101-cfssl   # filesystem type assumed; the original only formatted the LUKS container
 sudo mkdir -p /mnt/cfssl
 sudo mount /dev/mapper/vault-101-cfssl /mnt/cfssl
 sudo mkdir -p /mnt/cfssl/data/root-g1/intermediates
code:a2.sh
 # reopen and mount the volume on later boots
 sudo cryptsetup luksOpen /dev/disk/by-label/vault-101-cfssl_luks vault-101-cfssl
 sudo mount /dev/mapper/vault-101-cfssl /mnt/cfssl
code:b.sh
 # unmount and lock the volume when done
 sudo umount /mnt/cfssl
 sudo cryptsetup close vault-101-cfssl
cfssl Root
code:config.json
 {
   "signing": {
     "profiles": {
       "rootca": {
         "usages": ["cert sign", "crl sign", "digital signature"],
         "expiry": "87600h"
       },
       "ca": {
         "usages": ["cert sign", "crl sign", "digital signature"],
         "expiry": "10920h",
         "ca_constraint": {
           "is_ca": true,
           "max_path_len": 0,
           "max_path_len_zero": true
         },
         "issuer_url": "http://pki.nkmi.me/root-g2/root-g2.crt",
         "crl_url": "http://pki.nkmi.me/root-g2/root-g2.crl",
         "ocsp_url": "http://ocsp.pki.nkmi.me/root-g2"
       }
     },
     "default": {
       "usages": ["digital signature", "email protection", "server auth", "client auth"],
       "expiry": "480h"
     }
   },
   "auth_keys": {},
   "remotes": {}
 }
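As an added sanity check that is not part of the original page or of cfssl itself, a small validator for the invariants the config.json above relies on: usages given as JSON arrays, expiries in Go duration syntax, and the max_path_len_zero quirk for CA profiles. The sample config, function names and checks are my own construction.

```python
import json
import re

# cfssl parses "expiry" with Go's time.ParseDuration: h/m/s units only, never "d" or "y"
_GO_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_GO_DUR_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")
# key usages a profile must carry so the certificates it signs can act as a CA
CA_USAGES = {"cert sign", "crl sign"}
# constructed sample mirroring the page's "ca" and "default" profiles
SAMPLE_CONFIG = """{"signing": {"profiles": {"ca": {"usages": ["cert sign", "crl sign"],
  "expiry": "10920h", "ca_constraint": {"is_ca": true, "max_path_len": 0,
  "max_path_len_zero": true}}}, "default": {"usages": ["server auth"], "expiry": "480h"}}}"""

def parse_go_duration(text):
    """Seconds for a Go-style duration such as "87600h" or "1h30m"; None if invalid."""
    if not isinstance(text, str) or not text or text.strip() != text:
        return None
    pos, total = 0, 0.0
    for m in _GO_DUR_RE.finditer(text):
        if m.start() != pos:  # junk between components, e.g. the "d" in "30d"
            return None
        total += float(m.group(1)) * _GO_UNITS[m.group(2)]
        pos = m.end()
    return total if pos == len(text) else None

def check_signing_config(cfg):
    """Return the problems found in a cfssl signing config; an empty list means OK."""
    problems = []
    signing = cfg.get("signing", {})
    profiles = dict(signing.get("profiles", {}))
    if "default" in signing:
        profiles["default"] = signing["default"]
    for name, prof in profiles.items():
        usages = prof.get("usages")
        if not (isinstance(usages, list) and all(isinstance(u, str) for u in usages)):
            problems.append(f"{name}: 'usages' must be a JSON array of strings")
            usages = []
        if parse_go_duration(prof.get("expiry")) is None:
            problems.append(f"{name}: 'expiry' must be a Go duration (h/m/s, not d)")
        cons = prof.get("ca_constraint") or {}
        if cons.get("is_ca"):
            if not CA_USAGES <= set(usages):
                problems.append(f"{name}: CA profile needs usages {sorted(CA_USAGES)}")
            # cfssl encodes pathlen:0 only when max_path_len_zero is also true
            if cons.get("max_path_len", 0) == 0 and not cons.get("max_path_len_zero"):
                problems.append(f"{name}: max_path_len 0 needs max_path_len_zero: true")
    return problems

def check_sample():
    return check_signing_config(json.loads(SAMPLE_CONFIG))
```

Run it over a real config.json with `check_signing_config(json.load(open("config.json")))` before issuing anything from a profile.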
code:db_config.json
 {"driver": "sqlite3", "data_source": "/mnt/cfssl/data/root-g2/certstore_production.db"}
code:csr.json
 {
   "CN": "nkmi.me Private Root CA - G2",
   "key": {
     "algo": "rsa",
     "size": 2048
   },
   "ca": {
     "expiry": "87600h"
   },
   "names": [
     {
       "C": "JP",
       "O": "nkmi.me"
     }
   ]
 }
code:a.sh
 cd /mnt/cfssl/data/root-g2
 # apply the certdb schema migrations for the sqlite certificate store
 /mnt/cfssl/vendor/goose -path /mnt/cfssl/vendor/cfssl/certdb/sqlite -env production up
 # generate the self-signed root; writes ca.pem, ca-key.pem and ca.csr
 cfssl gencert -config config.json -profile rootca -initca csr.json | cfssljson -bare ca
 # publish the root certificate at the issuer_url
 aws s3 cp ca.pem s3://nkmi-pki-public/root-g2/root-g2.crt
Update cfssl CRL
Since the root is an offline CA, issue the CRL with a long expiry and push it to S3.
code:a.sh
 cd /mnt/cfssl/data/root-g1
 # cfssl crl prints the DER CRL base64-encoded, so decode it before publishing
 cfssl crl -ca ca.pem -ca-key ca-key.pem -expiry=10920h -db-config db_config.json | base64 -d > ca.crl
 aws s3 cp ca.crl s3://nkmi-pki-public/root-g1/root-g1.crl
Vault Intermediate CA from cfssl root
code:a.tf
 resource "vault_mount" "pki_clients-g1" {
   type                      = "pki"
   path                      = "pki/clients/g1"
   default_lease_ttl_seconds = 3456000
   max_lease_ttl_seconds     = 7776000
 }

 resource "vault_pki_secret_backend_intermediate_cert_request" "clients-g1" {
   backend      = vault_mount.pki_clients-g1.path
   type         = "internal"
   country      = "JP"
   organization = "nkmi.me"
   common_name  = "nkmi.me Private CA Clients - G1"
   key_type     = "rsa"
   key_bits     = 2048
 }
code:a.sh
 terraform apply
 # pull the CSR out of the state; the resource name must match the one in a.tf
 terraform state pull | jq -r '[.resources[] | select(.type == "vault_pki_secret_backend_intermediate_cert_request" and .name == "clients-g1")][0].instances[0].attributes.csr' > /tmp/csr.pem
 openssl req -in /tmp/csr.pem -text -noout
code:b.sh
 # on the offline CA host; ca.csr is the CSR pulled from the Terraform state above
 cd /mnt/cfssl/data/root-g1/intermediates/clients-g1
 cfssl sign -db-config ../../db_config.json -config ../../config.json -profile ca -ca ../../ca.pem -ca-key ../../ca-key.pem ca.csr | cfssljson -bare ca
 aws s3 cp ca.pem s3://nkmi-pki-public/root-g2/subordinates/clients-g1.crt
 openssl x509 -in ca.pem -text -noout
code:c.sh
 # paste the signed intermediate certificate, then end the input with Ctrl-D
 cat > /tmp/ca.pem
 vault write pki/clients/g1/intermediate/set-signed certificate=@/tmp/ca.pem
Step intermediate CA from cfssl root
→ step-ca
AD CS Intermediate CA from cfssl root
code:a.ps1
 # publish the cfssl root into the AD trust store
 certutil -dspublish -f .\Downloads\nkmi.me-root-g2.pem RootCA
code:b.ps1
 Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
 Install-AdcsCertificationAuthority `
   -CACommonName "nkmi.me Private AD CA - coney" `
   -CADistinguishedNameSuffix "O=nkmi.me,C=JP" `
   -CAType EnterpriseSubordinateCA `
   -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
   -DatabaseDirectory "C:\Windows\system32\CertLog" `
   -LogDirectory "C:\Windows\system32\CertLog" `
   -HashAlgorithmName "SHA256" `
   -KeyLength 2048 `
   -OutputCertRequestFile C:\adcs.csr
code:c.ps1
 # hand the CSR written by Install-AdcsCertificationAuthority to the offline CA via S3
 Write-S3Object -Region us-west-2 -Bucket ... -Key ad/coney/g2.csr -File 'C:\adcs.csr'
code:c.sh
 cd /mnt/cfssl/data/root-g2/subordinates/ad-coney-g3
 curl -o ca.csr https://...
 # subject override passed to cfssl sign; "names" must be an array
 echo '{"CN": "nkmi.me Private AD CA - coney", "names": [{"C": "JP", "O": "nkmi.me"}]}' > csr.json
 cfssl sign -config ../../config.json -db-config ../../db_config.json -profile ca -ca ../../ca.pem -ca-key ../../ca-key.pem ca.csr csr.json | cfssljson -bare ca
Note that the CN cannot be changed even on renewal.
Distributing the CRL and AIA files
Before starting the CA service, open mmc → Certification Authority → {server_name} → Properties → Extensions and add entries such as the following:
CRL http://pki.nkmi.me/ad/coney/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA http://pki.nkmi.me/ad/coney/<ServerDNSName>_<CaName><CertificateName>.crt
Use PowerShell or similar to periodically push the CRL and AIA files written to disk to S3 or similar: sync_pki_data.ps1
Check pkiview.msc and make sure there are no errors.
Certificate templates
After adding a template in the Certificate Templates snap-in, it still has to be bound to the AD CS CA from the Certification Authority snap-in...