So you've set up a local certificate authority using the Smallstep CA software, and you're using it to issue x.509 certificates to resources on your LAN. Perhaps you followed their guide to set up a "tiny CA" using a Raspberry Pi, a YubiKey, and a hardware RNG. Now you'd like to use your certificate authority to issue SSH user and host certificates. Unfortunately, the Smallstep software doesn't make this simple, but it's still do-able. This guide will specifically address modifying the Raspberry Pi-based tiny CA to issue SSH certificates.
This guide assumes your Tiny CA is up and running without problems, and running at least version 0.15.8 of the step-ca software.
Before proceeding, you'll need to stop the CA software. Run systemctl stop step-ca
.
Next, you'll need to create the signing key pairs for host and user certificates. Run ykman piv generate-key --algorithm ECCP256 82 ssh_host_ca_key.pem
followed by ykman piv generate-key --algorithm ECCP256 83 ssh_user_ca_key.pem
.
You'll then need to convert the .pem
files to SSH format. Run ssh-keygen -i -f ssh_host_ca_key.pem -mPKCS8 > ssh_host_ca_key.pub
followed by
ssh-keygen -i -f ssh_user_ca_key.pem -mPKCS8 > ssh_user_ca_key.pub
. Move the .pub
files to /etc/step-ca/certs
.
You'll now need to make some edits to the Step CA config file, /etc/step-ca/config/ca.json
.
First, tell step-ca to look for the signing keys on the YubiKey. Following the kms
block, add the following:
},
"ssh": {
"hostKey": "yubikey:slot-id=82",
"userKey": "yubikey:slot-id=83"
},
The first closing brace in this section is already present, but make sure to add the comma after it.
Second, edit the first provisioner in this file (the JWK
one) to look like this:
{
"type": "JWK",
"name": "[email protected]",
"key": {
"use": "sig",
"kty": "EC",
"kid": "foo",
"crv": "P-256",
"alg": "ES256",
"x": "bar",
"y": "baz"
},
"encryptedKey": "baz",
"claims": {
"enableSSHCA": true
}
},
The part you're adding here is the claims
section, to enable you to issue SSH certificates using this provisioner.
You'll need to add another provisioner, which will be used for renewing host certificates. Run step ca provisioner add sshpop --type sshpop --ca-config /etc/step-ca/config/ca.json
.
Now, start the certificate authority again. Run systemctl start step-ca
. Confirm it's running with systemctl status step-ca
. If not, the most likely issue is JSON formatting--make sure your edits to ca.json
are formatted properly.
Your CA is now configured to issue SSH user and host certificates. You can add further provisioners as needed.