How to create and import a root CA key and certificate onto multiple YubiKeys (for backup / cold storage purposes), and use the root CA to sign a new intermediate CA on a different YubiKey that will be used with step-ca for online leaf certificate signing.
You will need:
First, on an airgapped machine, generate a key pair on disk:
| #!/bin/bash | |
| # Using a TPM EKcert filename as input, this script recursively fetches TPM CA certificates. | |
| # It depends on the EKcert having an AIA (Authority Information Access) Issuer URI field. | |
| # This field is not required and may not be present. | |
| # If available, the CA certificates will be saved into the current directory. | |
| # | |
| # To use this script, you will need the following programs: | |
| # jq — https://jqlang.github.io/jq/ | |
| # step — https://smallstep.com/docs/step-cli/installation/ | |
| # curl |
| FROM smallstep/step-cli as step | |
| FROM mongo | |
| COPY --from=step /usr/local/bin/step /usr/local/bin/ | |
| ARG CA_URL | |
| ARG CA_FINGERPRINT | |
| ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT} | |
| RUN step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT --install |
| FROM mongo | |
| ARG CA_URL | |
| ARG CA_FINGERPRINT | |
| ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT} | |
| RUN apt update; \ | |
| apt install -y --no-install-recommends \ | |
| curl \ | |
| jq \ | |
| openssl \ | |
| ; \ |
| # my global config | |
| global: | |
| scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. | |
| # A scrape configuration containing exactly one endpoint to scrape: | |
| # Here it's Prometheus itself. | |
| scrape_configs: | |
| # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config. | |
| - job_name: 'prometheus' | |
| # metrics_path defaults to '/metrics' |
| #!/bin/bash | |
| ### Basic build environment ####### | |
| apt update | |
| apt install -y make gcc ack libpcsclite-dev pkg-config unzip debhelper | |
| apt upgrade -y | |
| cd /root | |
| ## Install golang |
| #!/bin/bash | |
| CA_NAME="Tiny" | |
| ROOT_KEY_PASSWORD="smallsteplabs" | |
| EMAIL="carl@smallstep.com" | |
| if [ -f /etc/os-release ]; then | |
| # freedesktop.org and systemd | |
| . /etc/os-release | |
| OS=$NAME |
| # Loki config based on | |
| # https://github.com/grafana/loki/blob/master/cmd/loki/loki-local-config.yaml | |
| # The only thing I've changed is the server: block. | |
| auth_enabled: false | |
| server: | |
| http_listen_address: 127.0.0.1 | |
| http_listen_port: 3100 | |
| grpc_listen_address: 127.0.0.1 |
| { | |
| "clientId": "step-ca", | |
| "rootUrl": "http://127.0.0.1:10000", | |
| "adminUrl": "http://127.0.0.1:10000", | |
| "surrogateAuthRequired": false, | |
| "enabled": true, | |
| "alwaysDisplayInConsole": false, | |
| "clientAuthenticatorType": "client-secret", | |
| "redirectUris": [ | |
| "http://127.0.0.1:10000/*" |
| #!/bin/bash | |
| # | |
| # This script will get an SSH host certificate from our CA and add a weekly | |
| # cron job to rotate the host certificate. It should be run as root. | |
| # | |
| # See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions | |
| CA_URL="[Your CA URL]" | |
| # Obtain your CA fingerprint by running this on your CA: |