Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

View tashian's full-sized avatar

Carl Tashian tashian

View GitHub Profile

How to create and import a root CA key and certificate onto multiple YubiKeys (for backup / cold storage purposes), and use the root CA to sign a new intermediate CA on a different YubiKey that will be used with step-ca for online leaf certificate signing.

You will need:

  • ykman
  • step
  • step-kms-plugin
  • At least three YubiKeys with PIV support. One will be used for an online intermediate CA, and the rest will be for offline root CA backups.

First, on an airgapped machine, generate a key pair on disk:

@tashian
tashian / fetch_tpm_certs.sh
Last active October 10, 2023 20:03
Using a TPM EKcert as input, recursively fetch the TPM CA certificate chain
#!/bin/bash
# Using a TPM EKcert filename as input, this script recursively fetches TPM CA certificates.
# It depends on the EKcert having an AIA (Authority Information Access) Issuer URI field.
# This field is not required and may not be present.
# If available, the CA certificates will be saved into the current directory.
#
# To use this script, you will need the following programs:
# jq — https://jqlang.github.io/jq/
# step — https://smallstep.com/docs/step-cli/installation/
# curl
@tashian
tashian / Dockerfile.mongo.step_ca_bootstrap
Created October 5, 2021 20:24
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust, using the step command
FROM smallstep/step-cli as step
FROM mongo
COPY --from=step /usr/local/bin/step /usr/local/bin/
ARG CA_URL
ARG CA_FINGERPRINT
ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT}
RUN step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT --install
@tashian
tashian / Dockerfile.mongo.ca_bootstrap
Last active October 5, 2021 20:26
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust
FROM mongo
ARG CA_URL
ARG CA_FINGERPRINT
ENV CA_URL=${CA_URL} CA_FINGERPRINT=${CA_FINGERPRINT}
RUN apt update; \
apt install -y --no-install-recommends \
curl \
jq \
openssl \
; \
@tashian
tashian / prometheus.yml
Last active May 4, 2021 22:38
Prometheus configuration file with TLS support
# my global config
global:
scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
# metrics_path defaults to '/metrics'
@tashian
tashian / aws-build-script.sh
Created April 21, 2021 17:39
Build step-ca on an AWS VM
#!/bin/bash
### Basic build environment #######
apt update
apt install -y make gcc ack libpcsclite-dev pkg-config unzip debhelper
apt upgrade -y
cd /root
## Install golang
@tashian
tashian / step-ca-launch.sh
Created April 21, 2021 16:29
Install & launch step-ca on a variety of Linux distros
#!/bin/bash
CA_NAME="Tiny"
ROOT_KEY_PASSWORD="smallsteplabs"
EMAIL="carl@smallstep.com"
AWS_ACCOUNT_ID="123123"
if [ -f /etc/os-release ]; then
# freedesktop.org and systemd
. /etc/os-release
@tashian
tashian / loki.yml
Last active May 4, 2021 23:42
Loki configuration for my homelab
# Loki config based on
# https://github.com/grafana/loki/blob/master/cmd/loki/loki-local-config.yaml
# The only thing I've changed is the server: block.
auth_enabled: false
server:
http_listen_address: 127.0.0.1
http_listen_port: 3100
grpc_listen_address: 127.0.0.1
@tashian
tashian / step-ca.json
Created January 26, 2021 22:00
Keycloak Client Settings for step-ca
{
"clientId": "step-ca",
"rootUrl": "http://127.0.0.1:10000",
"adminUrl": "http://127.0.0.1:10000",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"http://127.0.0.1:10000/*"
#!/bin/bash
#
# This script will get an SSH host certificate from our CA and add a weekly
# cron job to rotate the host certificate. It should be run as root.
#
# See https://smallstep.com/blog/diy-single-sign-on-for-ssh/ for full instructions
CA_URL="[Your CA URL]"
# Obtain your CA fingerprint by running this on your CA: