It's very nice to have communication between your local services protected by TLS, using short lived certificates.
Smallstep offers a certificate authority that can use a Yubikey for storage of the certificates. But to get yubikey support you need to enable it during compilation, which the prebuilt binaries for Debian don't have. They offer a Docker container with Yubikey/HSM support, but I want to use a virtual machine for stronger isolation from other processes.
Luckily the Alpine Linux maintainers offer a package with Yubikey support compiled in right out of the box.
After it is setup a backup of my Alpine VM takes up 113 MB, compared to my previous Debian VM that use up ~2 GB.
To keep the private keys off your system you can boot up a live CD or spin up a temporary LXC container with a Linux distribution as suggested in apalrd's tutorial, and generate them using openssl. Then install yubikey-manager as described to load the yubikey slot with the keys. If you use a different system for this you avoid having unnecessary software and libraries in your production system that you don't need for the operation of teh CA and ACME server.
Then you can copy the keys and certs to a LUKS encrypted drive (or password manager etc) for long term storage, and later copy root/intermediate certificates to the virtual machine using scp, USB drive or any other method.
Since I already had keys on my Yubikey I didn't do this step now, I would probably chose the simpler option of installing the step-kms-plugin package in Alpine and let step-cli create the key directly on the Yubikey.
See smallstep's yubikey page
Apalrd's tutorial suggest using bare metal but I chose to create a virtual machine on Proxmox.
Create a virtual machine using the latest Alpine-virtISO-image, I used 1 core and 256MB RAM.
Make sure you pass through the USB device to your VM in the Hardware tab in Proxmox.
Also enable QEMU Guest Agent in teh Options tab, and check Start at boot.
Set up a DNS name in your router so the VM is reachable by DNS name instead of IP.
Log into your VM and run the setup-alpine script.
After completed, shutdown the server.
Remove the CD drive, and set hdd as only boot option in the Options tab.
Enable the community repo by uncomment the line in /etc/apk/repositories using a text editor.
Update repos and install the required packages.
qemu-guest-agent is a helper for QEMU virtual machines to be able to start and stop them from proxmox.
Here the ccid and pcsc-lite packages enable communication with the USB smart card (Yubikey).
Then run the step ca init command described in apalrd's blog post.
This create new certs which you can delete immediatley.
Choose a password for the provisioner and save it in your password manager.
You will need this password if you want to generate certs (for example to use mTLS) directly on the host (not using ACME).
Delete the contents of the /etc/step-ca/certs and /etc/step-ca/certs
Copy the certs from your temporary system into this directory using scp or by USB stick/whatever method.
SCP needs SSH server that you can deactivate later if you want.
If you want SSH enabled then please follow best practices and enable key based authentication with password protected keys.
Note:
If you use the package step-kms-plugin to create your PKI, then create a password file using openssl or your password manager:
I didn't do that because I created the PKI using OpenSSL on a different system as in apalrd's tutorial, so I commented out the lines in the OpenRC service file.
The service file is /etc/init.d/step-ca
In this case of not using step_kms_plugin comment out/remove the pre-start check regarding the variable password_file.
In hindsight, It would probably be easier to use the "step kms create" command and create the PKI directly on the Yubikey, but that's for a different day.
Add the service files for pcscd, step-ca and qemu-guest-agent to runlevel default for both to start at boot:
Add the STEPPATH environment variable to /etc/profile
Add an ACME provisioner:
Reboot the VM and check so that everything works and the processes started successfully and that you can reach https://<your-dns-name>/roots.pem
Now you can add the ACME account to Proxmox.
Go to Datacenter/ACME and create ana ccount with the following URL:
If you need to renew the certs run:
Please comment and see if you can follow through.
Smallstep offers a certificate authority that can use a Yubikey for storage of the certificates. But to get yubikey support you need to enable it during compilation, which the prebuilt binaries for Debian don't have. They offer a Docker container with Yubikey/HSM support, but I want to use a virtual machine for stronger isolation from other processes.
Luckily the Alpine Linux maintainers offer a package with Yubikey support compiled in right out of the box.
After it is setup a backup of my Alpine VM takes up 113 MB, compared to my previous Debian VM that use up ~2 GB.
To keep the private keys off your system you can boot up a live CD or spin up a temporary LXC container with a Linux distribution as suggested in apalrd's tutorial, and generate them using openssl. Then install yubikey-manager as described to load the yubikey slot with the keys. If you use a different system for this you avoid having unnecessary software and libraries in your production system that you don't need for the operation of teh CA and ACME server.
Then you can copy the keys and certs to a LUKS encrypted drive (or password manager etc) for long term storage, and later copy root/intermediate certificates to the virtual machine using scp, USB drive or any other method.
Since I already had keys on my Yubikey I didn't do this step now, I would probably chose the simpler option of installing the step-kms-plugin package in Alpine and let step-cli create the key directly on the Yubikey.
See smallstep's yubikey page
Apalrd's tutorial suggest using bare metal but I chose to create a virtual machine on Proxmox.
Create a virtual machine using the latest Alpine-virtISO-image, I used 1 core and 256MB RAM.
Make sure you pass through the USB device to your VM in the Hardware tab in Proxmox.
Also enable QEMU Guest Agent in teh Options tab, and check Start at boot.
Set up a DNS name in your router so the VM is reachable by DNS name instead of IP.
Log into your VM and run the setup-alpine script.
After completed, shutdown the server.
Remove the CD drive, and set hdd as only boot option in the Options tab.
Enable the community repo by uncomment the line in /etc/apk/repositories using a text editor.
Update repos and install the required packages.
apk add -U step-certificates ccid pcsc-lite qemu-guest-agentqemu-guest-agent is a helper for QEMU virtual machines to be able to start and stop them from proxmox.
Here the ccid and pcsc-lite packages enable communication with the USB smart card (Yubikey).
Then run the step ca init command described in apalrd's blog post.
step ca init --name="<your ca name>" --dns="<VM's DNS name>" --address=":443" --provisioner="<example-name>" --deployment-type standaloneThis create new certs which you can delete immediatley.
Choose a password for the provisioner and save it in your password manager.
You will need this password if you want to generate certs (for example to use mTLS) directly on the host (not using ACME).
Delete the contents of the /etc/step-ca/certs and /etc/step-ca/certs
Copy the certs from your temporary system into this directory using scp or by USB stick/whatever method.
SCP needs SSH server that you can deactivate later if you want.
If you want SSH enabled then please follow best practices and enable key based authentication with password protected keys.
Note:
If you use the package step-kms-plugin to create your PKI, then create a password file using openssl or your password manager:
openssl rand -base64 64 > /etc/step-ca/password.txtI didn't do that because I created the PKI using OpenSSL on a different system as in apalrd's tutorial, so I commented out the lines in the OpenRC service file.
The service file is /etc/init.d/step-ca
In this case of not using step_kms_plugin comment out/remove the pre-start check regarding the variable password_file.
In hindsight, It would probably be easier to use the "step kms create" command and create the PKI directly on the Yubikey, but that's for a different day.
Add the service files for pcscd, step-ca and qemu-guest-agent to runlevel default for both to start at boot:
rc-update add step-ca defaultrc-update add pcscd defaultrc-update add qemu-guest-agent defaultAdd the STEPPATH environment variable to /etc/profile
sed -i '1i export STEPPATH=/etc/step-ca' /etc/profileAdd an ACME provisioner:
step ca provisioner add acme --type ACME --admin-name <your-name>Reboot the VM and check so that everything works and the processes started successfully and that you can reach https://<your-dns-name>/roots.pem
Now you can add the ACME account to Proxmox.
Go to Datacenter/ACME and create ana ccount with the following URL:
https://<your-DNS-name>/acme/acme/directoryIf you need to renew the certs run:
pvenode acme cert renewPlease comment and see if you can follow through.
Last edited: