Skip to content

A Setup for creating a Public Key Infrastructure backed by a YubiHSM2

Notifications You must be signed in to change notification settings

joekir/YUBIHSM_mTLS_PKI

Repository files navigation

Creating a mTLS PKI backed by a YubicoHSM

From my experience it's a popular security requirement to stipulate backend traffic use mutual-TLS (doesn't actually exist as a concept, it's just TLS with a client certificate..) except that usually devolves to self-signed certs, hence doesn't quite have the revocation benefits of a real PKI.

It's also a slightly different use case from normal PKI for browsers, CRL (Certificate Revocation List) lose lots of their value and OCSP become much more useful.

For most developers a full-blown HSM is too expensive, e.g. Gemalto is $50k a year or something? Whereas a YubiHSM is a one-off purchase of ~ $700. This is much more appealing.

This follows pages 366-376 of Bulletproof TLS pretty closely. It's recommended reading.

The accompanying blog post for this repo on josephkirwin.com will have some extra info on roles in the HSM and dettail 1 or 2 shortcomings.

Design notes

  • The ROOT CA key will be created in the YubiHSM and never leave the HSM
  • The ROOT and Intermediate's OCSP responder will run on a different box(es) that will be updated only if there is an intermediate certificate breach

Setup

  1. YubiHSM
  2. Docker Setup
  3. Root CA
  4. Intermediate CA
  5. Clear those audit logs!
  6. Client Certificates

About

A Setup for creating a Public Key Infrastructure backed by a YubiHSM2

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published