Skip to content

Latest commit

 

History

History
25 lines (16 loc) · 1.61 KB

README.md

File metadata and controls

25 lines (16 loc) · 1.61 KB

Creating a mTLS PKI backed by a YubicoHSM

From my experience it's a popular security requirement to stipulate backend traffic use mutual-TLS (doesn't actually exist as a concept, it's just TLS with a client certificate..) except that usually devolves to self-signed certs, hence doesn't quite have the revocation benefits of a real PKI.

It's also a slightly different use case from normal PKI for browsers, CRL (Certificate Revocation List) lose lots of their value and OCSP become much more useful.

For most developers a full-blown HSM is too expensive, e.g. Gemalto is $50k a year or something? Whereas a YubiHSM is a one-off purchase of ~ $700. This is much more appealing.

This follows pages 366-376 of Bulletproof TLS pretty closely. It's recommended reading.

The accompanying blog post for this repo on josephkirwin.com will have some extra info on roles in the HSM and dettail 1 or 2 shortcomings.

Design notes

  • The ROOT CA key will be created in the YubiHSM and never leave the HSM
  • The ROOT and Intermediate's OCSP responder will run on a different box(es) that will be updated only if there is an intermediate certificate breach

Setup

  1. YubiHSM
  2. Docker Setup
  3. Root CA
  4. Intermediate CA
  5. Clear those audit logs!
  6. Client Certificates