-
Notifications
You must be signed in to change notification settings - Fork 0
/
hsm-conf.yml
845 lines (779 loc) · 26.9 KB
/
hsm-conf.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
# This is a configuration file for the 'hsm-secrets' tool.
# It is used to generate keys and certificates for YubiHSM 2 devices.
#
# Many keys are in different formats:
# - RSA is very slow on YubiHSM
# - ECC is fast but has suffered from past implementation weaknesses (including Yubico products), backdoor suspicions, etc.
# - Ed25519 is recommended whenever possible
# ---------------------
# Edit this section first to customize for your organization.
macros:
# Variables to be passed to Jinja2 templates. This config file is a Jinja2 template for itself.
jinja_vars:
"ORG_NAME": "Example"
"CRL_URL": "http://crl.example.com"
"AD_DOMAIN": "example.directory"
# Arbitrary reusable YAML snippets (to be used with `<<: *SNIPPET_NAME` syntax below)
yaml_scratchpad:
# Default X.509 subject attributes.
# Edit to match your organization's details.
- $: &X509_SUBJECT_DEFAULTS
country: US
state: Calisota
locality: Duckburg
organization: "ExampleCorp"
# Name constraints for TLS intermediate CAs.
# Edit to match your domains and IP ranges (or set to null for no constraints).
- $: &TLS_NAME_CONSTRAINTS
critical: false
permitted:
dns:
- hsm.local
- .hsm.local
- example.com
- .example.com
- "{{AD_DOMAIN}}"
- ".{{AD_DOMAIN}}"
ip:
- 10.123.0.0/16
- fd12:3456:78::/48
- 2a01:2345:6::/48
# Device list. Declare you YubiHSM 2 devices here.
- $: &HSM_DEVICES
master_device: "27600135" # Serial number of the YubiHSM 2 that is cloning source for other devices.
all_devices:
"27600135" : "yhusb://serial=27600135" # For `yubihsm-connector`: http://localhost:12345
"27600136" : "yhusb://serial=27600136"
"27600137" : "yhusb://serial=27600137"
# Password rotation tokens for the password derivation rule.
# (See the `password_derivation` section below for details.)
- $: &PASSWORD_ROTATION_TOKENS
rotation_tokens:
# List of tool-generated tokens that rotate password for a specific host (or all if name_hmac is None).
# - `name_hmac` is the HMAC of the name, so each name can be rotated independently. If missing, the rule applies to all passwords.
# - Nonce prevents current HSM operators from pre-generating rotated passwords before they leave the team.
# - Timestamp is used to order the rotations, so that displayng previous passwords (e.g. in case of a rollback) is possible.
- {name_hmac: 0x4b2d9547f720ec540a9edda5d33f3aa68719cc5891a9b08df3382229cfc90670, nonce: 0x379cb049d15b37ab, ts: 1721727172}
# User auth keys are for general use by human operators.
#
# These should be YubiKey authenticated, and used for interactive operations,
# i.e. manually calling day-to-day scripts that sign HTTPS certificates, SSH keys, etc.
#
# They aren't supposed to be able to export or create other keys, only use them.
user_keys:
- &USER_COMMON_INFO
label: user_john.doe
id: 0xE001
domains: ['tls', 'nac', 'piv', 'gpg', 'codesign', 'ssh', 'password_derivation', 'encryption']
capabilities:
- sign-ssh-certificate # For SSH certificate creation
- sign-hmac # For password derivation
- verify-hmac # For verifying message authenticity
- sign-pss # RSA signing
- sign-pkcs # (--||--, but older PKCS#1 v1.5, not recommended)
- sign-eddsa # Ed25519 signing
- sign-ecdsa # ECC signing
- derive-ecdh # ECC key exchange
- encrypt-cbc # General AES symmetric data encryption
- decrypt-cbc
- encrypt-ecb # (non-chained AES, not recommended for general use)
- decrypt-ecb
- get-pseudo-random # Generating random numbrs
- sign-attestation-certificate # Prove some other key is protected by an HSM
- exportable-under-wrap # Allow backing up of this key
- get-opaque # For getting certificates stored in the HSM
- change-authentication-key # Change this key's credentials
- delete-authentication-key # Delete this or any other auth key
- put-authentication-key # Create new auth keys (allow operators to re-create keys for each other)
- get-log-entries
- get-option
delegated_capabilities: ['same'] # ('same' = copy from `capabilities` above)
- <<: *USER_COMMON_INFO # (YAML anchor -- copy fields from the previous entry)
label: user_alice.smith
id: 0xE002
- label: user_bob.johnson
id: 0xE003
domains: ['piv'] # Bob is a PIV (smartcard) operator, so no access to other domains
delegated_capabilities: [] # Not allowed to create new user keys on HSM
capabilities:
- sign-hmac
- verify-hmac
- sign-pss
- sign-pkcs
- sign-eddsa
- sign-ecdsa
- derive-ecdh
- encrypt-cbc
- decrypt-cbc
- encrypt-ecb
- decrypt-ecb
- get-pseudo-random
- sign-attestation-certificate
- exportable-under-wrap
- get-opaque
- change-authentication-key
# --------------------------------------------
# Starting from here, all organization-specific information are templated using the macros above.
# The rest of the sections define keys, certificates and their settings.
# --------------------------------------------
general:
<<: *HSM_DEVICES
domains:
# Domain numbers (1-16) separate different types of objects in the YubiHSM 2.
# These text names are used by the hsm-secrets tool for clarity, not by the device itself.
x509: 1
tls: 2
nac: 3
piv: 4
ssh: 5
gpg: 6
codesign: 7
password_derivation: 8
encryption: 9
# Default settings for X.509 certificates.
# These are used for all generated certificates when a specific setting is not provided (i.e. is null).
x509_defaults:
validity_days: 3650
basic_constraints:
ca: true
path_len: 0 # Allow end-entity certificate signing only, by default
attribs:
<<: *X509_SUBJECT_DEFAULTS
common_name: ''
key_usage:
critical: true
usages: # Generic CA key usages
- keyCertSign
- digitalSignature
- cRLSign
extended_key_usage: {} # No EKU for CAs by default
certificate_policies:
critical: false
policies:
- policy_identifier: "2.5.29.32.0" # AnyPolicy OID
policy_qualifiers:
- type: user_notice
explicit_text: "Issued for proprietary corporate use only. Not for public trust."
# YubiHSM 2 device admin keys and settings
admin:
default_admin_password: 'password'
# Default admin key ('password') for the YubiHSM 2.
# This is used during intial setup and temporarily restored using the shared key
# during subsequent key management operations.
default_admin_key:
label: "DEFAULT AUTHKEY CHANGE THIS ASAP" # original label for the default key
id: 0x0001
domains: ['all']
capabilities: ['all']
delegated_capabilities: ['all']
# K-of-N split shared secret for super-admin access.
# This is a 128 bit password-derived key, split into
# custodian shares during setup.
#
# Sharing and recombining is done in software, not in the HSM,
# so it should be done on an air-gapped machine like the initial setup.
shared_admin_key:
label: auth_shared-admin
id: 0x0002
domains: ['all']
capabilities: ['all']
delegated_capabilities: ['all']
# Wrap key for exporting/importing keys securely between YubiHSM 2 devices.
# Used for cloning devices.
wrap_key:
label: key_wrap
id: 0x000F
algorithm: aes256-ccm-wrap
domains: ['all']
capabilities: ["wrap-data", "unwrap-data", "export-wrapped", "import-wrapped", "exportable-under-wrap"]
delegated_capabilities: ['all']
audit:
# Specify logging/audit policies for the devices.
# 'fixed' is like 'on', but cannot be turned off again except by a factory reset
forced_audit: 'on' # If on/fixed, HSM refuses further commands until log is audited when it fills up
default_command_logging: 'on' # Default for commands not listed below
command_logging: # Overrides for specific commands
reset-device: 'fixed'
put-opaque: 'fixed'
put-authentication-key: 'fixed'
put-asymmetric-key: 'fixed'
generate-asymmetric-key: 'fixed'
export-wrapped: 'fixed'
import-wrapped: 'fixed'
put-wrap-key: 'fixed'
set-option: 'fixed'
put-hmac-key: 'fixed'
delete-object: 'fixed'
generate-hmac-key: 'fixed'
generate-wrap-key: 'fixed'
put-template: 'fixed'
change-authentication-key: 'fixed'
put-symmetric-key: 'fixed'
generate-symmetric-key: 'fixed'
generate-otp-aead-key: 'fixed'
put-otp-aead-key: 'fixed'
set-log-index: 'fixed'
sign-ecdsa: 'fixed'
sign-eddsa: 'fixed'
sign-hmac: 'fixed'
sign-pkcs1: 'fixed'
sign-pss: 'fixed'
sign-ssh-certificate: 'fixed'
unwrap-data: 'fixed'
wrap-data: 'fixed'
echo: 'off'
device-info: 'off'
get-storage-info: 'off'
get-object-info: 'off'
get-option: 'off'
get-pseudo-random: 'off'
get-public-key: 'off'
blink-device: 'off'
get-log-entries: 'off' # This seems to change after fetch (firmware bug?), so don't log it to avoid digest mismatch
create-session: 'off' # Not much point, as auth session key is included in every other log entry
close-session: 'off' # (--||--)
authenticate-session: 'off' # (--||--)
session-message: 'off' # This is a low-level command, spams the log, not very useful to log
# Service keys are for automated use by services, probably less well authenticated than user keys.
# These should be strictly domain-limited, and have limited capabilities.
service_keys:
# Dedicated audit key for reviewing logs.
# The log listings form a continuous blockchain and the `get-log-entries` wipes the log.
# => Each call must be made consciously and must store the results to uphold the chain of evidence.
# This is why the user keys are not allowed to call this capability wantonly.
- label: svc_log-audit
id: 0x0008
domains: ['all']
capabilities: [
'get-log-entries',
'set-option',
'get-option',
'exportable-under-wrap',
'change-authentication-key']
delegated_capabilities: []
# For attestation. This is necessary because HSM operator user keys above are not
# members of the 'x509' domain, to disallow them from signing with root CA keys directly.
# This user can attest the keys, but not use them for anything else.
- label: svc_attestation
id: 0x0009
domains: ['all']
capabilities: ['sign-attestation-certificate', 'get-opaque', 'change-authentication-key', 'exportable-under-wrap']
delegated_capabilities: []
# Service key for NAC (Network Access Control) for
# signing 802.1X EAP-TLS certificates.
- label: svc_nac
id: 0xD010
domains: ['nac']
capabilities:
- sign-pss
- sign-pkcs
- sign-ecdsa
- derive-ecdh
- sign-eddsa
- sign-hmac
- get-pseudo-random
- exportable-under-wrap
- change-authentication-key # Could allow DoS on the key, but lesser evil than not being able to rotate it
delegated_capabilities: []
# Subsystem/domain for root CAs.
# Intermediate CAs in other subsystems are signed by these.
x509:
root_certs:
-
key:
label: key_ca-root-a1-rsa3072
id: 0x0110
domains: ['x509']
algorithm: rsa3072
capabilities:
- sign-pss # prefer this for RSA
- sign-pkcs
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/root-a1-rsa3072.crl"
x509_info: &ROOT_COMMON_CERT_INFO
validity_days: 7300 # 20 years
basic_constraints:
path_len: null # No limit for root CAs
attribs:
common_name: '{{ ORG_NAME }} Root A1 RSA3072'
signed_certs: # Certificates to create (and store in HSM) for this key
- id: 0x0111
label: cert_ca-root-a1-rsa3072
domains: ['x509', 'tls', 'nac', 'piv', 'gpg', 'codesign'] # Allow the root cert (though not the key) to be read by all services
algorithm: opaque-x509-certificate
sign_by: 0x0111 # Root CA signs its own certificate
-
key:
label: key_ca-root-a1-ed25519
id: 0x0120
domains: ['x509']
algorithm: ed25519
capabilities:
- sign-eddsa
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/root-a1-ed25519.crl"
x509_info:
<<: *ROOT_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} Root A1 Ed25519'
signed_certs:
- id: 0x0121
label: cert_ca-root-a1-ed25519
domains: ['x509', 'tls', 'nac', 'piv', 'gpg', 'codesign']
algorithm: opaque-x509-certificate
sign_by: 0x0121
-
key:
label: key_ca-root-a1-ecp384
id: 0x0130
domains: ['x509']
algorithm: ecp384
capabilities:
- sign-ecdsa
- derive-ecdh
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/root-a1-ecp384.crl"
x509_info:
<<: *ROOT_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} Root A1 ECP384'
signed_certs:
- id: 0x0131
label: cert_ca-root-a1-ecp384
domains: ['x509', 'tls', 'nac', 'piv', 'gpg', 'codesign']
algorithm: opaque-x509-certificate
sign_by: 0x0131
# TLS (HTTPS, TCP, ...)
tls:
default_ca_id: 0x0233
intermediate_cas:
-
key:
label: key_tls-t1-rsa3072
id: 0x0210
domains: ['tls']
algorithm: rsa3072
capabilities:
- sign-pss
- sign-pkcs
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/tls-t1-rsa3072.crl"
x509_info: &TLS_COMMON_CERT_INFO
basic_constraints:
path_len: 0 # Allow end-entity certificate signing only
name_constraints:
<<: *TLS_NAME_CONSTRAINTS
attribs:
common_name: '{{ ORG_NAME }} TLS Intermediate T1 RSA3072'
signed_certs:
- id: 0x0211
label: cert_tls-t1-rsa3072
domains: ['tls'] # Only allow TLS services to read this cert
algorithm: opaque-x509-certificate
sign_by: 0x0111 # RSA3072 Root CA
-
key:
label: key_tls-t1-ed25519
id: 0x0220
domains: ['tls']
algorithm: ed25519
capabilities:
- sign-eddsa
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/tls-t1-ed25519.crl"
x509_info:
<<: *TLS_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} TLS Intermediate T1 Ed25519'
signed_certs: # Cross-sign with legacy certs for compatibility
- id: 0x0221
label: cert_tls-t1-ed25519_rsa3072-root
domains: ['tls']
algorithm: opaque-x509-certificate
sign_by: 0x0111 # RSA3072 Root CA
- id: 0x0222
label: cert_tls-t1-ed25519_ed25519-root
domains: ['tls']
algorithm: opaque-x509-certificate
sign_by: 0x0121 # Ed25519 Root CA
- id: 0x0223
label: cert_tls-t1-ed25519_ecp384-root
domains: ['tls']
algorithm: opaque-x509-certificate
sign_by: 0x0131 # ECP384 Root CA
-
key:
label: key_tls-t1-ecp384
id: 0x0230
domains: ['tls']
algorithm: ecp384
capabilities:
- sign-ecdsa
- derive-ecdh
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/tls-t1-ecp384.crl"
x509_info:
<<: *TLS_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} TLS Intermediate T1 ECP384'
signed_certs:
- id: 0x0231
label: cert_tls-t1-ecp384_rsa3072-root
domains: ['tls']
algorithm: opaque-x509-certificate
sign_by: 0x0111 # RSA Root CA
- id: 0x0233
label: cert_tls-t1-ecp384_ecp384-root
domains: ['tls']
algorithm: opaque-x509-certificate
sign_by: 0x0131 # ECP384 Root CA
# Unconstrained TLS intermediate for (hopefully rare) cases where name
# constraints are not practical or possible.
# A partner might not to trust this CA, but it could be used for internal services.
-
key:
label: key_tls-tu1-rsa3072
id: 0x021A
domains: ['tls']
algorithm: rsa3072
capabilities:
- sign-pss
- sign-pkcs
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/tls-tu1-rsa3072.crl"
x509_info:
<<: *TLS_COMMON_CERT_INFO
name_constraints: {} # Remove name constraints
attribs:
common_name: '{{ ORG_NAME }} TLS Unconstrained TU1 RSA3072'
signed_certs:
- id: 0x021B
label: cert_tls-tu1-rsa3072
domains: ['tls']
algorithm: opaque-x509-certificate
sign_by: 0x0111
# NAC (Network Access Control) intermediate keys for 802.1X EAP-TLS.
# NO COMMANDS FOR THIS SECTION IMPLEMENTED YET -- KEYS ARE GENERATED FOR FUTURE USE
nac:
intermediate_cas:
-
key:
label: key_nac-n1-rsa2048 # NAC is not a very high-security use case, so 2048 for max compatibility
id: 0x0310
domains: ['nac']
algorithm: rsa2048
capabilities:
- sign-pss # preferred
- sign-pkcs
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/nac-n1-rsa2048.crl"
x509_info: &NAC_COMMON_CERT_INFO
basic_constraints:
path_len: 1 # NAC servers may need their own CAs, so allow one level of intermediates
attribs:
common_name: '{{ ORG_NAME }} NAC Intermediate N1 RSA2048'
signed_certs:
- id: 0x0311
label: cert_nac-n1-rsa2048
domains: ['nac']
algorithm: opaque-x509-certificate
sign_by: 0x0111
-
key:
label: key_nac-n1-ecp256
id: 0x0330
domains: ['nac']
algorithm: ecp256
capabilities:
- sign-ecdsa
- derive-ecdh
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/nac-n1-ecp256.crl"
x509_info:
<<: *NAC_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} NAC Intermediate N1 ECP256'
signed_certs:
- id: 0x0333
label: cert_nac-n1-ecp256
domains: ['nac']
algorithm: opaque-x509-certificate
sign_by: 0x0131
# PIV (Personal Identity Verification) keys for smartcard login
piv:
default_ca_id: 0x0431
default_piv_domain: '@{{AD_DOMAIN}}' # AD UPN suffix for Windows, rfc822 suffix for Linux/macOS
intermediate_cas:
-
key:
label: key_piv-p1-rsa2048
id: 0x0410
domains: ['piv']
algorithm: rsa2048 # 2048 is the maximum for RSA in PIV. Use ECC if compatibility allows.
capabilities:
- sign-pss
- sign-pkcs
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/piv-p1-rsa2048.crl"
x509_info: &PIV_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} PIV Intermediate P1 RSA2048'
validity_days: 3650
key_usage:
critical: true
usages:
- digitalSignature
- keyAgreement
- keyCertSign
- cRLSign
signed_certs:
- id: 0x0411
label: cert_piv-p1-rsa2048
domains: ['piv']
algorithm: opaque-x509-certificate
sign_by: 0x0111
-
key:
label: key_piv-p1-ecp384
id: 0x0430
domains: ['piv']
algorithm: ecp384
capabilities:
- sign-ecdsa
- derive-ecdh
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/piv-p1-ecp384.crl"
x509_info:
<<: *PIV_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} PIV Intermediate P1 ECP384'
signed_certs:
- id: 0x0431
label: cert_piv-p1-ecp384
domains: ['piv']
algorithm: opaque-x509-certificate
sign_by: 0x0131
# Domain Controller Kerberos PKINIT KDC certificate template
dc_cert_templates:
"default":
validity_days: 1825 # 5 years
basic_constraints:
ca: false # End-entity certificate
path_len: null
key_usage:
critical: true
usages:
- digitalSignature
- keyEncipherment
- keyAgreement
- nonRepudiation
extended_key_usage:
usages:
- clientAuth
- serverAuth
- smartcardLogon
- kerberosPKINITKDC
# User certificate templates for PIV cards
user_cert_templates:
"default":
validity_days: 1095 # 3 years. This is long, so use Strong Certificate Mapping (KB5014754) for easy revocation.
attribs:
country: ''
locality: ''
organization: '{{ ORG_NAME }}'
common_name: ''
basic_constraints:
ca: false
path_len: null
key_usage:
critical: true
usages:
- nonRepudiation
- digitalSignature
- keyEncipherment # For RSA key exchange
- keyAgreement # For ECDH, required for offline logon with ECC certificates
extended_key_usage:
usages:
- clientAuth
- smartcardLogon
# Certificate-based SSH authentication keys.
# OpenSSH certificates are in proprietary format, so these are not signed by the X.509 root CAs.
ssh:
default_user_ca: 0x0520
default_host_ca: 0x0520 # You can separate these, but given the HSM, having to change one but not the other is unlikely
root_ca_keys:
- label: key_ssh-root-ca-rsa3072
id: 0x0510
domains: ['ssh']
algorithm: rsa3072
capabilities:
- sign-ssh-certificate
- sign-pss
- sign-pkcs
- exportable-under-wrap
- label: key_ssh-root-ca-ed25519
id: 0x0520
domains: ['ssh']
algorithm: ed25519
capabilities:
- sign-ssh-certificate
- sign-eddsa
- exportable-under-wrap
- label: key_ssh-root-ca-ecp384
id: 0x0530
domains: ['ssh']
algorithm: ecp384
capabilities:
- sign-ssh-certificate
- sign-ecdsa
- derive-ecdh
- exportable-under-wrap
# GPG/OpenPGP keys
# NO COMMANDS FOR THIS SECTION IMPLEMENTED YET -- KEYS ARE GENERATED FOR FUTURE USE
#
# Note: PKCS#11 support in GPG is not very good atm
#
# RSA keys can be used for both SCA (Sign, Certify, Authenticate) and E (Encrypt) operations in GnuPG, but
# it is recommended to use separate keys for these purposes, so make two keys here. Allow both sign & crypt
# operations on both keys though, to avoid future problems.
#
# Ed25519 keys are only for SCA operations. There's an x25519 (aka cv25519) key type for E operations in GnuPG,
# but the operation is apparently not supported by YubiHSM 2.
gpg:
keys:
- label: key_gpg-g1-rsa3072-sca
id: 0x0610
domains: ['gpg']
algorithm: rsa3072
capabilities:
- sign-pss # preferred
- sign-pkcs
- decrypt-oaep
- decrypt-pkcs
- exportable-under-wrap
- label: key_gpg-g1-rsa3072-e
id: 0x0611
domains: ['gpg']
algorithm: rsa3072
capabilities:
- sign-pss # preferred
- sign-pkcs
- decrypt-oaep # preferred
- decrypt-pkcs
- exportable-under-wrap
- label: key_gpg-g1-ed25519
id: 0x0620
domains: ['gpg']
algorithm: ed25519
capabilities:
- sign-eddsa
- exportable-under-wrap
- label: key_gpg-g1-ecp384
id: 0x0630
domains: ['gpg']
algorithm: ecp384
capabilities:
- sign-ecdsa
- derive-ecdh
- exportable-under-wrap
# Code signing keys for signing software, firmware, etc.
codesign:
default_cert_id: 0x0711
certs:
-
key:
label: key_codesign-cs1-rsa3072
id: 0x0710
domains: ['codesign']
algorithm: rsa3072
capabilities:
- sign-pss
- sign-pkcs
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/codesign-cs1-rsa3072.crl"
x509_info: &CODESIGN_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} Code Signing CS1 RSA3072'
key_usage:
usages:
- digitalSignature
- keyCertSign
- cRLSign
extended_key_usage:
usages:
- codeSigning
- timeStamping
signed_certs:
- id: 0x0711
label: cert_codesign-cs1-rsa3072
domains: ['codesign']
algorithm: opaque-x509-certificate
sign_by: 0x0111
-
key:
label: key_codesign-cs1-ecp384
id: 0x0720
domains: ['codesign']
algorithm: ecp384
capabilities:
- sign-ecdsa
- derive-ecdh
- exportable-under-wrap
crl_distribution_points:
- "{{CRL_URL}}/codesign-cs1-ecp384.crl"
x509_info:
<<: *CODESIGN_COMMON_CERT_INFO
attribs:
common_name: '{{ ORG_NAME }} Code Signing CS1 ECP384'
signed_certs:
- id: 0x0733
label: cert_codesign-cs1-ecp384
domains: ['codesign']
algorithm: opaque-x509-certificate
sign_by: 0x0131
# For deriving unique passwords from usernames, hostnames, etc.
password_derivation:
keys:
- label: key_pw-derivation-1
id: 0x0810
domains: ['password_derivation']
algorithm: hmac-sha256 # 60x faster than hmac-sha512 on YubiHSM 2
capabilities:
- sign-hmac
- verify-hmac
- exportable-under-wrap
default_rule: host-root-passwords
rules:
- id: host-root-passwords
<<: *PASSWORD_ROTATION_TOKENS
key: 0x0810
format: bip39
separator: '.' # Separate password parts with a '.' instead of '-' (or space) to avoid keyboard layout issues
bits: 64 # 64 should be fine for yescrypt / bcrypt etc, Use 128 if the password is hashed with a weak scheme like NTLM
# For generic encryption of secrets, passwords, etc.
# Limited and infrequent use, YubiHSM is not very fast
# NO COMMANDS FOR THIS SECTION IMPLEMENTED YET -- KEYS ARE GENERATED FOR FUTURE USE
encryption:
keys:
- label: key_enc-1
id: 0x0910
domains: ['encryption']
algorithm: aes256
capabilities:
- encrypt-cbc # prefer CBC over ECB unless you have a very good reason
- decrypt-cbc
- encrypt-ecb
- decrypt-ecb
- exportable-under-wrap