
PKI configuration
Status: Needs testing, Requires assessment | Public | Feature request

Description

I think VyOS would benefit from having some form of PKI configuration included, also where the certificates and keys are written directly into the config to allow for portability (somewhat like crypto pki in cisco).

I have been experimenting and was thinking of something like:

Conf mode:

set pki ca <ca-name> certificate <cert_data>
set pki ca <ca-name> private key <key_data>
set pki ca <ca-name> private passphrase 'abcdef'
set pki ca <ca-name> private type 'rsa'

set pki certificate [name] ... <same as CA tag node>

Op mode:

generate pki ca <name> [install]  # Generates a CA certificate and private key
generate pki certificate <name> [install] # Generates a private key and certificate request
generate pki certificate <name> self-signed [install] # Generates self-signed certificate
generate pki certificate <name> sign [ca-name] [install] # Generates private key and certificate request, signs with CA at [ca-name]

The install optional setting in op-mode could either output lines to enter in conf-mode, or if appropriate could auto-install the generated certs/keys into the running-config.

The goal of this would be for use across the entire configuration. Like how set vpn rsa-keys and set service https are managing their own certificates/keys, they could instead reference to a central location.

Any thoughts?

Migration checklist:

  • EAPOL
  • HTTPS
  • IPSec RSA
  • IPSec X509
  • L2TP
  • LetsEncrypt
  • OpenConnect
  • OpenVPN
  • SSTP
  • Wireguard

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

sdev updated the task description.

I very much like this idea. Certificates can then easily be migrated from device to device, and very easily be referenced in a service.

I have two more questions, how to link a server cert to the matching CA cert? And how would the LetsEncrypt service fit in this system?

When using show pki ... commands you would be able to see the relation between certificates and CAs.

Not sure yet how to factor in LetsEncrypt.

I like the design!

We need to make sure to store it in a dir that survives upgrades of course.

sdev changed the task status from Open to In progress. Jun 29 2021, 12:37 PM
sdev claimed this task.

I should soon have a PR ready for this, including an update to IPSec config to show how to port existing configs to use PKI.

> I like the design!
>
> We need to make sure to store it in a dir that survives upgrades of course.

The certificates and keys would be stored in the config file itself, making it easily portable.

sdev updated the task description.
sdev changed the task status from In progress to Needs testing. Jul 22 2021, 3:49 PM
sdev updated the task description.

Hey everyone,

I tested this feature yesterday with an OpenVPN server.
I have to say that I really like the new way of managing a PKI.

But I have a slight problem:
My PKI is using elliptic curve crypto. VyOS is not able to save the private key,
because it tries to append the wrong PEM headers/footers.

I read in the original post that a:
set pki ca <ca-name> private type 'rsa'
should be supported. I read the implementation and found no trace of it (yet).
So is somebody working on it? Is that even the way to go, or do you prefer another
interface? If nobody is working on it I would try to implement the feature this week.
(I hope that I have enough time for that.)

Have a nice day!
Cheers,
Nicolas Riebesel

I think I found my problem. I didn't know the difference between PKCS#1 and PKCS#8.
If I give the key in PKCS#8 format I can finally commit the changes without problems.

But on the way I found other odd things:

  • I found a check in conf_mode/interfaces-openvpn.py:137 that should check that the certificate used for openvpn has no password. For some reason I haven't gotten that error.
  • With the PKCS#8 key OpenVPN is not able to start anymore, because VyOS wants me to delete dh-file, but that in turn requires setting dh none in the OpenVPN config, otherwise it will error on the missing dh parameter. See: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/options.c#L3273

So I think the documentation should be changed to reflect the fact that a PKCS#8 private key is required and that the dh parameter should be fixed.
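Added example, not VyOS code and not from the thread: a small pre-commit check for the two pitfalls above, a private key that is not unencrypted PKCS#8 (PKCS#1 "RSA PRIVATE KEY" or SEC1 "EC PRIVATE KEY" armour) and a key that carries a passphrase, which OpenVPN cannot use. The sample PEM blocks are constructed ASN.1 skeletons, not real keys, and the assumption that VyOS stores the bare base64 body as `<key_data>` is mine.

```python
import base64
import re

# Constructed DER skeletons, NOT real keys: just enough ASN.1 to exercise the checks below.
FAKE_PKCS8_DER = bytes.fromhex("300d020100300506032a8648040100")  # SEQ{INT 0, SEQ{OID}, OCTETS}
FAKE_PKCS1_DER = bytes.fromhex("3009020100020101020101")          # SEQ{INT 0, INT, INT}
FAKE_SEC1_DER = bytes.fromhex("3006020101040100")                  # SEQ{INT 1, OCTETS}

def make_pem(label, der, headers=()):
    """Wrap DER in PEM armour; only used to build the constructed samples."""
    head = "".join(h + "\n" for h in headers)
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{head}{body}-----END {label}-----\n"

SAMPLE_PKCS8 = make_pem("PRIVATE KEY", FAKE_PKCS8_DER)
SAMPLE_EC = make_pem("EC PRIVATE KEY", FAKE_SEC1_DER)
SAMPLE_RSA_ENC = make_pem("RSA PRIVATE KEY", FAKE_PKCS1_DER, ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00", ""])
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def split_pem(pem):
    """Return (label, RFC 1421 header lines, base64 body with whitespace removed)."""
    m = PEM_RE.search(pem)
    if not m: raise ValueError("no PEM block found")
    lines = m.group(2).splitlines()
    headers = [l for l in lines if ":" in l]  # base64 text never contains ':'
    return m.group(1), headers, "".join(l.strip() for l in lines if ":" not in l)

def der_version_and_next_tag(der):
    """For SEQUENCE { INTEGER version, <next>, ... } return (version, tag of <next>), else None."""
    if len(der) < 6 or der[0] != 0x30: return None
    i = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)  # skip long-form length bytes
    if der[i:i + 2] != b"\x02\x01" or len(der) < i + 4: return None
    return der[i + 2], der[i + 3]

def classify_private_key(pem):
    """Classify a PEM private key; 'usable' means the unencrypted PKCS#8 form the thread found to work."""
    label, headers, b64 = split_pem(pem)
    encrypted = label == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)
    parsed = der_version_and_next_tag(base64.b64decode(b64))
    if label == "ENCRYPTED PRIVATE KEY":
        fmt = "pkcs8-encrypted"
    elif label == "PRIVATE KEY" and parsed == (0, 0x30):  # AlgorithmIdentifier SEQUENCE follows version 0
        fmt = "pkcs8"
    elif label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):  # PKCS#1 / SEC1: openssl pkcs8 -topk8 -nocrypt converts
        fmt = "pkcs1" if label.startswith("RSA") else "sec1"
    else:
        fmt = "unknown"
    usable = fmt == "pkcs8" and not encrypted
    # Assumed config shape: VyOS keeps the bare base64 body and re-adds the PEM armour itself.
    return {"format": fmt, "encrypted": encrypted, "usable": usable, "key_data": b64 if usable else None}
```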

I have created a PR for the bugs that I found above. I hope that it is acceptable to solve these within this ticket:
https://github.com/vyos/vyos-1x/pull/1014