
PKI configuration
Needs testing, Requires assessment | Public | FEATURE REQUEST


I think VyOS would benefit from having some form of PKI configuration included, also where the certificates and keys are written directly into the config to allow for portability (somewhat like crypto pki in Cisco).

I have been experimenting and was thinking of something like:

Conf mode:

set pki ca <ca-name> certificate <cert_data>
set pki ca <ca-name> private key <key_data>
set pki ca <ca-name> private passphrase 'abcdef'
set pki ca <ca-name> private type 'rsa'

set pki certificate [name] ... <same as CA tag node>

Op mode:

generate pki ca <name> [install]  # Generates a CA certificate and private key
generate pki certificate <name> [install] # Generates a private key and certificate request
generate pki certificate <name> self-signed [install] # Generates self-signed certificate
generate pki certificate <name> sign [ca-name] [install] # Generates private key and certificate request, signs with CA at [ca-name]

The optional install setting in op-mode could either output lines to enter in conf-mode, or if appropriate could auto-install the generated certs/keys into the running-config.

The goal of this would be for use across the entire configuration. Like how set vpn rsa-keys and set service https are managing their own certificates/keys, they could instead reference to a central location.

Any thoughts?

Migration checklist:

  • IPSec RSA
  • IPSec X509
  • L2TP
  • LetsEncrypt
  • OpenConnect
  • OpenVPN
  • SSTP
  • Wireguard


Difficulty level: Unknown (require assessment)
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
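A sketch of the portability idea in the task description, added here as an example and not code from VyOS or from the task's author: it flattens a PEM file into a one-line value for the proposed set pki ca nodes and rebuilds the PEM from that value. The one-line base64 encoding, the CA name check and the sample inputs are assumptions made for the illustration.

```python
import base64
import binascii
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL)

def pem_to_config_value(pem):
    """Return (label, one-line base64) for a text holding exactly one PEM block."""
    blocks = list(PEM_RE.finditer(pem))
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label = blocks[0]["label"]
    body = "".join(blocks[0]["body"].split())  # drop line breaks and indentation
    try:
        # Also rejects legacy encrypted keys, whose body carries Proc-Type/DEK-Info headers.
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{label}: body is not plain base64 ({exc})") from None
    return label, body

def config_value_to_pem(value, label):
    """Rebuild the PEM file a service would read from the stored config value."""
    base64.b64decode(value, validate=True)  # refuse a corrupted config value
    wrapped = "\n".join(textwrap.wrap(value, 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"

def render_set_commands(name, cert_pem, key_pem):
    """Emit the conf-mode lines from the proposal above for one CA entry."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):  # assumed rule for a safe node name
        raise ValueError("CA name must be a single safe config token")
    cert_label, cert = pem_to_config_value(cert_pem)
    key_label, key = pem_to_config_value(key_pem)
    if cert_label != "CERTIFICATE" or not key_label.endswith("PRIVATE KEY"):
        raise ValueError(f"unexpected PEM types: {cert_label!r}, {key_label!r}")
    return [f"set pki ca {name} certificate '{cert}'",
            f"set pki ca {name} private key '{key}'"]

def armor(label, payload):
    """Constructed sample input: PEM armor around placeholder bytes, not a real cert or key."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"

SAMPLE_CERT = armor("CERTIFICATE", b"constructed placeholder certificate bytes " * 4)
SAMPLE_KEY = armor("PRIVATE KEY", b"constructed placeholder key bytes " * 4)

if __name__ == "__main__":
    print("\n".join(render_set_commands("lab-ca", SAMPLE_CERT, SAMPLE_KEY)))
```

The private key value lands in the config in the same form as the certificate, so anything that exports or backs up the config carries the key with it.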


Event Timeline

sdev updated the task description.

I very much like this idea. Certificates can then easily be migrated from device to device, and very easily be referenced in a service.

I have two more questions, how to link a server cert to the matching CA cert? And how would the LetsEncrypt service fit in this system?

When using show pki ... commands you would be able to see the relation between certificates and CAs.

Not sure yet how to factor in LetsEncrypt.

I like the design!

We need to make sure to store it in a dir that survives upgrades of course.

sdev changed the task status from Open to In progress. (Tue, Jun 29, 12:37 PM)
sdev claimed this task.

I should soon have a PR ready for this, including an update to IPSec config to show how to port existing configs to use PKI.

> I like the design!
>
> We need to make sure to store it in a dir that survives upgrades of course.

The certificates and keys would be stored in the config file itself, making it easily portable.

sdev updated the task description.
sdev changed the task status from In progress to Needs testing. (Thu, Jul 22, 3:49 PM)
sdev updated the task description.