A while ago, I had the idea to use our step-ca root authority as a Root CA to create a signed intermediate CA for FOG Project-related certificates.
I tested this today by manually creating an intermediate CA on my step-ca instance and replacing the default FOG certificates. After doing so, I reran the installer, and it is working perfectly. I now have SSL certificates signed by my own intermediate CA. The iPXE binaries are also signed (though not yet fully tested).
Note on Secure Boot: In theory, it should be possible to use this CA chain to facilitate Secure Boot. The chain would simply need to be enrolled in the UEFI using mokutil or a similar tool.
Proposed Implementation Workflow:
The installer could be updated with the following logic:
- Prompt the user: "Do you have an existing StepCA Root Authority or external CA?"
- If No: Proceed with the current default installer behavior.
- If Yes: Prompt the user to provide the file paths for the certificates created via the step CLI. (I am looking into partially automating this step and will provide updates after further testing).
- Validation: The installer should check if a CA already exists (which I believe is already part of the current installation logic).
Proof of Concept:
I used the following commands on my step-ca server to generate the FOG CA certificate:
step certificate create "FOG Project Intermediate CA" fog-intermediate.csr fog-intermediate.key --csr --no-password --insecure
step certificate sign --profile intermediate-ca fog-intermediate.csr <PATH-TO-STEP-CA-AUTHORITY>/root_ca.crt <PATH-TO-STEP-CA-AUTHORITY>/root_ca_key
Security Considerations:
One potential concern is that the intermediate CA on the FOG server is not password-protected. However, if the FOG server is compromised, an attacker could generate signed certificates—this is currently the case with the existing self-signed implementation, so this proposal does not appear to introduce new vulnerabilities.
Is there interest in integrating this into the main installer?
Best regards,
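
The validation step proposed above, sketched as an added example that is not part of the original post or of the FOG installer. `validate_fog_ca` and the file names in the usage comment are hypothetical, and the script assumes PEM files, an unencrypted key as produced with `--no-password --insecure`, and the `openssl` CLI:

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a user-supplied intermediate CA.
# validate_fog_ca is a hypothetical helper, not part of the FOG installer.
# Assumes PEM files, an unencrypted key and the openssl CLI on PATH.
# Returns 0 ok, 1 unreadable file, 2 not a CA certificate, 3 not issued
# by the given root, 4 key/certificate mismatch, 5 key readable by others.
validate_fog_ca() {
    local root_crt="$1" int_crt="$2" int_key="$3"
    local f cert_pub key_pub perms

    for f in "$root_crt" "$int_crt" "$int_key"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done

    # Without basicConstraints CA:TRUE, clients reject anything it signs.
    if ! openssl x509 -in "$int_crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "not a CA certificate: $int_crt" >&2; return 2
    fi

    # The intermediate must chain to the root the user pointed at.
    if ! openssl verify -CAfile "$root_crt" "$int_crt" >/dev/null 2>&1; then
        echo "$int_crt was not issued by $root_crt" >&2; return 3
    fi

    # The key must belong to the certificate: compare the public halves.
    cert_pub=$(openssl x509 -in "$int_crt" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$int_key" -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 4; }

    # The key has no passphrase, so file mode is its only protection.
    perms=$(ls -ld -- "$int_key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "chmod 600 $int_key" >&2; return 5; }
    return 0
}

# Stand-alone use (file names are assumptions):
#   script root_ca.crt fog-intermediate.crt fog-intermediate.key
if [ "$#" -eq 3 ]; then validate_fog_ca "$@"; fi
```

An installer could run these checks right after the path prompt and fall back to its default certificate generation on any non-zero return.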