{"id":22363259,"url":"https://github.com/shift/step-ca-cgo","last_synced_at":"2025-10-19T04:26:36.911Z","repository":{"id":63488724,"uuid":"568234320","full_name":"shift/step-ca-cgo","owner":"shift","description":"step-ca container with cgo enabled","archived":false,"fork":false,"pushed_at":"2025-04-09T02:57:43.000Z","size":80,"stargazers_count":7,"open_issues_count":13,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-12T21:09:27.275Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shift.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-19T21:41:51.000Z","updated_at":"2023-03-05T06:26:20.000Z","dependencies_parsed_at":"2023-12-22T16:50:43.609Z","dependency_job_id":"3ff32719-50dd-4d66-a8a7-60b3d267eb02","html_url":"https://github.com/shift/step-ca-cgo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shift%2Fstep-ca-cgo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shift%2Fstep-ca-cgo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shift%2Fstep-ca-cgo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shift%2Fstep-ca-cgo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shift","download_url":"https://codeload.github.com/shift/step-ca-cgo/tar.gz/refs/hea
ds/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248631676,"owners_count":21136562,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-04T17:14:15.549Z","updated_at":"2025-10-19T04:26:31.861Z","avatar_url":"https://github.com/shift.png","language":"Dockerfile","readme":"# Introduction\n\nThis project aims to make it easy to provision a certificate authority\non a Raspberry Pi 4 with its keys stored on a permanently attached YubiKey.\n\n## Upstream Components\n\nThis makes use of the following upstream projects:\n\n * [Step-CA](https://github.com/smallstep/certificates).\n * [Raspberry Pi 4 UEFI Firmware (forked to enable 8GiB RAM+DeviceTree)](https://github.com/shift/rpi4-uefi/).\n * [Fedora CoreOS](https://getfedora.org/en/coreos).\n * [Podman](https://podman.io/).\n\n## Prerequisites\n\n * 2x YubiKey with [PIV capabilities](https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) (YubiKey NEO, or YubiKey 4/5):\n   1. Root CA pair which can be used for signing Intermediate Certificates.\n   2. 
Root CA certificate and Intermediate CA certificate and private key.\n * 1x Raspberry Pi 4, any RAM size should suffice.\n * SD-card or USB storage for the Raspberry Pi.\n * USB storage for the Root CA, to be held offline in a secure location.\n * Installed [Raspberry Pi Imager (rpi-imager)](https://www.raspberrypi.com/software/).\n\n## Setup steps\n\n### Raspberry Pi 4 Bootloader\n\nFedora CoreOS is installed via UEFI, so please [ensure your bootloader is up to date](https://pimylifeup.com/raspberry-pi-bootloader/#using-the-raspberry-pi-imager) before continuing.\n\n### YubiKey Setup\n\nThese steps should be done on an air-gapped machine.\n\nYou will need 2 YubiKeys: one for your root certificate and key pair, and\nanother for the intermediate certificate used to issue certificates to\nend devices.\n\nThis is _HIGHLY RECOMMENDED_; please don't complain to me if you compromise\nyour root key or lose them.\n\n### Generate Root and Intermediate Certificate Authorities\n\n```bash\nmkdir /tmp/stepca\n# export the variable so the step CLI actually picks it up from the environment\nexport STEPPATH=/tmp/stepca\nstep ca init --pki\n```\nUse the generated files in the next section.\n\n### Key Slots\n\nRoot CA YubiKey\n\n| Slot | Key                              |\n|------|----------------------------------|\n| 9a   | Root Certificate and Key         |\n\nIntermediate CA YubiKey\n\n| Slot | Key                              |\n|------|----------------------------------|\n| 9a   | Root Certificate                 |\n| 9c   | Intermediate Certificate and Key |\n\nWith your root CA YubiKey plugged in, run:\n```bash\nykman piv keys import 9a ${STEPPATH}/secrets/root_ca_key\nykman piv certificates import 9a ${STEPPATH}/certs/root_ca.crt\n```\n\nThis stores your private key and certificate on your token.\n\nWith the YubiKey which will reside in your issuing CA plugged in, run the following:\n```bash\nykman piv certificates import 9a ${STEPPATH}/certs/root_ca.crt\nykman piv certificates import 9c ${STEPPATH}/certs/intermediate_ca.crt\nykman piv keys import 9c 
${STEPPATH}/secrets/intermediate_ca_key\n```\n\nWhen the container starts up, it connects to the YubiKey, extracts the\nroot and intermediate certificates and writes them to disk where step-ca\nreferences them.\n\n### Flashing\n\nVisit the [releases page](https://github.com/shift/step-ca-cgo/releases/latest) and download the latest Step-CA-FCOS-RaspberryPi4.img.xz, extract the archive and flash it with Raspberry Pi Imager.\n\n**BEFORE YOU ATTEMPT TO BOOT, READ THE CONFIGURATION SECTION**\n\n### Configuration\n\n#### ca.json\n\nThis file is located on the boot (second) partition of the storage device.\nThis is the default ca.json for running via a YubiKey.\n\nThe most important parts of the configuration are the kms section, and\nthe `key` field being set to `yubikey:slot-id=9c`.\n\nThe root and intermediate certificates are extracted from the YubiKey on first\nboot.\n\n#### YubiKey PIN\n\nPlease update the `ca.json` file on the partition labelled `boot` (second\npartition) and set kms.pin to match that of your YubiKey. The file ships with the\nYubiKey factory-default PIN of `123456`; do not leave your YubiKey on that default PIN.\n\n#### Wireless / WLAN / Wi-Fi\n\nPlease mount the partition labelled `boot` (second partition).\nCopy wifi.txt.example to wifi.txt and update the contents to match your access\npoint credentials.\n\n**PLEASE NOTE** Fedora CoreOS doesn't ship with the firmware and software\nrequired to make the wireless chip in the Raspberry Pi 4 work out of the box.\nWhen this file is detected, on first boot it will install the required firmware\nand the additional Wi-Fi package for NetworkManager. 
This can take around an\nhour if your connection is slow.\n\n## Prior Art\n\n * [Build a Tiny Certificate Authority For Your Homelab](https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/).\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshift%2Fstep-ca-cgo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshift%2Fstep-ca-cgo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshift%2Fstep-ca-cgo/lists"}