FalseBlue PKI#
Important
After completing revocation operations in the PKI, regenerate and export the CRLs and upload them to the FalseBlue website, so that relying parties receive the latest revocation information.
Overview#
Certificate Authorities#
Root CA#
The private key is stored in Bitwarden as "FalseBlue Root CA Key".
Fingerprint (SHA-256 of the DER-encoded certificate): 66b8732f7a4630403455da2ef05fef269ae63e390c6b5f50f82ecdf872585fe6
```bash
# Bootstrap the step CLI against the CA; the fingerprint pins the root so a tampered download is rejected
step ca bootstrap --ca-url https://ca.falseblue.com --fingerprint 66b8732f7a4630403455da2ef05fef269ae63e390c6b5f50f82ecdf872585fe6
# Download the root certificate (saved as ./roots in the current directory)
curl -LO https://ca.falseblue.com/roots
```
Yubikey Nano 5c CA#
Yubikey NFC 5c CA#
CRLs#
XCA PKI#
All tracking is now done with the XCA PKI management tool. The XCA database is stored in the pki/db directory, encrypted with sops and additionally protected by an XCA database password.
Opening the XCA Database#
```bash
# Decrypt the XCA database (the plaintext lands next to the encrypted copy)
sops -d pki/db/FalseBlue-CA.xdb.sops > pki/db/Falseblue-CA.xdb
# Open it with XCA
nix run nixpkgs#xca pki/db/Falseblue-CA.xdb
```
Important
The decrypted .xdb is protected only by the XCA database password; delete it when you are finished and never commit it.
You will need to have the Yubikey plugged in to access the private keys.
You will also need to point XCA at the OpenSC PKCS#11 module: search for the library in the XCA settings and set the path that is correct for the system.
On NixOS the correct path is usually /run/current-system/sw/lib/opensc-pkcs11.so.
Renewing a Certificate Manually using XCA#
This is documented because it is the most complete example of how to use XCA to renew a certificate.
- Open the XCA database.
- Find the Synology DSM certificate in the “Certificates” tab and its corresponding CSR in the “CSRs” tab.
- Right click the CSR and select “Sign”.
- Set “Sign with” to the nano5c CA.
When complete, you will need to export the following:
- The signed cert
- The private key for the cert
- The chained CA cert (nano5c CA and root CA)
Updating the CRL#
- Click on the “Certificates” tab.
- Right click the CA whose CRL needs updating and select “Update CRL”.
- Go to the “CRLs” tab and right click the CRL that was just created.
- Select “Export” and save the CRL in the pki/authorities directory.
- CRLs and CA certs must be uploaded to https://falseblue.com: copy the files from the pki/authorities directory to the static directory in the project.
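The checks worth running on exported material before it goes onto a server or into static, as an added example that is not part of this repository or of XCA: it builds a throwaway copy of the Root -> Yubikey Nano 5C CA -> leaf tree in memory with freshly generated keys (nothing in it is FalseBlue key material; the subjects and the host name dsm.test.internal are made up), then shows that the fingerprint `step ca bootstrap --fingerprint` pins is the SHA-256 of the DER certificate, that an exported leaf, private key and CA chain verify against the root, and that a CRL is signed by the CA it claims, is inside its thisUpdate/nextUpdate window and actually lists the revoked serial. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Hierarchy is a throwaway in-memory copy of the "Key Tree" (Root -> Yubikey Nano 5C CA -> leaf) with fresh keys; nothing in it is FalseBlue material.
type Hierarchy struct {
	Root, Inter, Leaf *x509.Certificate
	LeafKey           *ecdsa.PrivateKey
	CRL               []byte // DER CRL issued by Inter that lists Leaf as revoked
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func BuildTestHierarchy() Hierarchy {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTmpl(1, "Test Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := issue(caTmpl(2, "Test Yubikey Nano 5C CA"), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{ // constructed stand-in for the Synology DSM server certificate
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "dsm.test.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	// The intermediate revokes the leaf, as "Update CRL" on the nano5c CA would after a revocation.
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, inter, interKey))
	return Hierarchy{Root: root, Inter: inter, Leaf: leaf, LeafKey: leafKey, CRL: crl}
}

// Fingerprint is the SHA-256 of the DER certificate, the value `step ca bootstrap --fingerprint` pins.
func Fingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}

// VerifyBundle checks an exported leaf, key and CA chain as a TLS client would: leaf chains via the intermediates to root, and key matches leaf.
func VerifyBundle(leaf *x509.Certificate, key *ecdsa.PrivateKey, chain []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain {
		inters.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return fmt.Errorf("chain does not reach the root: %w", err)
	}
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(key.Public()) {
		return fmt.Errorf("private key does not match the certificate")
	}
	return nil
}

// CheckCRL validates a CRL before publishing it (signed by issuer, current at now) and reports whether serial is listed; a stale or mis-signed CRL is an error, not "not revoked".
func CheckCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not current: thisUpdate %s, nextUpdate %s", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Against the real exports, decode the PEM files with encoding/pem and hand the DER to x509.ParseCertificate / x509.ParseRevocationList before calling the same functions. A CRL that fails CheckCRL under the nano5c CA certificate should not be copied into the static directory, and a bundle that fails VerifyBundle is usually a chain exported in the wrong order or a key exported for a different certificate.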
FalseBlue Root CA Public Certificate#
Public Key
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
Key Tree#
Note
Most critical keys shown
```mermaid
flowchart TD
Root["FalseBlue Root CA"] --> XCA["FalseBlue Intermediate Certificate"]
Root --> nano5c["Yubikey Nano 5C CA"]
Root --> radius["Voile Radius Server TLS"]
nano5c --> nfc5c["Yubikey NFC 5C CA"]
Root --> step["Step-CA running on Ereshkigal"]
```
Step CA#
Info
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
Step CA is currently running as a service on ereshkigal. It is an intermediate CA signed by the root and is reachable at https://ca.falseblue.com (via a Cloudflare tunnel on voile).
ACME#
An example of using ACME can be found in scripts/renew_cert.sh; it is the script that renews the default certificate on voile.