PKI and HSM in a SME – 4/4 – Forwarding an HSM to remote EJBCA

Setting up your Nitrokey HSM (local and remote)

This part must be done on your local machine.
Let’s start by installing OpenSC, the OpenSmartCard middleware and libraries (Nitrokey HSM is an implementation of SmartCard-HSM).
# apt install opensc gnutls-bin

You can learn more about OpenSC and some of its tools with the following links. OpenSC installs many tools, but you’ll mainly do things with sc-hsm-tool and pkcs11-tool
sc-hsm-tool man page here: https://htmlpreview.github.io/?https://github.com/OpenSC/OpenSC/blob/master/doc/tools/tools.html#sc-hsm-tool.
pkcs11-tool man page here: https://htmlpreview.github.io/?https://github.com/OpenSC/OpenSC/blob/master/doc/tools/tools.html#pkcs11-tool.

Also, to start initializing and playing with your Nitrokey HSM, i strongly recommend this tutorial:
https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html

Setting up build tools (local and remote)

This part must be done on your remote and your local machine.
Let’s install compiling tools.
# apt install gcc make gtk-doc-tools help2man texinfo texlive-base libffi-dev


Compiling and installing libtasn1 (local and remote)

This part must be done on your remote and your local machine.
Let’s start by compiling libtasn1. It is a p11-kit dependency.
You can get the lastest version of libtasn1 here: https://www.gnu.org/software/libtasn1/
$ wget http://mirrors.ibiblio.org/gnu/ftp/gnu/libtasn1/libtasn1-4.13.tar.gz
$ tar xzvf libtasn1-4.13.tar.gz
$ cd libtasn1-4.13
$ ./configure
$ make bootstrap
$ make
$ make check
# make install


Compiling and installing p11-kit (local and remote)

This part must be done on your remote and your local machine.
Let’s compile p11-kit.
You can get the lastest version of p11-kit here: https://github.com/p11-glue/p11-kit/releases
$ wget https://github.com/p11-glue/p11-kit/releases/download/0.23.14/p11-kit-0.23.14.tar.gz
$ tar xzvf p11-kit-0.23.14.tar.gz
$ cd p11-kit-0.23.14
$ ./configure
$ make
$ make check
# make install


Clean up (local and remote)

This part must be done on your remote and your local machine.
Let’s now remove build tools, we don’t need them anymore.
# apt remove gcc make gtk-doc-tools help2man texinfo texlive-base
# apt autoremove

You can also remove the build directories and all tar.gz files.

p11-kit user systemd unit (local and remote)

This part must be done on your remote and your local machine.
For p11-kit HSM forwarding to work, we need to create a permanent folder in your /run/user/`id -u`/ called p11-kit.
This can be done quite easily with a very small user systemd unit. For the remote %user% and the local user that will run the forwarding, create a new file in ~/.config/systemd/user/p11-kit-client.service containing:

[Unit]
Description=p11-kit client

[Service]
Type=oneshot
RemainAfterExit=true
RuntimeDirectory=p11-kit
ExecStart=/bin/true

[Install]
WantedBy=default.target

Then, we need to refresh, enable and start the p11-kit-client.service.
$ systemctl --user daemon-reload
$ systemctl --user enable p11-kit-client.service
$ systemctl --user start p11-kit-client.service

You can now check everything is fine by running a ls /run/user/`id -u`/: it should show a p11-kit folder!

Configure EJBCA to use the p11-kit client library (remote)

This part must be done on your remote machine.
We must now tell EJBCA to load and use the p11-kit PKCS11 library.

On the remote server, we’ll need to edit the ~/ejbca-custom/conf/web.properties. At the end of the file, we need to put our p11-kit client PKCS11 library for EJBCA to use it.

cryptotoken.p11.lib.255.name=p11-kit client
cryptotoken.p11.lib.255.file=/usr/local/lib/pkcs11/p11-kit-client.so

It is also needed for %user% on your remote EJBCA to have the right to start and stop EJBCA using $ sudo without password. To enable this, add %user% to sudo, and edit /etc/sudoers as root to add the line at the end:

%user%  ALL=(ALL) NOPASSWD: /bin/systemctl start ejbca.service, /bin/systemctl stop ejbca.service

Careful, the whole %user% is to replace with your user name. Do not leave any % as it means something else.

Ready to forward with remote-hsm.sh? (local)

This part must be done on your local machine.

Strongly recommended: copy local user public key to remote %user% for secure (and easy) login

The script i’ve wrote runs a lot of ssh commands, for you not to have to type 10 times the password, but also as a security feature, you should allow public key SSH login to your remote. On your local machine, run $ ssh-copy-id %user%@%fqdn%. You’ll be prompted for the %user% password.

remote-hsm.sh

I’ve written a very small script that will forward the only Nitrokey plugged on a local machine. For more than one Nitrokey or any other device, you’ll need to modify the script. I do review any PR you could submit.
You can get it here: https://github.com/fladna9/remote-hsm
You just have to run $ ./remote-hsm.sh, make sure your key is plugged before running and tada!
This script will also reload EJBCA for the HSM to be visible.
Once you’ve launched the script, you should go to the Administration part of EJBCA, and look at “Crypto Token” item. You should be able to create a new reference to your device, and generate keys from it. Nitrokey comes with a LED, blinking when it is working. You’ll see it blinking as you’re generating keys! 🙂

And now what?

This is the end of this tutorial. There’s a lot for you to discover about how to use EJBCA, create Certificate Templates, etc.
You can use the EJBCA documentation here: https://www.ejbca.org/docs/EJBCA_User_Guide.html