Could it be possible to manage and use nebula CA in a yubikey or canokey?

[onlookor]

As title.
May I export my nebula CA key, save it in a yubikey or canokey's PIV slot, and then sign nebula host certs with the hardware?

[johnmaguire]

Hi @onlookor - thanks for asking. PR #1153 recently merged which added support for Yubikeys storing Nebula private keys. The original PR supported private keys for hosts but it looks like @numinit added support for CAs as well.

I have only tested the host key portion, and there are instructions for that in the discussion thread of the PR. From those instructions and the code, you may be able to piece together how to get this working for CAs. Please share some instructions if you do! Alternatively @numinit might be able to provide some guidance.

A couple caveats:

• PKCS11 support is still considered experimental
• The latest released version of Nebula (v1.9.3) does not include support for PKCS11
• PKCS11 support requires enabling CGO, which we disable in builds by default. This means you will need to build Nebula from source in order to use PKCS11 today. If you clone the repo, the Make command for a PKCS11 build is make bin-pkcs11.

[numinit]

The answer is an emphatic yes :-)

Example is in the tests for nixpkcs, starting here:

https://github.com/numinit/nixpkcs/blob/master/nixos/tests/nebula.nix#L239

      # Charlie is the root of trust.
      charlie.succeed('nebula-cert ca -curve P256 -name charlie -ips 10.32.0.0/16 -pkcs11 "$(</etc/nebula/charlie.key)" -out-crt /etc/nebula/charlie.crt')

      # Sign Alice and Bob's certs.
      for idx, machine in enumerate((alice, bob)):
        machine.succeed(
          'nebula-cert keygen -curve P256 -pkcs11 "$(</etc/nebula/{0}.key)" -out-pub /etc/nebula/{0}.pub'.format(machine.name),
          'scp ${sshOpts} /etc/nebula/{0}.pub [email protected]:/etc/nebula/{0}.pub'.format(machine.name)
        )
        charlie.succeed(
          'nebula-cert sign -ca-crt /etc/nebula/charlie.crt -in-pub /etc/nebula/{0}.pub -out-crt /etc/nebula/{0}.crt -name {0} -pkcs11 "$(</etc/nebula/charlie.key)" -ip 10.32.0.{1}/16'.format(machine.name, idx + 1)
        )

Where do the PKCS#11 URIs come from? Well, you could generate them automatically, like nixpkcs does, or assemble them manually.

pkcs11:id=%00;object=alice;slot-id=2;token=NSS%20Certificate%20DB;type=private?module-path=%2Fnix%2Fstore%2Fmzhfvaiq5nag315nar4hf5fs62dpibss-nss-3.104%2Flib%2Flibsoftokn3.so&pin-source=file%3A%2Fetc%2Fuser.pin is one example. Here's a nix function that can make one.