PKI

So asn2net is a member-owned and member-operated carrier. It runs a number of services for the network participants (members): things like DNS, IPAM, VoIP, Active Directory, etc.

We are now in the process of standing up a global PKI infrastructure, to ensure all of those services are as secure as possible. This post documents our implementation research so far.

Key components:

HSM (attached to the offline root CA):

  • https://shop.nitrokey.com/shop/product/nitrokey-hsm-7
  • http://random-notes-of-a-sysadmin.blogspot.be/2016/04/is-raspberry-pi-suitable-and-safe-to.html
  • http://random-notes-of-a-sysadmin.blogspot.com/2016/06/howto-setup-fips-compliant-root.html
  • https://robpol86.com/root_certificate_authority.html
  • http://serverfault.com/questions/180085/can-ms-certificate-services-be-a-subordinate-to-ca-created-with-openssl
  • https://learn.adafruit.com/biometric-security-box?view=all (to store the CA/HSM inside)
  • https://jamielinux.com/docs/openssl-certificate-authority/index.htm

As usual with free software, you need to consult a number of sources to get everything you need. The above guides do work (as confirmed in our integration/test/pre-production environment). We’ve not yet built the biometric box, so we can’t validate that. However, we’ve had great success with Adafruit as a vendor over at Suborbital-Systems.net, so we don’t anticipate any issues in production.

OK, so you’ve got the root CA built, with its key stored in the HSM. Now you need an online intermediate CA. This breaks into two systems for us:

  1. Windows Server 2012 R2 running Certificate Services configured for Suite B, with an attached Nitrokey HSM to hold the private keys. This is secured to an incredibly high level (digitally and physically). We will do separate posts on those aspects, as well as publish audit reports, etc. It is configured to best practices per:
    • http://security.stackexchange.com/questions/15532/checklist-on-building-an-offline-root-intermediate-certificate-authority-ca
    • https://blogs.technet.microsoft.com/nextnextfinish/2015/03/16/suite-b-public-key-infrastructure-part-i/
    • https://blogs.technet.microsoft.com/nextnextfinish/2015/06/05/suite-b-public-key-infrastructure-part-iii
  2. Cloudflare PKI (this is what we would expose to network participants). The Windows box will be firewalled to only accept CA requests from these systems. We need a very large number of CAs (2 for each line of business, plus various sets to implement the requirements of Commercial Solutions for Classified). Love or hate the NSA, the Information Assurance Directorate puts out some excellent security guides (especially when combined with the DISA STIGs, http://iase.disa.mil/stigs/Pages/index.aspx). These are secured as best we can. We’ll do a separate post and release this implementation on GitHub/Docker Hub. We’ve had great success in our ITG environment and look forward to moving to production.
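The two-tier layout described above (offline root, online intermediate issuing certificates to member services), as an added Go example that is not part of the original post and not asn2net's code: it builds the hierarchy in memory with Go's standard crypto/x509 using P-384 keys (the Suite B curve), then shows that a service certificate issued by the intermediate verifies against the root, while a certificate issued under an unauthorised sub-CA is rejected because the intermediate carries a path-length constraint of 0. All CA names and hostnames are constructed, and keys live in memory rather than an HSM.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a P-384 key (Go signs P-384 certs with SHA-384) and a cert for cn signed by parentKey,
// or self-signed when parent is nil. pathLen < 0: end-entity cert; else a CA allowed pathLen sub-CA levels.
func issue(cn string, serial int64, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if pathLen >= 0 {
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil {
		parent, parentKey = t, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}
// Demo builds offline root (pathlen 1) -> online issuing CA (pathlen 0) -> service cert, plus a
// sub-CA the issuing CA should never have signed; it returns each leaf's chain-verification result.
func Demo() (viaIssuingCA, viaSubCA error) {
	root, rootKey := issue("asn2net Offline Root CA (constructed)", 1, 1, nil, nil)
	inter, interKey := issue("asn2net Online Issuing CA (constructed)", 2, 0, root, rootKey)
	leaf, _ := issue("dns.members.example", 3, -1, inter, interKey)
	subCA, subKey := issue("Mis-issued Sub-CA (constructed)", 4, 0, inter, interKey)
	subLeaf, _ := issue("svc.members.example", 5, -1, subCA, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	inters.AddCert(subCA)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters}
	_, viaIssuingCA = leaf.Verify(opts) // nil: root -> issuing CA -> leaf is a valid chain
	_, viaSubCA = subLeaf.Verify(opts)  // error: pathlen 0 on the issuing CA forbids any sub-CA below it
	return
}
func main() { fmt.Println(Demo()) }
```

The same constraint is what you want the offline root to impose on the online intermediate in production, so that a compromised issuing CA cannot quietly mint further CAs under itself.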

Our PKI infrastructure (and good chunks of asn2net infrastructure in general) has been under construction since May. We have achieved very high levels of confidence in the Confidentiality/Integrity/Availability (CIA) triad over the last several months.