github.com/letsencrypt/boulder@v0.20251208.0/cmd/ceremony/README.md (about) 1 # `ceremony` 2 3 ```sh 4 ceremony --config path/to/config.yml 5 ``` 6 7 `ceremony` is a tool designed for Certificate Authority specific key and certificate ceremonies. The main design principle is that unlike most ceremony tooling there is a single user input, a configuration file, which is required to complete a root, intermediate, or key ceremony. The goal is to make ceremonies as simple as possible and allow for simple verification of a single file, instead of verification of a large number of independent commands. 8 9 `ceremony` has these modes: 10 11 - `root`: generates a signing key on HSM and creates a self-signed root certificate that uses the generated key, outputting a PEM public key, and a PEM certificate. After generating such a root for public trust purposes, it should be submitted to [as many root programs as is possible/practical](https://github.com/daknob/root-programs). 12 - `intermediate`: creates a intermediate certificate and signs it using a signing key already on a HSM, outputting a PEM certificate 13 - `cross-csr`: creates a CSR for signing by a third party, outputting a PEM CSR. 14 - `cross-certificate`: issues a certificate for one root, signed by another root. This is distinct from an intermediate because there is no path length constraint and there are no EKUs. 15 - `key`: generates a signing key on HSM, outputting a PEM public key 16 - `crl`: creates a CRL with the IDP extension and `onlyContainsCACerts = true` from the provided profile and signs it using a signing key already on a HSM, outputting a PEM CRL 17 18 These modes are set in the `ceremony-type` field of the configuration file. 19 20 This tool always generates key pairs such that the public and private key are both stored on the device with the same label. Ceremony types that use a key on a device ask for a "signing key label". During setup this label is used to find the public key of a keypair. Once the public key is loaded, the private key is looked up by CKA\_ID. 21 22 ## Configuration format 23 24 `ceremony` uses YAML for its configuration file, mainly as it allows for commenting. Each ceremony type has a different set of configuration fields. 25 26 ### Root ceremony 27 28 - `ceremony-type`: string describing the ceremony type, `root`. 29 - `pkcs11`: object containing PKCS#11 related fields. 30 31 | Field | Description | 32 | --- | --- | 33 | `module` | Path to the PKCS#11 module to use to communicate with a HSM. | 34 | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. | 35 | `store-key-in-slot` | Specifies which HSM object slot the generated signing key should be stored in. | 36 | `store-key-with-label` | Specifies the HSM object label for the generated signing key. Both public and private key objects are stored with this label. | 37 38 - `key`: object containing key generation related fields. 39 40 | Field | Description | 41 | --- | --- | 42 | `type` | Specifies the type of key to be generated, either `rsa` or `ecdsa`. If `rsa` the generated key will have an exponent of 65537 and a modulus length specified by `rsa-mod-length`. If `ecdsa` the curve is specified by `ecdsa-curve`. | 43 | `ecdsa-curve` | Specifies the ECDSA curve to use when generating key, either `P-256`, `P-384`, or `P-521`. | 44 | `rsa-mod-length` | Specifies the length of the RSA modulus, either `2048` or `4096`. | 45 46 - `outputs`: object containing paths to write outputs. 47 48 | Field | Description | 49 | --- | --- | 50 | `public-key-path` | Path to store generated PEM public key. | 51 | `certificate-path` | Path to store signed PEM certificate. | 52 53 - `certificate-profile`: object containing profile for certificate to generate. Fields are documented [below](#certificate-profile-format). 54 55 Example: 56 57 ```yaml 58 ceremony-type: root 59 pkcs11: 60 module: /usr/lib/opensc-pkcs11.so 61 store-key-in-slot: 0 62 store-key-with-label: root signing key 63 key: 64 type: ecdsa 65 ecdsa-curve: P-384 66 outputs: 67 public-key-path: /home/user/root-signing-pub.pem 68 certificate-path: /home/user/root-cert.pem 69 certificate-profile: 70 signature-algorithm: ECDSAWithSHA384 71 common-name: CA intermediate 72 organization: good guys 73 country: US 74 not-before: 2020-01-01 12:00:00 75 not-after: 2040-01-01 12:00:00 76 key-usages: 77 - Cert Sign 78 - CRL Sign 79 ``` 80 81 This config generates a ECDSA P-384 key in the HSM with the object label `root signing key` and uses this key to sign a self-signed certificate. The public key for the key generated is written to `/home/user/root-signing-pub.pem` and the certificate is written to `/home/user/root-cert.pem`. 82 83 ### Intermediate ceremony 84 85 - `ceremony-type`: string describing the ceremony type, `intermediate`. 86 - `pkcs11`: object containing PKCS#11 related fields. 87 88 | Field | Description | 89 | --- | --- | 90 | `module` | Path to the PKCS#11 module to use to communicate with a HSM. | 91 | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. | 92 | `signing-key-slot` | Specifies which HSM object slot the signing key is in. | 93 | `signing-key-label` | Specifies the HSM object label for the signing keypair's public key. | 94 95 - `inputs`: object containing paths for inputs 96 97 | Field | Description | 98 | --- | --- | 99 | `issuer-certificate-path` | Path to PEM issuer certificate. | 100 | `public-key-path` | Path to PEM subject public key for certificate. | 101 102 - `outputs`: object containing paths to write outputs. 103 104 | Field | Description | 105 | --- | --- | 106 | `certificate-path` | Path to store signed PEM certificate. | 107 108 - `certificate-profile`: object containing profile for certificate to generate. Fields are documented [below](#certificate-profile-format). 109 110 Example: 111 112 ```yaml 113 ceremony-type: intermediate 114 pkcs11: 115 module: /usr/lib/opensc-pkcs11.so 116 signing-key-slot: 0 117 signing-key-label: root signing key 118 inputs: 119 issuer-certificate-path: /home/user/root-cert.pem 120 public-key-path: /home/user/intermediate-signing-pub.pem 121 outputs: 122 certificate-path: /home/user/intermediate-cert.pem 123 certificate-profile: 124 signature-algorithm: ECDSAWithSHA384 125 common-name: CA root 126 organization: good guys 127 country: US 128 not-before: 2020-01-01 12:00:00 129 not-after: 2040-01-01 12:00:00 130 crl-url: http://good-guys.com/crl 131 issuer-url: http://good-guys.com/root 132 policies: 133 - oid: 1.2.3 134 - oid: 4.5.6 135 key-usages: 136 - Digital Signature 137 - Cert Sign 138 - CRL Sign 139 ``` 140 141 This config generates an intermediate certificate signed by a key in the HSM, identified by the object label `root signing key` and the object ID `ffff`. The subject key used is taken from `/home/user/intermediate-signing-pub.pem` and the issuer is `/home/user/root-cert.pem`, the resulting certificate is written to `/home/user/intermediate-cert.pem`. 142 143 Note: Intermediate certificates always include the extended key usages id-kp-serverAuth as required by 7.1.2.2.g of the CABF Baseline Requirements. 144 145 ### Cross-Certificate ceremony 146 147 - `ceremony-type`: string describing the ceremony type, `cross-certificate`. 148 - `pkcs11`: object containing PKCS#11 related fields. 149 150 | Field | Description | 151 | --- | --- | 152 | `module` | Path to the PKCS#11 module to use to communicate with a HSM. | 153 | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. | 154 | `signing-key-slot` | Specifies which HSM object slot the signing key is in. | 155 | `signing-key-label` | Specifies the HSM object label for the signing keypair's public key. | 156 157 - `inputs`: object containing paths for inputs 158 159 | Field | Description | 160 | --- | --- | 161 | `issuer-certificate-path` | Path to PEM issuer certificate. | 162 | `public-key-path` | Path to PEM subject public key for certificate. | 163 | `certificate-to-cross-sign-path` | Path to PEM self-signed certificate that this ceremony is a cross-sign of. | 164 165 - `outputs`: object containing paths to write outputs. 166 167 | Field | Description | 168 | --- | --- | 169 | `certificate-path` | Path to store signed PEM certificate. | 170 171 - `certificate-profile`: object containing profile for certificate to generate. Fields are documented [below](#certificate-profile-format). 172 173 Example: 174 175 ```yaml 176 ceremony-type: cross-certificate 177 pkcs11: 178 module: /usr/lib/opensc-pkcs11.so 179 signing-key-slot: 0 180 signing-key-label: root signing key 181 inputs: 182 issuer-certificate-path: /home/user/root-cert.pem 183 public-key-path: /home/user/root-signing-pub-2.pem 184 certificate-to-cross-sign-path: /home/user/root-cert-2.pem 185 outputs: 186 certificate-path: /home/user/root-cert-2-cross.pem 187 certificate-profile: 188 signature-algorithm: ECDSAWithSHA384 189 common-name: CA root 2 190 organization: good guys 191 country: US 192 not-before: 2020-01-01 12:00:00 193 not-after: 2040-01-01 12:00:00 194 crl-url: http://good-guys.com/crl 195 issuer-url: http://good-guys.com/root 196 policies: 197 - oid: 1.2.3 198 - oid: 4.5.6 199 key-usages: 200 - Digital Signature 201 - Cert Sign 202 - CRL Sign 203 ``` 204 205 This config generates a cross-sign of the already-created "CA root 2", issued from the similarly-already-created "CA root". The subject key used is taken from `/home/user/root-signing-pub-2.pem`. The EKUs and Subject Key Identifier are taken from `/home/user/root-cert-2-cross.pem`. The issuer is `/home/user/root-cert.pem`, and the Issuer and Authority Key Identifier fields are taken from that cert. The resulting certificate is written to `/home/user/root-cert-2-cross.pem`. 206 207 ### Cross-CSR ceremony 208 209 - `ceremony-type`: string describing the ceremony type, `cross-csr`. 210 - `pkcs11`: object containing PKCS#11 related fields. 211 212 | Field | Description | 213 | --- | --- | 214 | `module` | Path to the PKCS#11 module to use to communicate with a HSM. | 215 | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. | 216 | `signing-key-slot` | Specifies which HSM object slot the signing key is in. | 217 | `signing-key-label` | Specifies the HSM object label for the signing keypair's public key. | 218 219 - `inputs`: object containing paths for inputs 220 221 | Field | Description | 222 | --- | --- | 223 | `public-key-path` | Path to PEM subject public key for certificate. | 224 225 - `outputs`: object containing paths to write outputs. 226 227 | Field | Description | 228 | --- | --- | 229 | `csr-path` | Path to store PEM CSR for cross-signing, optional. | 230 231 - `certificate-profile`: object containing profile for certificate to generate. Fields are documented [below](#certificate-profile-format). Should only include Subject related fields `common-name`, `organization`, `country`. 232 233 Example: 234 235 ```yaml 236 ceremony-type: cross-csr 237 pkcs11: 238 module: /usr/lib/opensc-pkcs11.so 239 signing-key-slot: 0 240 signing-key-label: intermediate signing key 241 inputs: 242 public-key-path: /home/user/intermediate-signing-pub.pem 243 outputs: 244 csr-path: /home/user/csr.pem 245 certificate-profile: 246 common-name: CA root 247 organization: good guys 248 country: US 249 ``` 250 251 This config generates a CSR signed by a key in the HSM, identified by the object label `intermediate signing key`, and writes it to `/home/user/csr.pem`. 252 253 ### Key ceremony 254 255 - `ceremony-type`: string describing the ceremony type, `key`. 256 - `pkcs11`: object containing PKCS#11 related fields. 257 258 | Field | Description | 259 | --- | --- | 260 | `module` | Path to the PKCS#11 module to use to communicate with a HSM. | 261 | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. | 262 | `store-key-in-slot` | Specifies which HSM object slot the generated signing key should be stored in. | 263 | `store-key-with-label` | Specifies the HSM object label for the generated signing key. Both public and private key objects are stored with this label. | 264 265 - `key`: object containing key generation related fields. 266 267 | Field | Description | 268 | --- | --- | 269 | `type` | Specifies the type of key to be generated, either `rsa` or `ecdsa`. If `rsa` the generated key will have an exponent of 65537 and a modulus length specified by `rsa-mod-length`. If `ecdsa` the curve is specified by `ecdsa-curve`. | 270 | `ecdsa-curve` | Specifies the ECDSA curve to use when generating key, either `P-256`, `P-384`, or `P-521`. | 271 | `rsa-mod-length` | Specifies the length of the RSA modulus, either `2048` or `4096`. | 272 273 - `outputs`: object containing paths to write outputs. 274 275 | Field | Description | 276 | --- | --- | 277 | `public-key-path` | Path to store generated PEM public key. | 278 279 Example: 280 281 ```yaml 282 ceremony-type: key 283 pkcs11: 284 module: /usr/lib/opensc-pkcs11.so 285 store-key-in-slot: 0 286 store-key-with-label: intermediate signing key 287 key: 288 type: ecdsa 289 ecdsa-curve: P-384 290 outputs: 291 public-key-path: /home/user/intermediate-signing-pub.pem 292 ``` 293 294 This config generates an ECDSA P-384 key in the HSM with the object label `intermediate signing key`. The public key is written to `/home/user/intermediate-signing-pub.pem`. 295 296 ### CRL ceremony 297 298 - `ceremony-type`: string describing the ceremony type, `crl`. 299 - `pkcs11`: object containing PKCS#11 related fields. 300 301 | Field | Description | 302 | --- | --- | 303 | `module` | Path to the PKCS#11 module to use to communicate with a HSM. | 304 | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. | 305 | `signing-key-slot` | Specifies which HSM object slot the signing key is in. | 306 | `signing-key-label` | Specifies the HSM object label for the signing keypair's public key. | 307 308 - `inputs`: object containing paths for inputs 309 310 | Field | Description | 311 | --- | --- | 312 | `issuer-certificate-path` | Path to PEM issuer certificate. | 313 314 - `outputs`: object containing paths to write outputs. 315 316 | Field | Description | 317 | --- | --- | 318 | `crl-path` | Path to store signed PEM CRL. | 319 320 - `crl-profile`: object containing profile for the CRL. 321 322 | Field | Description | 323 | --- | --- | 324 | `this-update` | Specifies the CRL thisUpdate date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. | 325 | `next-update` | Specifies the CRL nextUpdate date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. | 326 | `number` | Specifies the CRL number. Each CRL should have a unique monotonically increasing number. | 327 | `revoked-certificates` | Specifies any revoked certificates that should be included in the CRL. May be empty. If present it should be a list of objects with the fields `certificate-path`, containing the path to the revoked certificate, `revocation-date`, containing the date the certificate was revoked, in the format `2006-01-02 15:04:05`, and `revocation-reason`, containing a non-zero CRLReason code for the revocation taken from RFC 5280. | 328 329 Example: 330 331 ```yaml 332 ceremony-type: crl 333 pkcs11: 334 module: /usr/lib/opensc-pkcs11.so 335 signing-key-slot: 0 336 signing-key-label: root signing key 337 inputs: 338 issuer-certificate-path: /home/user/root-cert.pem 339 outputs: 340 crl-path: /home/user/crl.pem 341 crl-profile: 342 this-update: 2020-01-01 12:00:00 343 next-update: 2021-01-01 12:00:00 344 number: 80 345 revoked-certificates: 346 - certificate-path: /home/user/revoked-cert.pem 347 revocation-date: 2019-12-31 12:00:00 348 ``` 349 350 This config generates a CRL that must only contain subordinate CA certificates signed by a key in the HSM, identified by the object label `root signing key` and object ID `ffff`. The CRL will have the number `80` and will contain revocation information for the certificate `/home/user/revoked-cert.pem`. Each of the revoked certificates provided are checked to ensure they have the `IsCA` flag set to `true`. 351 352 ### Certificate profile format 353 354 The certificate profile defines a restricted set of fields that are used to generate root and intermediate certificates. 355 356 | Field | Description | 357 | --- | --- | 358 | `signature-algorithm` | Specifies the signing algorithm to use, one of `SHA256WithRSA`, `SHA384WithRSA`, `SHA512WithRSA`, `ECDSAWithSHA256`, `ECDSAWithSHA384`, `ECDSAWithSHA512` | 359 | `common-name` | Specifies the subject commonName | 360 | `organization` | Specifies the subject organization | 361 | `country` | Specifies the subject country | 362 | `not-before` | Specifies the certificate notBefore date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. | 363 | `not-after` | Specifies the certificate notAfter date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. | 364 | `crl-url` | Specifies the cRLDistributionPoints URL | 365 | `issuer-url` | Specifies the AIA caIssuer URL | 366 | `policies` | Specifies contents of a certificatePolicies extension. Should contain a list of policies with the field `oid`, indicating the policy OID. | 367 | `key-usages` | Specifies list of key usage bits should be set, list can contain `Digital Signature`, `CRL Sign`, and `Cert Sign` |