Skip to content

waggle-sensor/beekeeper-key-tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
.github/workflows
.github/workflows
 
 
ROOTFS/usr/bin
ROOTFS/usr/bin
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
unit-test.sh
unit-test.sh
 
 

Repository files navigation

Beekeeper Keys and Certificate Tools

This repository contains the tools used to create the keys and certificates used to establish secure communication channels between the nodes and the Beekeeper services.

The tools are executed through the waggle/beekeeper-key-tools docker container.

Initializing the Beekeeper Keys

The create-init-keys.sh script creates all the keys and certificates needed for Beekeeper / node registration process, including keys to enable admin access to both the Beekeeper and nodes.

Usage:

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-init-keys.sh

For details on script arguments:

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-init-keys.sh -?

The following keys/certs are created:

Beekeeper admin ssh key-pair [bk-admin-ssh-key]

This is the key-pair that is used by Beekeeper administrators to SSH to the Beekeeper service instance. This key is used during the reverse ssh (rssh) access chain to a node.

  • private key: needed by system administators requiring privileged Beekeeper access
  • public key: saved into the Beekeeper sshd instance authorized_keys file

Node ssh key-pair [node-ssh-key]

This is the key-pair used by system administrators to ssh to the nodes. This key is used during the reverse ssh (rssh) access chain to a node.

  • private key: needed by system administrators requiring privileged node access
  • public key: saved into the node's root user authorized_keys file

Beekeeper server key-pair and certificate [bk-server-key]

This is the Beekeeper key-pair and certificate that is saved to the Beeekeeper service instance. This CA signed certificate is used during the node's ssh connection to verify that the Beekeeper is the trusted server.

  • private key & certificate: saved into the Beekeeper sshd instance as the servers HostKey and HostCertificate

Beekeeper certificate authority key-pair [bk-ca]

This is the main Beekeeper certificate authority files used in the creation of certificates (i.e. node registration certificate).

  • private key: kept secret and used for future certificate creation (i.e. not registration certificates)
  • public key: save into the Beekeeper sshd instance as the servers TrustedUserCAKeys and into the node's /etc/ssh/ssh_known_hosts file

Node registration keys [node-registration-key]

This is the key-pair used by the node's upon registration to the Beekeeper.

Note: successful registration requires a node certificate.

Creating a Node Registration Certificate

The create-key-cert.sh script is used to create node registration certificates (signed by the Beekeeper certificate authority).

At a minimum the certification script requires the name of the "Beehive" the node is to be assigned to after registration.

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-key-cert.sh -b <beehive name>

Additional parameters can be specified such as the certificates "validity" time (see: 'validity_interval'). This example has the certificate valid for 1 day from the time it is created.

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-key-cert.sh -b <beehive_name> -e +1D

For details on other script arguments:

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-key-cert.sh -?

This will produce a folder (via the -o option) that contains 3 files

  • private registration key
  • public registration key
  • registration certificate

Note: the private and public registration key will be copied if the -k option is provided, otherwise created as a new key-pair.

Examples

Creating a CA with no password in a specific directory

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-init-keys.sh -o mydir -p
[NAISE-MAC07.localdomain] ~/workspace/waggle-sensor/beekeeper-key-tools$ ls mydir/
bk-admin-ssh-key	bk-ca			bk-server-key		node-registration-key	node-ssh-key

Create a new registration key-pair and certificate that expires in 1 week

The following command will generate a new registration key-pair and certificate (in the folder ./mydir-newreg) that expires in 1 week for the beehive-joe Beehive using the Beekeeper certificate authority (found in ./beekeeper-keys/bk-ca/beekeeper_ca_key)

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-key-cert.sh -b beehive-joe -e +1W -c beekeeper-keys/bk-ca/beekeeper_ca_key -o mydir-newreg
[NAISE-MAC07.localdomain] ~/workspace/waggle-sensor/beekeeper-key-tools$ ls mydir-newreg
sage_registration		sage_registration-cert.pub	sage_registration.pub
[NAISE-MAC07.localdomain] ~/workspace/waggle-sensor/beekeeper-key-tools$ ssh-keygen -L -f mydir-newreg/sage_registration-cert.pub
mydir-newreg/sage_registration-cert.pub:
        Type: [email protected] user certificate
        Public key: ED25519-CERT SHA256:cKEpwrxGKz35/gxyR67gi4PxoQpUvtbl6H1XgfuE8eI
        Signing CA: ED25519 SHA256:WagIaLh5GBstGJe3DSdXFA0NoCFwkcM6bUIvi/MxGTk (using ssh-ed25519)
        Key ID: "sage_registration"
        Serial: 0
        Valid: from 2022-07-20T23:31:00 to 2022-07-27T23:32:42
        Principals:
                sage_registration
        Critical Options:
                force-command /opt/sage/beekeeper/register/register.sh -b beehive-joe
        Extensions: (none)

Creating a registration certificate that expires in 1 day

The following command will generate a certificate (in the folder ./mydir-reg) for the registration keys (./mydir/node-registration-key/registration.pub) that expires in 1 day for the beehive-joe Beehive using the Beekeeper certificate authority (found in ./mydir/bk-ca/beekeeper_ca_key)

docker run --rm -it \
  -v ${PWD}:/workdir:rw \
  waggle/beekeeper-key-tools:latest \
  create-key-cert.sh -b beehive-joe -e +1D -c mydir/bk-ca/beekeeper_ca_key -k mydir/node-registration-key/registration.pub -o mydir-reg

Note: the above command uses the node registration key from the ./create-init-keys.sh script

[NAISE-MAC07.localdomain] ~/workspace/waggle-sensor/beekeeper-key-tools$ ls mydir-reg/
registration		registration-cert.pub	registration.pub
[NAISE-MAC07.localdomain] ~/workspace/waggle-sensor/beekeeper-key-tools$ ssh-keygen -L -f mydir-reg/registration-cert.pub
mydir-reg/registration-cert.pub:
        Type: [email protected] user certificate
        Public key: ED25519-CERT SHA256:/qrVNtRxYHYIjbvPgVK908R07XwOczjqtenB9wR3vDk
        Signing CA: ED25519 SHA256:25fS21u2zlr7JDI95CzmNsXdONZaBDVjFEhD6kWQ+qQ (using ssh-ed25519)
        Key ID: "sage_registration"
        Serial: 0
        Valid: from 2022-07-20T19:14:00 to 2022-07-21T19:15:41
        Principals:
                sage_registration
        Critical Options:
                force-command /opt/sage/beekeeper/register/register.sh -b beehive-joe
        Extensions: (none)

About

Houses the tools to create the beekeeper certificate authority keys, node registration keys, etc.

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

4 watching

Forks

0 forks
Report repository

Releases 2

Release 1.1.0 Latest
Jul 21, 2022
+ 1 release

Packages

 
 
 

Contributors

Languages