Closed mmaymann closed 1 year ago
Hi! I'm on the Smallstep team. Thanks for opening an issue.
Could you please elaborate on your use case, and the functionality you think step-ca would need to meet it?
I believe it's possible to use step-ca to issue EAP-TLS certificates for Linux, with TPM-stored private keys, by using step-kms-plugin and wpa_supplicant's PKCS 11 support + TPM2 tools.
But, your particular application sounds a bit more involved.
Hi Carl, Thanks for your reply :)
The functionality I wish to achieve is remote device attestation (2.):
I have given my GoldenPath version of an XIoT Zero-Conf|Trust|Touch target architecture directly from network devices. Suggestions/enhancements would be highly appreciated :)
Thanks in advance :)
Our software can support leveraging TPM attestation certificates as part of a PKI strategy that requires strong device identity. If you need EAP-TLS X.509 client certificates that identify a device to the network, you may want to set up a Smallstep CA that devices can enroll with.
If I'm understanding correctly, it sounds like you're also looking for remote boot attestation and integrity monitoring features, which is not really our sweet spot. For that, I think you will need signed TPM PCR quotes to attest some of the things you want to know about a system's state. Keylime may be a better fit for that component. I haven't looked closely at it in a while, but I think it can help you get remote attestations that the system is in a good runtime state.
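To illustrate what the PCR-quote verification mentioned above involves on the verifier side, here is an added example that is not code from this thread, from Smallstep or from Keylime. It replays a constructed measured-boot event log into SHA-256 PCR values, recomputes the pcrDigest that TPM2_Quote covers, checks the verifier's nonce, and compares the result with golden values; `make_quote` is a hypothetical stand-in for the device's quote, and signature verification against the enrolled attestation key is assumed to have been done already.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

PCR_COUNT = 24
ZERO_PCR = bytes(32)  # SHA-256 bank PCRs are all zeros after reset

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on the SHA-256 bank: PCR' = SHA-256(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_event_log(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute PCR values from (pcr_index, measured_bytes) events, as a verifier does with a boot log."""
    pcrs = {i: ZERO_PCR for i in range(PCR_COUNT)}
    for index, data in events:
        pcrs[index] = pcr_extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs

def pcr_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """pcrDigest as TPM2_Quote forms it: SHA-256 over the selected PCRs, concatenated in ascending order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(set(selection)))).digest()

def make_quote(pcrs: Dict[int, bytes], selection: Iterable[int], nonce: bytes) -> dict:
    """Hypothetical: the attested fields of a device's quote (signature omitted, see lead-in)."""
    return {"pcrSelect": sorted(set(selection)), "pcrDigest": pcr_digest(pcrs, selection), "extraData": nonce}

def verify_quote(quote: dict, nonce: bytes, event_log, golden: Dict[int, bytes]) -> Tuple[bool, List[str]]:
    """Verifier side; assumes the quote signature was already checked against the device's enrolled AK."""
    problems: List[str] = []
    if quote["extraData"] != nonce:
        problems.append("extraData does not match the verifier's nonce (stale or replayed quote)")
    replayed = replay_event_log(event_log)
    if pcr_digest(replayed, quote["pcrSelect"]) != quote["pcrDigest"]:
        problems.append("event log does not reproduce the quoted pcrDigest (log tampered or truncated)")
    for idx in quote["pcrSelect"]:
        if idx in golden and replayed[idx] != golden[idx]:
            problems.append(f"PCR {idx} differs from the golden value")
    return not problems, problems

# Constructed sample: a tiny measured-boot log and the golden state derived from it.
SAMPLE_LOG = [(0, b"firmware-v1.2"), (7, b"secure-boot-db"), (7, b"shim-signed")]
GOLDEN = {i: v for i, v in replay_event_log(SAMPLE_LOG).items() if i in (0, 7)}
NONCE = hashlib.sha256(b"verifier challenge 1").digest()
```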
Hi Carl, Thanks again for your reply :) It seems TPM PCR is the thing I need to query, maybe using Spiffe/Spire? I have created a ticket for them: https://github.com/spiffe/spire/issues/4281
Thanks for your help :)
TPM 802.1x EAP-TLS X.509:
https://github.com/sonic-net/SONiC/issues/1362