# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

# Keep the corresponding ROOT CA strictly offline, off-site and air-gapped, preferably in an HSM or at least encrypted in a vault.
#
# The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the
# update message (authenticated variable) has been correctly signed by an authorized key.
# This is procedural authorization, not PKI path validation.
#
# CISS CA order: useful, but optional for UEFI.
# The scheme (Root CA → PK / KEK / db-CA → db-Leaf) is excellent for governance, rotation, and off-site security.
# However, the following is sufficient for the firmware:
# PK : Self-signed, long validity period.
# KEK: List with your KEK and (recommended) the Microsoft KEK, so that you can continue to accept official dbx updates.
# db : At least your db-CA (or even the db-Leaf); this allows you to sign shim/GRUB/Kernel yourself.
#      Optionally, add "MS UEFI CA 2011 (for MS-signed shim/Windows)", but only if you really want to.
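# OpenSSL configuration for the CISS Secure Boot CA: `openssl req` settings for
# the self-signed root and `openssl ca` settings for signing PK / KEK requests.

# Extra object identifier definition.
# NOTE(review): no `oid_section = new_oids` assignment is visible in this file,
# so this section may never be loaded - confirm.
[ new_oids ]
encryptedClearance = 2.5.4.55.2

[ ca ]
default_ca = ciss_sb

# CA working directory, database and signing defaults used by `openssl ca`.
[ ciss_sb ]
dir = /root/.ciss/SB/CA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/ciss-sb-ca.key.pem
certificate = $dir/certs/ciss-sb-ca.crt.pem
# NOTE(review): the nsComment strings in [ v3_pk ] and [ v3_kek ] say SHA-384,
# while this default signs with SHA-512 unless the digest is overridden on the
# command line - confirm which is intended.
default_md = sha512
# 7305 days is roughly 20 years; it applies to every certificate issued through
# this section unless -days is given.
default_days = 7305
# Several valid certificates may share one subject (eases key roll-over).
unique_subject = no
email_in_dn = no
# "copy" carries over every extension found in the request that the selected
# extension section does not set itself. Inspect each CSR before signing, or use
# "none" if requests never need to bring their own extensions.
copy_extensions = copy
policy = policy_strict
# No x509_extensions is set here, so the extension section for PK / KEK
# certificates presumably comes from `-extensions` on the command line - verify.

# Subject policy for `openssl ca`: "supplied" fields must be present in the
# request. Subject fields not listed here are dropped from the issued
# certificate unless -preserveDN is used.
# NOTE(review): [ req_distinguished_name ] also prompts for
# organizationIdentifier, clearance and serialNumber, none of which is listed
# here - confirm that dropping them is intended.
[ policy_strict ]
commonName = supplied
organizationName = supplied
organizationalUnitName = supplied
countryName = supplied
stateOrProvinceName = optional
localityName = supplied

[ req ]
prompt = yes
# Keys generated by `openssl req` with this file are written without a
# passphrase.
# NOTE(review): the file header asks for the CA key to be kept encrypted;
# confirm the key is protected by other means, or set this to yes.
encrypt_key = no
default_bits = 4096
default_md = sha512
string_mask = utf8only
distinguished_name = req_distinguished_name
# For CA self-signed cert:
x509_extensions = v3_ca

# Prompts, length limits and defaults for the subject name.
[ req_distinguished_name ]
commonName = Common Name
commonName_max = 64
organizationName = Organization Name
organizationName_max = 64
organizationalUnitName = Organizational Unit Name
organizationalUnitName_max = 64
countryName = Country Name (ISO 3166-1 alpha-2 (2 letter code))
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province or Canton (ISO 3166-2 (2 letter code))
stateOrProvinceName_min = 2
stateOrProvinceName_max = 64
localityName = Locality e.g., City
localityName_max = 64
organizationIdentifier = ID provided by Registration Authority e.g. Court, ECB, NTR
organizationIdentifier_max = 64
clearance = Clearance
clearance_max = 64
serialNumber = QSCD Serial Number
serialNumber_max = 64

# 64-character ruler for checking default values against the _max limits above.
############################### = 1234567890123456789012345678901234567890123456789012345678901234
commonName_default = CISS Secure Boot Root CA 2025 RSA 4096
organizationName_default = Centurion Intelligence Consulting Agency
organizationalUnitName_default = CISO
organizationIdentifier_default = VATPT-307086887
countryName_default = PT
stateOrProvinceName_default = Distrito de Lisboa
localityName_default = Lisboa
# NOTE(review): this section has no generationQualifier or uniqueIdentifier
# prompt entry, so the two defaults below appear to be unused - confirm.
generationQualifier_default = xFF00
uniqueIdentifier_default = BEDF772DB22A3EF24B432A7DDB34DA9C

# Extensions for the self-signed root CA certificate (see [ req ]).
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
authorityInfoAccess = @ciss_sb_pki
certificatePolicies = 2.5.29.32.0, @ciss_sb_policy
nsComment = "CISS Secure Boot Root CA 2025 RSA 4096"

# Extensions for the UEFI Platform Key certificate. pathlen:0 means it may sign
# end-entity certificates only, not further CAs.
[ v3_pk ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
authorityInfoAccess = @ciss_sb_pki
certificatePolicies = @ciss_sb_policy
# NOTE(review): OpenSSL's documentation shows a fullname/reasons distribution
# point section referenced by its bare name (no '@'). Check with
# `openssl x509 -noout -text` that issued certificates really carry this
# distribution point. The same applies to [ v3_kek ].
crlDistributionPoints = @ciss_sb_root_crl
# NOTE(review): [ req ] defaults to 4096-bit keys and SHA-512; confirm the key
# size and digest named here match how the PK is actually generated and signed.
nsComment = "UEFI Platform Key (PK), RSA-3072, SHA-384"

# Extensions for the UEFI Key-Exchange Key certificate.
[ v3_kek ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
# NOTE(review): [ v3_pk ] uses keyid:always here - confirm the difference is
# deliberate.
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = @ciss_sb_pki
certificatePolicies = @ciss_sb_policy
crlDistributionPoints = @ciss_sb_root_crl
nsComment = "UEFI Key-Exchange Key (KEK), RSA-3072, SHA-384"

# Authority Information Access: where the issuer certificate can be fetched.
[ ciss_sb_pki ]
caIssuers;URI.0 = https://ca.quantumsign.eu/

# Certificate policy OID and CPS pointer.
[ ciss_sb_policy ]
policyIdentifier = 1.3.6.1.4.1.59634.100.100.100.100
CPS.0 = "https://policy.quantumsign.eu/"

# CRL distribution point for certificates issued by the root.
# NOTE(review): the host was spelled crl.quantumign.eu; it is corrected here to
# the quantumsign.eu domain used by the caIssuers and CPS URLs above. Confirm
# the intended CRL host before issuing: the URL is embedded in each certificate
# that carries this extension and cannot be changed afterwards.
[ ciss_sb_root_crl ]
fullname = URI:https://crl.quantumsign.eu/
reasons = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf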