msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
09e808fb85430519aaf77097273c7d02e7bcca5200b10eb46d740a4c2e3c7072
CISS.debian.installer/upgrades/secure-boot/ciss-sb-pki.cnf
Marc S. Weidner e8d69f1fa1
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m43s
Details
V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-13 20:14:15 +01:00

153 lines
6.7 KiB
INI
Raw Blame History

# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in a vault.
#
# The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the
# update message (authenticated variable) has been correctly signed by an authorized key.
# This is procedural authorization, not PKI path validation.
#
# CISS CA order, useful, but optional for UEFI
# The scheme (Root CA → PK / KEK / db-CA → db-Leaf) is excellent for governance, rotation, and offsite security.
# However, the following is sufficient for the firmware:
# PK : Self-signed, long runtime.
# KEK: List with your KEK and (recommended) Microsoft KEK so that you can continue to accept official dbx updates.
# db : At least your db-CA (or even the db-Leaf), this allows you to sign shim/GRUB/Kernel yourself.
# Optionally, add "MS UEFI CA 2011 (for MS-signed shim/Windows)", but only if you really want to.
[ new_oids ]
encryptedClearance = 2.5.4.55.2
[ ca ]
default_ca = ciss_sb
[ ciss_sb ]
dir = /root/.ciss/SB/CA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/ciss-sb-ca.key.pem
certificate = $dir/certs/ciss-sb-ca.crt.pem
default_md = sha512
default_days = 7305
unique_subject = no
email_in_dn = no
copy_extensions = copy
policy = policy_strict
[ policy_strict ]
commonName = supplied
organizationName = supplied
organizationalUnitName = supplied
countryName = supplied
stateOrProvinceName = optional
localityName = supplied
[ req ]
prompt = yes
encrypt_key = no
default_bits = 4096
default_md = sha512
string_mask = utf8only
distinguished_name = req_distinguished_name
# For CA self-signed cert:
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
commonName_max = 64
organizationName = Organization Name
organizationName_max = 64
organizationalUnitName = Organizational Unit Name
organizationalUnitName_max = 64
countryName = Country Name (ISO 3166-1 alpha-2 (2 letter code))
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province or Canton (ISO 3166-2 (2 letter code))
stateOrProvinceName_min = 2
stateOrProvinceName_max = 64
localityName = Locality e.g., City
localityName_max = 64
organizationIdentifier = ID provided by Registration Authority e.g. Court, ECB, NTR
organizationIdentifier_max = 64
clearance = Clearance
clearance_max = 64
serialNumber = QSCD Serial Number
serialNumber_max = 64
############################### = 1234567890123456789012345678901234567890123456789012345678901234
commonName_default = CISS Secure Boot Root CA 2025 RSA 4096
organizationName_default = Centurion Intelligence Consulting Agency
organizationalUnitName_default = CISO
organizationIdentifier_default = VATPT-307086887
countryName_default = PT
stateOrProvinceName_default = Distrito de Lisboa
localityName_default = Lisboa
generationQualifier_default = xFF00
uniqueIdentifier_default = BEDF772DB22A3EF24B432A7DDB34DA9C
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
authorityInfoAccess = @ciss_sb_pki
certificatePolicies = 2.5.29.32.0, @ciss_sb_policy
nsComment = "CISS Secure Boot Root CA 2025 RSA 4096"
[ v3_pk ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
authorityInfoAccess = @ciss_sb_pki
certificatePolicies = @ciss_sb_policy
crlDistributionPoints = @ciss_sb_root_crl
nsComment = "UEFI Platform Key (PK), RSA-3072, SHA-384"
[ v3_kek ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = @ciss_sb_pki
certificatePolicies = @ciss_sb_policy
crlDistributionPoints = @ciss_sb_root_crl
nsComment = "UEFI Key-Exchange Key (KEK), RSA-3072, SHA-384"
[ v3_db_CA ]
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = @ciss_sb_pki
certificatePolicies = @ciss_sb_policy
crlDistributionPoints = @ciss_sb_root_crl
nsComment = "UEFI db Trust Anchor (CA) for Image code-signers"
[ ciss_sb_pki ]
caIssuers;URI.0 = https://ca.quantumsign.eu/
[ ciss_sb_policy ]
policyIdentifier = 1.3.6.1.4.1.59634.100.100.100.100
CPS.0 = "https://policy.quantumsign.eu/"
[ ciss_sb_root_crl ]
fullname = URI:https://crl.quantumign.eu/
reasons = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
Reference in New Issue View Git Blame Copy Permalink