A New Kind of Root CA For Code Signing
Fulcio is a free root CA for code signing certificates, issuing certificates based on an OIDC email address.
Fulcio only signs short-lived certificates that are valid for under 20 minutes.
Fulcio is a work in progress!
We're currently working hard on cutting a 1.0 release and productionizing the public instance. We don't have a date yet, but follow along on the GitHub project.
The fulcio root certificate running on our public instance (https://fulcio.sigstore.dev) can be obtained and verified against Sigstore's root (at the sigstore/root-signing repository). To do this, install and use go-tuf's CLI tools:
$ go get github.com/theupdateframework/go-tuf/cmd/tuf
$ go get github.com/theupdateframework/go-tuf/cmd/tuf-client
Then, obtain the trusted root keys for Sigstore. This can be done from a checkout of the Sigstore root signing repository at a trusted commit (e.g. after the livestreamed root signing ceremony).
$ git clone https://github.com/sigstore/root-signing
$ cd root-signing && git checkout 193343461a4d365ac517b5d668e01fbaddd4eba5
$ tuf -d ceremony/2021-06-18/ root-keys > sigstore-root.json
Initialize the TUF client with the previously obtained root keys and get the current Fulcio root certificate, fulcio_v1.crt.pem.
$ tuf-client init https://raw.githubusercontent.com/sigstore/root-signing/main/repository/repository/ sigstore-root.json
$ tuf-client get https://raw.githubusercontent.com/sigstore/root-signing/main/repository/repository/ fulcio_v1.crt.pem
We WILL change this and add intermediaries in the future.
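Once fulcio_v1.crt.pem is in hand, a consumer's job is to check that a signing certificate chains to that root, that it fits the short validity window described above, and that it names the email it was issued for. The following Go program is an added example, not Fulcio's own code: it performs that check against a constructed EC P-384 root and leaf that stand in for the real ones (to check a real pair, load them with encoding/pem and x509.ParseCertificate instead of calling BuildTestChain).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyFulcioStyleLeaf checks that leaf chains to root for code signing at time now, that its validity window is under 20 minutes (the README's limit), and returns the single email SAN it was issued for.
func VerifyFulcioStyleLeaf(root, leaf *x509.Certificate, now time.Time) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	if leaf.NotAfter.Sub(leaf.NotBefore) >= 20*time.Minute {
		return "", errors.New("certificate lifetime is not under 20 minutes")
	}
	if len(leaf.EmailAddresses) != 1 {
		return "", errors.New("expected exactly one email SAN")
	}
	return leaf.EmailAddresses[0], nil
}

// BuildTestChain is a constructed stand-in for the public Fulcio root and one issued leaf: an EC P-384 self-signed CA (the curve named in the README) signing a leaf that carries an email SAN.
func BuildTestChain(email string, lifetime time.Duration, now time.Time) (root, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{email}, NotBefore: now,
		NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	rootDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(rootDER) // DER just produced by CreateCertificate always parses
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf, err
}
```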
After cloning the repository:
$ make
There are other targets available in the Makefile, check it out.
The API is defined here.
Fulcio will publish issued certificates to a unique Certificate Transparency log (CT-log). That log will be hosted by the sigstore project.
We encourage auditors to monitor this log, and aim to help people access the data.
A simple example would be a service that emails users (on a different address) when certificates have been issued on their behalf. This can then be used to detect bad behavior or possible compromise.
The public Fulcio root CA is currently running on GCP CA Service with the EC_P384_SHA384 algorithm.
You can also run Fulcio with your own CA on CA Service by passing in a parent and specifying Google as the CA:
go run main.go serve --ca googleca --gcp_private_ca_parent=projects/myproject/locations/us-central1/caPools/mypool
Fulcio may also be used with a PKCS#11 capable device such as a SoftHSM. You will also need pkcs11-tool.
To configure a SoftHSM:
Create a config/crypto11.conf file:
{
"Path" : "/usr/lib64/softhsm/libsofthsm.so",
"TokenLabel": "fulcio",
"Pin" : "2324"
}
And a config/softhsm2.conf file:
directories.tokendir = /tmp/tokens
objectstore.backend = file
log.level = INFO
Export the path to config/softhsm2.conf (the file created above):
export SOFTHSM2_CONF=`pwd`/config/softhsm2.conf
softhsm2-util --init-token --slot 0 --label fulcio
pkcs11-tool --module /usr/lib64/softhsm/libsofthsm.so --login --login-type user --keypairgen --id 1 --label PKCS11CA --key-type EC:secp384r1
- Note: you can also import existing keys using pkcs11-tool; see the pkcs11-tool manual for details.
Now that your keys are generated, you can use the fulcio createca command to generate a Root CA. This command will also store the generated Root CA in the HSM under the id passed to --hsm-caroot-id:
fulcio createca --org=acme --country=UK --locality=SomeTown --province=SomeProvince --postal-code=XXXX --street-address=XXXX --hsm-caroot-id 99 --out myrootCA.pem
fulcio serve --ca pkcs11ca --hsm-caroot-id 99
⚠️ A SoftHSM does not provide the same security guarantees as a hardware-based HSM. Use it for test and development purposes only.
NOTE
PKCS11CA has only been validated against a SoftHSM. In theory this should also work with all PKCS#11 compliant HSMs, but to date we have only tested against a SoftHSM.
Support will be extended to the following CA / KMS systems; feel free to contribute to expedite support coverage.
Planned support for:
- AWS CloudHSM
- Azure Dedicated HSM
- YubiHSM
Should you discover any security issues, please refer to sigstore's security process.
Fulcio is developed as part of the sigstore project.
We also use a slack channel! Click here for the invite link.