[Acme] looking for prior-art for "deploying" certificates to virtual machines
Michael Richardson <mcr@sandelman.ca> Sat, 22 May 2021 21:24 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DFFE3A1F9D for <acme@ietfa.amsl.com>; Sat, 22 May 2021 14:24:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.098
X-Spam-Level:
X-Spam-Status: No, score=0.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_TRY_3LD=1.997] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mx-wblrQCvKH for <acme@ietfa.amsl.com>; Sat, 22 May 2021 14:24:02 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E13C93A1F9B for <acme@ietf.org>; Sat, 22 May 2021 14:24:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 0BDBF38BA3 for <acme@ietf.org>; Sat, 22 May 2021 17:33:40 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Z4Jvg8MUtdCR for <acme@ietf.org>; Sat, 22 May 2021 17:33:39 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 39A3E38B8F for <acme@ietf.org>; Sat, 22 May 2021 17:33:39 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 617A5997 for <acme@ietf.org>; Sat, 22 May 2021 17:23:59 -0400 (EDT)
To: acme@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
From: Michael Richardson <mcr@sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <30386.1621718639.1@localhost>
Content-Transfer-Encoding: quoted-printable
Date: Sat, 22 May 2021 17:23:59 -0400
Message-ID: <30387.1621718639@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/WeNs64kz-J_kGkvLI2PUWOdvCik>
Subject: [Acme] looking for prior-art for "deploying" certificates to virtual machines
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 May 2021 21:24:07 -0000
There are lots of things out there about fTPMs for HyperV or ESX hosted VMs, (long in howto, short on details, alas), and many bits and pieces of documentation on cloud-init, particularly for installing root/.ssh/authorized_keys, but nothing specific I've found about deploying certificates to virtual machine appliances. It is clear that one could do this via cloud-init, but that there doesn't seem to be any kind of standard. Here is the scenario that I want to support: 1) user, aka IT administrator, downloads a vmdk/ova/qcow2 from the Internet. {or: selects EC2 AMI from palette in amazon VM store} 2) image is deployed on VM infrastructure, including, in particular, they could just boot it up on their desktop using VM Workstation, VirtualBox, virtmanager, or kvm -hda foo.qcow2. 3) rocker switch is put into MoreMagic<tm> setting { http://www.catb.org/jargon/html/magic-story.html } 4) VM boots up in bridged mode on the "LAN", and announces itself as "myawesomevm.local" http://myawesomevm.local, 301 redirect to https://myawesomevm-abcd4.cooldomain.com/ and happy admin continue doing MyAwsomeVM stuff via web browser. The IoTSF ManySecureWG has some ideas on how to make the https:// URL work for nicely. Christian Amsuess re-discovered a trick that seems to have been first done by https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/ Doing dns-01 challenges with a manufacturer is also an easy way to bootstrap into the above mentioned mechanism, and I wrote that up in an ID https://datatracker.ietf.org/doc/draft-richardson-homerouter-provisioning/ But, while these things explain how we get end-browser trust with the device, what it doesn't do is explain how this new VM is considered legitimate by whatever manager/author created it. There are some options: 1) a common keypair is built-in to the VM when the image is created. That is, every single VM has the same private key. This is used to "authenticate" some kind of enrollment with provisioning system. Such a "secret" is not really very secret, as really anyone can take the VM apart. (Sure, EC2 has some controls on who can get the AMI to take it apart. But, in general private cloud owners can and should look into the VMs they are running) 2) via cloud-init with some kind of secret provided out-of-band. I note that cloud-init can take things from ISO images, so the person downloading could actually download an ova file *as well* as some .iso image that they attach when booting. It seems that that this will work for "workstation" environments, but it seems tedious for the less clueful admins. 3) by having some dialog on the "console" where the virtual appliance perhaps calls home, and the administrator enters some token on that they got via some other interface (a registration web interface). This is commonly done for installation of license keys today, and in the past I've automated things for installation on physical machines. This could also work for EC2/Linode/DigitalOpen, if done by SSH. How is this really ACME related? Well, the goal is to finish by deploying an https certificate on the device. How is this really ANIMA related? Well, for me, this VM is either (a) new Registrar, (b) a virtual appliance as a Pledge, and so needs that IDevID. My ideal situation would be that someone would tell me that there is this standard in industry association AbscurelyBootedComputers which has convinced all the parties that this problem needs to be solved, and I can just "apt-get install kvm-abc" and I'd be done. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Acme] looking for prior-art for "deploying" cert… Michael Richardson
- Re: [Acme] looking for prior-art for "deploying" … Salz, Rich
- Re: [Acme] looking for prior-art for "deploying" … Michael Richardson