RETIRED - An Ephemeral PKI system that can act as a trust anchor for OpenStack PKI operations
Stanislaw Pitucha 3f976af695 Ignore the generated files 2014-03-28 10:59:23 +00:00
CA Move CA stuff into a dir 2014-03-21 14:04:20 +00:00
certs Add serial number handling 2014-03-21 14:30:23 +00:00
ephemeral_ca Some function docstrings 2014-03-26 17:46:53 +00:00
.gitignore Ignore the generated files 2014-03-28 10:59:23 +00:00
README.md Fix escaping 2014-03-26 18:04:57 +00:00
config.cfg.sample Validate service group against ldap group 2014-03-26 17:05:10 +00:00
setup.py Revert to simple python-ldap, authentication works 2014-03-25 18:54:28 +00:00

README.md

Ephemeral CA

This service generates quickly expiring certificates for a given CA. The validity period can be set in the config file with hour resolution.

Checks are done against the certificate request inside the validate() function. Currently some of the checks are: does the domain in the CN end with one of the suffixes allowed in the config file, and does the server prefix match the LDAP user's team (for example, is "nv-..." requested by a member of "Nova_Team").
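As an added illustration of the two checks just described (this is example code, not the project's validate() function), the snippet below applies the suffix and team-prefix rules to the CN of a request. The config shape, the "Glance_Team"/"gl-" pair and the OpenSSL-style subject string are assumptions; the "hpcloud.net" suffix and the "nv-"/"Nova_Team" pair come from this README. The suffix check is deliberately anchored on a label boundary so that a name such as "host.evilhpcloud.net" does not pass as being under "hpcloud.net".

```python
"""Suffix and team-prefix checks on a CSR's CN (added example, not the project's code)."""

# Constructed configuration. "hpcloud.net" and the "nv-"/"Nova_Team" pair are taken
# from the README; the "gl-"/"Glance_Team" pair is made up for the example. The real
# config.cfg format is not reproduced here.
ALLOWED_SUFFIXES = ("hpcloud.net",)
TEAM_PREFIXES = {
    "Nova_Team": ("nv-",),
    "Glance_Team": ("gl-",),  # constructed
}


def cn_from_subject(subject):
    """Pull the CN value out of an OpenSSL-style subject such as '/O=x/CN=host'."""
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def suffix_allowed(cn, suffixes=ALLOWED_SUFFIXES):
    """True only if cn equals a suffix or ends with '.' + suffix (label boundary)."""
    cn = cn.lower()
    return any(cn == s.lower() or cn.endswith("." + s.lower()) for s in suffixes)


def prefix_matches_team(cn, user_groups, team_prefixes=TEAM_PREFIXES):
    """True if the first label of cn starts with a prefix owned by one of the
    requester's LDAP groups (the mapping is an assumption of this example)."""
    host = cn.lower().split(".", 1)[0]
    for group in user_groups:
        for prefix in team_prefixes.get(group, ()):
            if host.startswith(prefix.lower()):
                return True
    return False


def validate(subject, user_groups):
    """Return a list of failure reasons; an empty list means the request passes."""
    cn = cn_from_subject(subject)
    if not cn:
        return ["CSR has no CN"]
    problems = []
    if not suffix_allowed(cn):
        problems.append("CN %r is not under an allowed suffix" % cn)
    if not prefix_matches_team(cn, user_groups):
        problems.append("CN %r prefix is not owned by any of the requester's teams" % cn)
    return problems


if __name__ == "__main__":
    # Constructed sample requests: one that passes and two that fail.
    print(validate("/O=HP/CN=nv-api.hpcloud.net", ["Nova_Team"]))
    print(validate("/CN=nv-api.evilhpcloud.net", ["Nova_Team"]))
    print(validate("/CN=gl-api.hpcloud.net", ["Nova_Team"]))
```

Returning the full list of problems rather than failing on the first one gives the requester (and the audit log) every reason a signing request was refused in a single round trip.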

Installation

This service requires either a Python virtual environment together with the python, ssl, ldap and sasl development system packages, or the system python-ldap and python-flask packages.

For virtual environment run:

virtualenv .venv
. .venv/bin/activate
./setup.py develop

The config file should be copied from config.cfg.sample to ephemeral_ca/config.cfg with any details updated.

The service can be run with:

ephemeral_ca_server

To test the service, generate the certificate request and submit it using curl:

openssl req -text -newkey rsa:384 -nodes -out some.name.hpcloud.net.csr
curl http://0:5000/sign -F user=sso_username -F secret=sso_password -F encoding=pem -F 'csr=<some.name.hpcloud.net.csr'