2015-07-12 19:22:10 +00:00
Certidude
=========
2015-10-08 11:23:33 +00:00
.. image :: https://travis-ci.org/laurivosandi/certidude.svg?branch=master
:target: https://travis-ci.org/laurivosandi/certidude
.. image :: http://codecov.io/github/laurivosandi/certidude/coverage.svg?branch=master
:target: http://codecov.io/github/laurivosandi/certidude?branch=master
2015-07-26 20:34:46 +00:00
Introduction
------------
Certidude is a novel X.509 Certificate Authority management tool
2015-08-16 15:09:06 +00:00
with privilege isolation mechanism and Kerberos authentication aiming to
2015-07-26 20:34:46 +00:00
eventually support PKCS#11 and in far future WebCrypto.
2015-08-16 15:09:06 +00:00
.. figure :: doc/usecase-diagram.png
2015-07-26 20:34:46 +00:00
2016-03-27 20:38:14 +00:00
Certidude is mainly designed for VPN gateway operators to make
desktop/laptop VPN setup as easy as possible.
User certificate management eg. for HTTPS is also made reasonably simple.
2015-08-22 20:19:30 +00:00
For a full-blown CA you might want to take a look at
`EJBCA <http://www.ejbca.org/features.html> `_ or
`OpenCA <https://pki.openca.org/> `_ .
2015-07-26 20:34:46 +00:00
Features
--------
2016-03-27 20:38:14 +00:00
Common:
2015-07-26 20:34:46 +00:00
* Standard request, sign, revoke workflow via web interface.
2016-03-27 20:38:14 +00:00
* Kerberos and basic auth based web interface authentication.
* PAM and Active Directory compliant authentication backends: Kerberos single sign-on, LDAP simple bind.
* POSIX groups and Active Directory (LDAP) group membership based authorization.
* Command-line interface, check out `` certidude list `` .
2015-07-26 20:34:46 +00:00
* Privilege isolation, separate signer process is spawned per private key isolating
private key use from the the web interface.
2016-03-27 20:38:14 +00:00
* Certificate serial numbers are intentionally randomized to avoid leaking information about business practices.
* Server-side events support via `nchan <https://nchan.slact.net/> `_ .
* E-mail notifications about pending, signed and revoked certificates.
2015-07-26 20:34:46 +00:00
2016-03-27 20:38:14 +00:00
Virtual private networking:
2015-07-26 20:34:46 +00:00
2016-03-27 20:38:14 +00:00
* OpenVPN integration, check out `` certidude setup openvpn server `` and `` certidude setup openvpn client `` .
* strongSwan integration, check out `` certidude setup strongswan server `` and `` certidude setup strongswan client `` .
* NetworkManager integration, check out `` certidude setup openvpn networkmanager `` and `` certidude setup strongswan networkmanager `` .
2015-07-26 20:34:46 +00:00
2016-03-27 20:38:14 +00:00
HTTPS:
* P12 bundle generation for web browsers, seems to work well with Android
* HTTPS server setup with client verification, check out `` certidude setup nginx ``
2015-08-22 20:19:30 +00:00
TODO
----
* `OCSP <https://tools.ietf.org/html/rfc4557> `_ support, needs a bit hacking since OpenSSL wrappers are not exposing the functionality.
* `SECP <https://tools.ietf.org/html/draft-nourse-scep-23> `_ support, a client implementation available `here <https://github.com/certnanny/sscep> `_ . Not sure if we can implement server-side events within current standard.
2015-07-26 20:34:46 +00:00
* Deep mailbox integration, eg fetch CSR-s from mailbox via IMAP.
* WebCrypto support, meanwhile check out `hwcrypto.js <https://github.com/open-eid/hwcrypto.js> `_ .
* Certificate push/pull, making it possible to sign offline.
* PKCS#11 hardware token support for signatures at command-line.
2015-08-22 20:19:30 +00:00
* Ability to send `` .ovpn `` bundle URL tokens via e-mail, for simplified VPN adoption.
* Cronjob for deleting expired certificates
* Signer process logging.
2015-07-12 19:22:10 +00:00
2016-03-27 20:38:14 +00:00
2015-07-12 19:22:10 +00:00
Install
-------
To install Certidude:
.. code :: bash
2016-03-29 19:03:27 +00:00
apt-get install -y python python-pip python-dev cython \
python-cffi python-configparser \
2016-03-21 21:42:39 +00:00
python-pysqlite2 python-mysql.connector python-ldap \
build-essential libffi-dev libssl-dev libkrb5-dev \
2016-03-27 21:00:41 +00:00
ldap-utils krb5-user \
2016-09-17 21:00:14 +00:00
libsasl2-modules-gssapi-mit \
libsasl2-dev libldap2-dev
2016-03-27 21:00:41 +00:00
pip install certidude
2015-08-13 08:11:08 +00:00
2015-07-12 19:22:10 +00:00
2016-03-27 20:38:14 +00:00
Setting up authority
--------------------
2015-07-12 19:22:10 +00:00
2016-03-27 20:38:14 +00:00
First make sure the machine used for certificate authority has fully qualified
2015-11-15 14:55:26 +00:00
domain name set up properly.
You can check it with:
2015-12-12 22:34:08 +00:00
.. code :: bash
2016-03-21 21:42:39 +00:00
hostname -f
2015-11-15 14:55:26 +00:00
2016-03-29 19:03:27 +00:00
The command should return `` ca.example.com `` .
If necessary tweak machine's fully qualified hostname in `` /etc/hosts `` :
.. code ::
127.0.0.1 localhost
127.0.1.1 ca.example.com ca
2016-09-17 21:00:14 +00:00
Then proceed to install `nchan <https://nchan.slact.net/> `_ :
2016-03-29 19:03:27 +00:00
.. code :: bash
2016-09-17 21:00:14 +00:00
wget https://nchan.slact.net/download/nginx-common.deb \
https://nchan.slact.net/download/nginx-extras.deb
2016-03-29 19:03:27 +00:00
dpkg -i nginx-common.deb nginx-extras.deb
2016-09-17 21:00:14 +00:00
apt-get -f install
2015-11-15 14:55:26 +00:00
2016-03-29 19:03:27 +00:00
Certidude can set up certificate authority relatively easily.
Following will set up certificate authority in `` /var/lib/certidude/hostname.domain.tld `` ,
2016-09-17 21:00:14 +00:00
configure gunicorn service for your platform,
2016-03-29 19:03:27 +00:00
nginx in `` /etc/nginx/sites-available/certidude.conf `` ,
cronjobs in `` /etc/cron.hourly/certidude `` and much more:
2015-07-12 19:22:10 +00:00
.. code :: bash
2015-11-15 14:55:26 +00:00
certidude setup authority
2015-07-12 19:22:10 +00:00
2016-03-29 19:03:27 +00:00
Tweak the configuration in `` /etc/certidude/server.conf `` until you meet your requirements and
2016-01-10 17:51:54 +00:00
spawn the signer process:
2015-08-13 08:11:08 +00:00
.. code :: bash
2016-01-15 09:18:27 +00:00
certidude signer spawn
2015-08-13 08:11:08 +00:00
2016-03-29 19:03:27 +00:00
Finally restart services:
2015-07-12 19:22:10 +00:00
.. code :: bash
2016-03-29 19:03:27 +00:00
service nginx restart
service uwsgi restart
2015-07-26 20:34:46 +00:00
Certificate management
----------------------
Use following command to request a certificate on a machine:
.. code ::
2015-11-15 14:55:26 +00:00
certidude setup client ca.example.com
2015-07-26 20:34:46 +00:00
2016-01-10 17:51:54 +00:00
Use following to list signing requests, certificates and revoked certificates on server:
2015-07-26 20:34:46 +00:00
.. code ::
certidude list
2016-01-10 17:51:54 +00:00
Use web interface or following to sign a certificate on server:
2015-07-26 20:34:46 +00:00
.. code ::
certidude sign client-hostname-or-common-name
2016-03-27 21:00:41 +00:00
Setting up Active Directory authentication
------------------------------------------
2015-08-16 14:21:42 +00:00
Following assumes you have already set up Kerberos infrastructure and
Certidude is simply one of the servers making use of that infrastructure.
Install dependencies:
.. code :: bash
apt-get install samba-common-bin krb5-user ldap-utils
2016-09-17 21:00:14 +00:00
Reset Samba client configuration in `` /etc/samba/smb.conf `` , adjust
workgroup and realm accordingly:
2015-08-16 14:21:42 +00:00
.. code :: ini
[global]
security = ads
2015-09-01 17:25:20 +00:00
netbios name = CA
workgroup = EXAMPLE
2016-03-29 19:03:27 +00:00
realm = EXAMPLE.COM
2015-08-16 14:21:42 +00:00
kerberos method = system keytab
2016-03-21 21:42:39 +00:00
Reset Kerberos configuration in `` /etc/krb5.conf `` :
.. code :: ini
[libdefaults]
2016-03-29 19:03:27 +00:00
default_realm = EXAMPLE.COM
2016-03-21 21:42:39 +00:00
dns_lookup_realm = true
dns_lookup_kdc = true
2016-09-17 21:00:14 +00:00
Reset LDAP configuration in /etc/ldap/ldap.conf:
.. code :: bash
BASE dc=example,dc=com
URI ldap://dc1.example.com
2016-03-21 21:42:39 +00:00
Initialize Kerberos credentials:
.. code :: bash
kinit administrator
Join the machine to domain:
.. code :: bash
net ads join -k
2015-08-16 14:21:42 +00:00
Set up Kerberos keytab for the web service:
.. code :: bash
2016-03-21 21:42:39 +00:00
KRB5_KTNAME=FILE:/etc/certidude/server.keytab net ads keytab add HTTP -k
chown root:certidude /etc/certidude/server.keytab
chmod 640 /etc/certidude/server.keytab
2015-08-16 14:21:42 +00:00
2016-03-27 20:38:14 +00:00
Reconfigure /etc/certidude/server.conf:
2015-08-16 14:21:42 +00:00
2016-03-27 20:38:14 +00:00
.. code :: ini
2015-08-16 14:21:42 +00:00
2016-03-27 20:38:14 +00:00
[authentication]
backends = kerberos
2015-08-16 14:21:42 +00:00
2016-03-27 20:38:14 +00:00
[authorization]
backend = ldap
ldap gssapi credential cache = /run/certidude/krb5cc
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
2016-03-27 21:00:41 +00:00
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,dc=example,dc=com)(samaccountname=%s))
2015-08-16 14:21:42 +00:00
2016-03-27 20:38:14 +00:00
User filter here specified which users can log in to Certidude web interface
at all eg. for generating user certificates for HTTPS.
Admin filter specifies which users are allowed to sign and revoke certificates.
Adjust admin filter according to your setup.
Also make sure there is cron.hourly job for creating GSSAPI credential cache -
that's necessary for querying LDAP using Certidude machine's credentials.
2015-10-17 17:42:59 +00:00
2016-09-17 21:00:14 +00:00
Common pitfalls:
* Following error message may mean that the IP address of the web server does not match the IP address used to join
the CA machine to domain, eg when you're running CA behind SSL terminating web server:
Bad credentials: Unspecified GSS failure. Minor code may provide more information (851968)
2015-10-17 17:42:59 +00:00
Automating certificate setup
----------------------------
Ubuntu 14.04 based desktops come with NetworkManager installed.
Create `` /etc/NetworkManager/dispatcher.d/certidude `` with following content:
.. code :: bash
#!/bin/sh -e
# Set up certificates for IPSec connection
case "$2" in
up)
2016-03-27 20:38:14 +00:00
LANG=C.UTF-8 /usr/local/bin/certidude request spawn -k
2015-10-17 17:42:59 +00:00
;;
esac
Finally make it executable:
.. code :: bash
chmod +x /etc/NetworkManager/dispatcher.d/certidude
Whenever a wired or wireless connection is brought up,
the dispatcher invokes `` certidude `` in order to generate RSA keys,
submit CSR, fetch signed certificate,
2016-03-27 20:38:14 +00:00
create NetworkManager configuration for the VPN connection.
2016-01-25 09:18:19 +00:00
Development
-----------
Clone the repository:
.. code :: bash
git clone https://github.com/laurivosandi/certidude
cd certidude
2016-03-21 21:42:39 +00:00
Install dependencies as shown above and additionally:
.. code :: bash
pip install -r requirements.txt
2016-01-25 09:18:19 +00:00
To generate templates:
.. code :: bash
apt-get install npm nodejs
2016-03-21 21:42:39 +00:00
sudo ln -s nodejs /usr/bin/node # Fix 'env node' on Ubuntu 14.04
npm install -g nunjucks
nunjucks-precompile --include "\\.html$" --include "\\.svg$" certidude/static/ > certidude/static/js/templates.js
2016-01-25 09:18:19 +00:00
To run from source tree:
.. code :: bash
2016-03-29 19:03:27 +00:00
PYTHONPATH=. KRB5CCNAME=/run/certidude/krb5cc KRB5_KTNAME=/etc/certidude/server.keytab LANG=C.UTF-8 python misc/certidude
2016-01-25 09:18:19 +00:00
To install the package from the source:
.. code :: bash
2016-03-21 21:42:39 +00:00
python setup.py install --single-version-externally-managed --root /