certidude/certidude/templates/certidude-server.conf

[authentication]
# The authentiction backend specifies how the user is authenticated,
# in case of 'pam' simplepam.authenticate is used to authenticate against
# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
# user against eg. Active Directory or Samba4.

backends = pam
;backends = kerberos
;backends = ldap
;backends = kerberos ldap
;backends = kerberos pam
ldap uri = ldaps://dc1.example.com

[accounts]
# The accounts backend specifies how the user's given name, surname and e-mail
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
# in case of 'ldap' a search is performed on LDAP server specified by ldap uri
# with Kerberos credential cache initialized at path specified by environment variable KRB5CCNAME
# If certidude setup authority was performed correctly the credential cache should be
# updated automatically by /etc/cron.hourly/certidude

backend = posix
;backend = ldap
ldap gssapi credential cache = /run/certidude/krb5cc
ldap uri = ldap://dc1.example.com
ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %}

[authorization]
# The authorization backend specifies how the users are authorized.
# In case of 'posix' simply group membership is asserted,
# in case of 'ldap' search filter with username as placeholder is applied.

backend = posix
posix user group = users
posix admin group = sudo

;backend = ldap
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))

# Users are allowed to log in from user subnets
user subnets = 0.0.0.0/0

# Authority administrators are allowed to sign and revoke certificates from these subnets
admin subnets = 0.0.0.0/0

# Certificate signing requests are allowed to be submitted from these subnets
request subnets = 0.0.0.0/0

# Certificates are automatically signed for these subnets
autosign subnets = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[logging]
backend =

;backend = sql
database = sqlite://{{ directory }}/db.sqlite

[tagging]
backend =

;backend = sql
database = sqlite://{{ directory }}/db.sqlite

[leases]
backend =

;backend = sql
schema = strongswan
database = sqlite://{{ directory }}/db.sqlite

# Following was used on an OpenWrt router
# uci set openvpn.s2c.status=/www/status.log
# uci commit; touch /www/status.log; chmod 755 /www/status.log
;backend = openvpn-status
;openvpn status uri = /var/log/openvpn-status.log
openvpn status uri = http://router.example.com/status.log

[signature]
certificate lifetime = {{ certificate_lifetime }}
revocation list lifetime = {{ revocation_list_lifetime }}
certificate url = {{ certificate_url }}
revoked url = {{ revoked_url }}

[push]
event source token = {{ push_token }}
event source subscribe = {{ push_server }}/ev/sub/%s
event source publish = {{ push_server }}/ev/pub/%s
long poll subscribe = {{ push_server }}/lp/sub/%s
long poll publish = {{ push_server }}/lp/pub/%s

[authority]
# User certificate enrollment specifies whether logged in users are allowed to
# request bundles. In case of 'single allowed' the common name of the
# certificate is set to username, this should work well with REMOTE_USER
# enabled web apps running behind Apache/nginx.
# In case of 'multiple allowed' the common name is set to username@device-identifier.
;user certificate enrollment = forbidden
;user certificate enrollment = single allowed
user certificate enrollment = multiple allowed

private key path = {{ ca_key }}
certificate path = {{ ca_crt }}

requests dir = {{ directory }}/requests/
signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/

outbox uri = {{ outbox }}
outbox sender name = Certificate management
outbox sender address = certificates@example.com

bundle format = p12
;bundle format = ovpn

openvpn bundle template = /etc/certidude/template.ovpn
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`[authentication]`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00			`# The authentiction backend specifies how the user is authenticated,`
			`# in case of 'pam' simplepam.authenticate is used to authenticate against`
			`# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate`
			`# user against eg. Active Directory or Samba4.`

Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`backends = pam`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00			`;backends = kerberos`
			`;backends = ldap`
			`;backends = kerberos ldap`
			`;backends = kerberos pam`
Refactor LDAP authentication * ldap uri can be specified in /etc/certidude/server.conf now * /etc/ldap/ldap.conf is ignored 2017-01-25 09:43:19 +00:00			`ldap uri = ldaps://dc1.example.com`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
			`[accounts]`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00			`# The accounts backend specifies how the user's given name, surname and e-mail`
			`# address are looked up. In case of 'posix' basically 'getent passwd' is performed,`
Refactor LDAP authentication * ldap uri can be specified in /etc/certidude/server.conf now * /etc/ldap/ldap.conf is ignored 2017-01-25 09:43:19 +00:00			`# in case of 'ldap' a search is performed on LDAP server specified by ldap uri`
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00			`# with Kerberos credential cache initialized at path specified by environment variable KRB5CCNAME`
Fixes for LDAP access using machine credentials 2017-01-20 10:56:46 +00:00			`# If certidude setup authority was performed correctly the credential cache should be`
			`# updated automatically by /etc/cron.hourly/certidude`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`backend = posix`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00			`;backend = ldap`
Fixes for LDAP access using machine credentials 2017-01-20 10:56:46 +00:00			`ldap gssapi credential cache = /run/certidude/krb5cc`
Refactor LDAP authentication * ldap uri can be specified in /etc/certidude/server.conf now * /etc/ldap/ldap.conf is ignored 2017-01-25 09:43:19 +00:00			`ldap uri = ldap://dc1.example.com`
			`ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %}`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`[authorization]`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00			`# The authorization backend specifies how the users are authorized.`
			`# In case of 'posix' simply group membership is asserted,`
			`# in case of 'ldap' search filter with username as placeholder is applied.`

Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`backend = posix`
Documentation fixes and attempt to fix Travis 2016-03-27 21:00:41 +00:00			`posix user group = users`
			`posix admin group = sudo`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
			`;backend = ldap`
			`ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))`
Add 'certidude users' command for listing user accounts 2016-03-31 21:01:58 +00:00			`ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))`
Merge authority setup and production setup 2016-03-29 19:03:27 +00:00			`ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
			`# Users are allowed to log in from user subnets`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`user subnets = 0.0.0.0/0`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
			`# Authority administrators are allowed to sign and revoke certificates from these subnets`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`admin subnets = 0.0.0.0/0`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
			`# Certificate signing requests are allowed to be submitted from these subnets`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`request subnets = 0.0.0.0/0`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
			`# Certificates are automatically signed for these subnets`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`autosign subnets = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16`

			`[logging]`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`backend =`

			`;backend = sql`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`database = sqlite://{{ directory }}/db.sqlite`

			`[tagging]`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`backend =`

			`;backend = sql`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`database = sqlite://{{ directory }}/db.sqlite`

Add openvpn-status.log support 2017-01-26 21:59:12 +00:00			`[leases]`
			`backend =`

			`;backend = sql`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`schema = strongswan`
			`database = sqlite://{{ directory }}/db.sqlite`
Add openvpn-status.log support 2017-01-26 21:59:12 +00:00
			`# Following was used on an OpenWrt router`
			`# uci set openvpn.s2c.status=/www/status.log`
			`# uci commit; touch /www/status.log; chmod 755 /www/status.log`
			`;backend = openvpn-status`
			`;openvpn status uri = /var/log/openvpn-status.log`
			`openvpn status uri = http://router.example.com/status.log`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
			`[signature]`
cli: Fix authority setup script 2016-03-29 15:37:28 +00:00			`certificate lifetime = {{ certificate_lifetime }}`
			`revocation list lifetime = {{ revocation_list_lifetime }}`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00			`certificate url = {{ certificate_url }}`
			`revoked url = {{ revoked_url }}`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
			`[push]`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`event source token = {{ push_token }}`
			`event source subscribe = {{ push_server }}/ev/sub/%s`
			`event source publish = {{ push_server }}/ev/pub/%s`
			`long poll subscribe = {{ push_server }}/lp/sub/%s`
			`long poll publish = {{ push_server }}/lp/pub/%s`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
			`[authority]`
Make user certificate enrollment configurable 2016-03-31 22:55:51 +00:00			`# User certificate enrollment specifies whether logged in users are allowed to`
			`# request bundles. In case of 'single allowed' the common name of the`
			`# certificate is set to username, this should work well with REMOTE_USER`
			`# enabled web apps running behind Apache/nginx.`
			`# In case of 'multiple allowed' the common name is set to username@device-identifier.`
			`;user certificate enrollment = forbidden`
			`;user certificate enrollment = single allowed`
			`user certificate enrollment = multiple allowed`

Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`private key path = {{ ca_key }}`
			`certificate path = {{ ca_crt }}`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`requests dir = {{ directory }}/requests/`
			`signed dir = {{ directory }}/signed/`
			`revoked dir = {{ directory }}/revoked/`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00			`expired dir = {{ directory }}/expired/`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00
			`outbox uri = {{ outbox }}`
			`outbox sender name = Certificate management`
			`outbox sender address = certificates@example.com`
cli: Fix authority setup script 2016-03-29 15:37:28 +00:00
Add OpenVPN bundle generation 2017-01-25 11:34:08 +00:00			`bundle format = p12`
			`;bundle format = ovpn`

			`openvpn bundle template = /etc/certidude/template.ovpn`