2015-07-12 19:22:10 +00:00
Certidude
=========
2015-10-08 11:23:33 +00:00
.. image :: https://travis-ci.org/laurivosandi/certidude.svg?branch=master
:target: https://travis-ci.org/laurivosandi/certidude
.. image :: http://codecov.io/github/laurivosandi/certidude/coverage.svg?branch=master
:target: http://codecov.io/github/laurivosandi/certidude?branch=master
2015-07-26 20:34:46 +00:00
Introduction
------------
Certidude is a novel X.509 Certificate Authority management tool
2015-08-16 15:09:06 +00:00
with privilege isolation mechanism and Kerberos authentication aiming to
2015-07-26 20:34:46 +00:00
eventually support PKCS#11 and in far future WebCrypto.
2015-08-16 15:09:06 +00:00
.. figure :: doc/usecase-diagram.png
2015-07-26 20:34:46 +00:00
2015-08-22 20:19:30 +00:00
Certidude is mainly designed for VPN gateway operators to make VPN adoption usage
as simple as possible.
For a full-blown CA you might want to take a look at
`EJBCA <http://www.ejbca.org/features.html> `_ or
`OpenCA <https://pki.openca.org/> `_ .
2015-07-26 20:34:46 +00:00
Features
--------
* Standard request, sign, revoke workflow via web interface.
2015-08-13 08:11:08 +00:00
* Colored command-line interface, check out `` certidude list `` .
* OpenVPN integration, check out `` certidude setup openvpn server `` and `` certidude setup openvpn client `` .
* strongSwan integration, check out `` certidude setup strongswan server `` and `` certidude setup strongswan client `` .
2015-07-26 20:34:46 +00:00
* Privilege isolation, separate signer process is spawned per private key isolating
private key use from the the web interface.
* Certificate numbering obfuscation, certificate serial numbers are intentionally
randomized to avoid leaking information about business practices.
2015-08-13 08:11:08 +00:00
* Server-side events support via for example nginx-push-stream-module.
2015-08-22 20:19:30 +00:00
* Kerberos based web interface authentication.
* File based whitelist authorization, easy to integrate with LDAP as shown below.
2015-07-26 20:34:46 +00:00
2015-08-22 20:19:30 +00:00
Coming soon
-----------
2015-07-26 20:34:46 +00:00
* Refactor mailing subsystem and server-side events to use hooks.
* Notifications via e-mail.
2015-08-22 20:19:30 +00:00
TODO
----
* `OCSP <https://tools.ietf.org/html/rfc4557> `_ support, needs a bit hacking since OpenSSL wrappers are not exposing the functionality.
* `SECP <https://tools.ietf.org/html/draft-nourse-scep-23> `_ support, a client implementation available `here <https://github.com/certnanny/sscep> `_ . Not sure if we can implement server-side events within current standard.
2015-07-26 20:34:46 +00:00
* Deep mailbox integration, eg fetch CSR-s from mailbox via IMAP.
* WebCrypto support, meanwhile check out `hwcrypto.js <https://github.com/open-eid/hwcrypto.js> `_ .
* Certificate push/pull, making it possible to sign offline.
* PKCS#11 hardware token support for signatures at command-line.
2015-08-22 20:19:30 +00:00
* Ability to send `` .ovpn `` bundle URL tokens via e-mail, for simplified VPN adoption.
* Cronjob for deleting expired certificates
* Signer process logging.
2015-07-12 19:22:10 +00:00
Install
-------
To install Certidude:
.. code :: bash
2015-12-13 15:11:22 +00:00
apt-get install -y python3 python3-pip python3-dev cython3 build-essential libffi-dev libssl-dev libkrb5-dev
pip3 install --allow-external mysql-connector-python mysql-connector-python
2015-07-12 19:22:10 +00:00
pip3 install certidude
2015-08-13 08:11:08 +00:00
2015-08-16 14:21:42 +00:00
Make sure you're running PyOpenSSL 0.15+ and netifaces 0.10.4+ from PyPI,
not the outdated ones provided by APT.
2015-08-13 08:11:08 +00:00
Create a system user for `` certidude `` :
2015-07-27 12:30:50 +00:00
.. code :: bash
2015-08-13 08:11:08 +00:00
adduser --system --no-create-home --group certidude
2015-07-27 12:30:50 +00:00
2015-07-12 19:22:10 +00:00
Setting up CA
--------------
2015-11-15 14:55:26 +00:00
First make sure the machine used for CA has fully qualified
domain name set up properly.
You can check it with:
2015-12-12 22:34:08 +00:00
.. code :: bash
2015-11-15 14:55:26 +00:00
hostname -f
The command should return ca.example.co
Certidude can set up CA relatively easily, following will set up
2016-01-10 17:51:54 +00:00
CA in /var/lib/certidude/hostname.domain.tld:
2015-07-12 19:22:10 +00:00
.. code :: bash
2015-11-15 14:55:26 +00:00
certidude setup authority
2015-07-12 19:22:10 +00:00
2016-01-10 17:51:54 +00:00
Tweak the configuration in /etc/certidude/server.conf until you meet your requirements and
spawn the signer process:
2015-08-13 08:11:08 +00:00
.. code :: bash
2016-01-15 09:18:27 +00:00
certidude signer spawn
2015-08-13 08:11:08 +00:00
2015-07-12 19:22:10 +00:00
Finally serve the certificate authority via web:
.. code :: bash
certidude serve
2015-07-26 20:34:46 +00:00
Certificate management
----------------------
Use following command to request a certificate on a machine:
.. code ::
2015-11-15 14:55:26 +00:00
certidude setup client ca.example.com
2015-07-26 20:34:46 +00:00
2016-01-10 17:51:54 +00:00
Use following to list signing requests, certificates and revoked certificates on server:
2015-07-26 20:34:46 +00:00
.. code ::
certidude list
2016-01-10 17:51:54 +00:00
Use web interface or following to sign a certificate on server:
2015-07-26 20:34:46 +00:00
.. code ::
certidude sign client-hostname-or-common-name
2015-07-27 12:30:50 +00:00
Production deployment
---------------------
2015-08-16 15:09:06 +00:00
Install `` nginx `` and `` uwsgi `` :
2015-07-27 12:30:50 +00:00
.. code :: bash
2015-08-16 14:21:42 +00:00
apt-get install nginx uwsgi uwsgi-plugin-python3
2015-07-27 12:30:50 +00:00
2015-08-16 15:09:06 +00:00
For easy setup following is reccommended:
2015-08-13 08:11:08 +00:00
.. code :: bash
certidude setup production
2015-08-16 15:09:06 +00:00
Otherwise manually configure `` uwsgi `` application in `` /etc/uwsgi/apps-available/certidude.ini `` :
2015-07-27 12:30:50 +00:00
.. code :: ini
[uwsgi]
master = true
processes = 1
vaccum = true
uid = certidude
gid = certidude
plugins = python34
chdir = /tmp
module = certidude.wsgi
callable = app
chmod-socket = 660
chown-socket = certidude:www-data
2015-08-16 15:09:06 +00:00
buffer-size = 32768
env = LANG=C.UTF-8
env = LC_ALL=C.UTF-8
2016-01-10 17:51:54 +00:00
env = KRB5_KTNAME=/etc/certidude/server.keytab
2015-07-27 12:30:50 +00:00
Also enable the application:
.. code :: bash
ln -s ../apps-available/certidude.ini /etc/uwsgi/apps-enabled/certidude.ini
2015-07-26 20:34:46 +00:00
We support `nginx-push-stream-module <https://github.com/wandenberg/nginx-push-stream-module> `_ ,
2015-12-23 14:48:31 +00:00
configure the site in /etc/nginx/sites-available/certidude:
2015-07-27 12:30:50 +00:00
.. code ::
upstream certidude_api {
2016-01-01 23:05:48 +00:00
server unix:///run/uwsgi/app/certidude/socket;
2015-07-27 12:30:50 +00:00
}
server {
server_name localhost;
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
2015-12-23 14:48:31 +00:00
root /usr/local/lib/python3.4/dist-packages/certidude/static;
2015-07-27 12:30:50 +00:00
2015-12-23 14:48:31 +00:00
location /api/ {
include uwsgi_params;
uwsgi_pass certidude_api;
}
# Add following three if you wish to enable push server on this machine
2015-11-15 14:55:26 +00:00
location /pub {
allow 127.0.0.1; # Allow publishing only from CA machine
2015-07-27 12:30:50 +00:00
push_stream_publisher admin;
2015-11-15 14:55:26 +00:00
push_stream_channels_path $arg_id;
2015-07-27 12:30:50 +00:00
}
2015-11-15 14:55:26 +00:00
location ~ "^/lp/(.*)" {
2015-07-27 12:30:50 +00:00
push_stream_channels_path $1;
push_stream_subscriber long-polling;
}
2015-11-15 14:55:26 +00:00
location ~ "^/ev/(.*)" {
push_stream_channels_path $1;
push_stream_subscriber eventsource;
}
2015-07-27 12:30:50 +00:00
}
Enable the site:
.. code :: bash
2015-12-23 14:48:31 +00:00
ln -s ../sites-available/certidude /etc/nginx/sites-enabled/certidude
2015-07-27 12:30:50 +00:00
Also adjust `` /etc/nginx/nginx.conf `` :
2015-07-26 20:34:46 +00:00
.. code ::
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
2015-07-27 15:49:50 +00:00
worker_connections 768;
# multi_accept on;
2015-07-26 20:34:46 +00:00
}
http {
push_stream_shared_memory_size 32M;
2015-07-27 15:49:50 +00:00
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/sites-enabled/*;
2015-07-26 20:34:46 +00:00
}
2015-10-26 20:50:10 +00:00
In your CA ssl.cnf make sure Certidude is aware of your nginx setup:
2015-11-15 14:55:26 +00:00
push_server = http://push.example.com/
2015-10-26 20:50:10 +00:00
2015-07-27 12:30:50 +00:00
Restart the services:
2015-07-26 20:34:46 +00:00
.. code :: bash
2015-07-27 12:30:50 +00:00
service uwsgi restart
service nginx restart
2015-08-16 14:21:42 +00:00
Setting up Kerberos authentication
----------------------------------
Following assumes you have already set up Kerberos infrastructure and
Certidude is simply one of the servers making use of that infrastructure.
Install dependencies:
.. code :: bash
apt-get install samba-common-bin krb5-user ldap-utils
2015-09-01 17:25:20 +00:00
Make sure Certidude machine's fully qualified hostname is correct in `` /etc/hosts `` :
.. code ::
127.0.0.1 localhost
127.0.1.1 ca.example.lan ca
2015-08-16 14:21:42 +00:00
Set up Samba client configuration in `` /etc/samba/smb.conf `` :
.. code :: ini
[global]
security = ads
2015-09-01 17:25:20 +00:00
netbios name = CA
workgroup = EXAMPLE
2015-08-16 14:21:42 +00:00
realm = EXAMPLE.LAN
kerberos method = system keytab
Set up Kerberos keytab for the web service:
.. code :: bash
2016-01-10 17:51:54 +00:00
KRB5_KTNAME=FILE:/etc/certidude/server.keytab net ads keytab add HTTP -U Administrator
2015-08-16 14:21:42 +00:00
Setting up authorization
------------------------
Obviously arbitrary Kerberos authenticated user should not have access to
the CA web interface.
You could either specify user name list
in `` /etc/ssl/openssl.cnf `` :
.. code :: bash
admin_users=alice bob john kate
Or alternatively specify file path:
.. code :: bash
admin_users=/run/certidude/user.whitelist
Use following shell snippets eg in `` /etc/cron.hourly/update-certidude-user-whitelist ``
to generate user whitelist via LDAP:
.. code :: bash
2015-08-16 15:09:06 +00:00
ldapsearch -H ldap://dc1.example.com -s sub -x -LLL \
-D 'cn=certidude,cn=Users,dc=example,dc=com' \
2015-08-16 14:21:42 +00:00
-w 'certidudepass' \
2015-08-16 15:09:06 +00:00
-b 'dc=example,dc=com' \
'(&(objectClass=user)(memberOf=cn=Domain Admins,cn=Users,dc=example,dc=com))' sAMAccountName userPrincipalName givenName sn \
2015-08-16 14:21:42 +00:00
| python3 -c "import ldif3; import sys; [sys.stdout.write('%s:%s:%s:%s\n' % (a.pop('sAMAccountName')[0], a.pop('userPrincipalName')[0], a.pop('givenName')[0], a.pop('sn')[0])) for _, a in ldif3.LDIFParser(sys.stdin.buffer).parse()]" \
> /run/certidude/user.whitelist
Set permissions:
.. code :: bash
chmod 700 /etc/cron.hourly/update-certidude-user-whitelist
2015-10-17 17:42:59 +00:00
Automating certificate setup
----------------------------
Ubuntu 14.04 based desktops come with NetworkManager installed.
Create `` /etc/NetworkManager/dispatcher.d/certidude `` with following content:
.. code :: bash
#!/bin/sh -e
# Set up certificates for IPSec connection
case "$2" in
up)
2015-11-15 14:55:26 +00:00
LANG=C.UTF-8 /usr/local/bin/certidude setup strongswan networkmanager ca.example.com gateway.example.com
2015-10-17 17:42:59 +00:00
;;
esac
Finally make it executable:
.. code :: bash
chmod +x /etc/NetworkManager/dispatcher.d/certidude
Whenever a wired or wireless connection is brought up,
the dispatcher invokes `` certidude `` in order to generate RSA keys,
submit CSR, fetch signed certificate,
create NetworkManager configuration for the VPN connection and
finally to bring up the VPN tunnel as well.
2016-01-25 09:18:19 +00:00
Development
-----------
Clone the repository:
.. code :: bash
git clone https://github.com/laurivosandi/certidude
cd certidude
To generate templates:
.. code :: bash
apt-get install npm nodejs
npm install nunjucks
nunjucks-precompile --include "\\.html$" --include "\\.svg" certidude/static/ > certidude/static/js/templates.js
To run from source tree:
.. code :: bash
PYTHONPATH=. KRB5_KTNAME=/etc/certidude/server.keytab LANG=C.UTF-8 python3 misc/certidude
To install the package from the source:
.. code :: bash
python3 setup.py install --single-version-externally-managed --root /