mirror of
https://github.com/laurivosandi/certidude
synced 2025-09-08 14:30:57 +00:00
Major refactor
* Migrate to Python 3
* Update token generator mechanism
* Switch to Bootstrap 4
* Switch from Iconmonstr to Font Awesome icons
* Rename default CA common name to "Certidude at ca.example.lan"
* Add self-enroll for the TLS server certificates
* TLS client auth for lease updating
* Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets
69
README.rst
@@ -68,10 +68,11 @@ Common:
* Server-side events support via `nchan <https://nchan.slact.net/>`_.
* E-mail notifications about pending, signed, revoked, renewed and overwritten certificates.
* Built using compilation-free `oscrypto <https://github.com/wbond/oscrypto>`_ library.
* Object tagging, attach metadata to certificates using extended filesystem attributes.

Virtual private networking:

* Send OpenVPN profile URL tokens via e-mail, for simplified VPN adoption on Android, iOS, Windows, Mac OS X and Ubuntu.
* Send VPN profile URL tokens via e-mail, for simplified VPN adoption on Android, iOS, Windows, Mac OS X and Ubuntu.
* OpenVPN gateway and roadwarrior integration, check out ``certidude setup openvpn server`` and ``certidude setup openvpn client``.
* StrongSwan gateway and roadwarrior integration, check out ``certidude setup strongswan server`` and ``certidude setup strongswan client``.
* NetworkManager integration for Ubuntu and Fedora, check out ``certidude setup openvpn networkmanager`` and ``certidude setup strongswan networkmanager``.
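Review bot: the reworded bullet replaces "OpenVPN profile URL tokens" with "VPN profile URL tokens" but still does not say which VPN types the e-mailed token now covers. Since both the OpenVPN and the StrongSwan integrations are listed directly below it, write "OpenVPN and StrongSwan profile URL tokens" (or whatever set the token mechanism actually supports) so a reader knows the token flow is not OpenVPN-only.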
@@ -82,12 +83,6 @@ HTTPS:
* HTTPS server setup with client verification, check out ``certidude setup nginx``


TODO
----

* Use `pki.js <https://pkijs.org/>`_ for generating keypair in the browser when claiming a token.


Install
-------

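Review bot: the TODO section is deleted together with its only item, generating the keypair in the browser with pki.js when a token is claimed, and no feature bullet replaces it. Browser-side key generation is what keeps the client's private key from ever passing through the server, so if the "Update token generator mechanism" item in the commit message implemented it, add it to the feature list; if it did not, keep the TODO entry rather than silently dropping the open item.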
@@ -98,13 +93,12 @@ System dependencies for Ubuntu 16.04:

.. code:: bash

apt install -y
python-click python-configparser \
python-humanize \
python-ipaddress python-jinja2 python-ldap python-markdown \
python-mimeparse python-mysql.connector python-openssl python-pip \
python-pyasn1 python-pysqlite2 python-requests \
python-setproctitle python-xattr
apt install -y \
python3-click \
python3-jinja2 python3-markdown \
python3-pip \
python3-mysql.connector python3-requests \
python3-pyxattr

System dependencies for Fedora 25+:

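Review bot: the new ``apt install`` line drops python-ldap, python-openssl, python-pyasn1, python-humanize, python-mimeparse, python-pysqlite2 and python-setproctitle without naming any python3 counterpart (python3-openssl and python3-pyasn1, for instance, exist on Ubuntu 16.04). Either say that these modules now come in through ``pip3 install -r requirements.txt`` or add the python3 packages back, otherwise a fresh install that follows this list will be missing modules at first start. Dropping python-configparser and python-ipaddress is fine, since both are backports of modules that ship in the Python 3 standard library, and a one-line remark saying so would stop readers from re-adding them.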
@@ -153,6 +147,13 @@ and start the services:

systemctl restart certidude

Certidude will submit e-mail notifications to locally running MTA.
Install Postfix and configure it as Satellite system:

.. code:: bash

apt install postfix


Setting up PAM authentication
-----------------------------
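Review bot: the two added sentences need articles ("to a locally running MTA", "as a Satellite system"), and "Satellite system" should be explained: it is one of the configuration types offered by the debconf prompt that ``apt install postfix`` shows, and choosing it asks for the relay host (smarthost) that all outgoing notification mail is forwarded to. A non-interactive install, or a host that already has an MTA, never shows that prompt, so add how to set the relay host in that case. It is also worth stating that, because Certidude submits mail locally, the MTA only needs to listen on localhost.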
@@ -171,7 +172,7 @@ Python modules:

.. code:: bash

pip install simplepam
pip3 install simplepam

The default configuration generated by ``certidude setup`` should make use of the
PAM.
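Review bot: the unchanged sentence under the code block reads "should make use of the PAM"; drop "the" while touching this section ("should make use of PAM"). Also, ``pip3 install simplepam`` is run without a virtualenv and, in this README, as root, so it lands in the system interpreter next to the apt-managed python3 packages above; a short note that this is intended (or a pointer to using ``python3 -m pip install --user``) would save readers from mixing two package managers by accident.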
@@ -247,17 +248,7 @@ Setting up services

Set up services as usual (OpenVPN, Strongswan, etc), when setting up certificates
generate signing request with TLS server flag set.
Paste signing request into the Certidude web interface and hit the submit button.

Since signing requests with custom flags are not allowed to be signed
from the interface due to security concerns, sign the certificate at Certidude command line:

.. code:: bash

certidude sign gateway.example.com

Download signed certificate from the web interface or ``wget`` it into the service machine.
Fetch also CA certificate and finish configuring the service.
See Certidude admin interface how to submit CSR-s and retrieve signed certificates.


Setting up clients
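Review bot: the whole manual procedure for TLS server certificates (CSR with the TLS server flag, submit in the web UI, ``certidude sign gateway.example.com`` on the command line, fetch the certificate and the CA certificate) is removed, and nothing in the hunk describes the self-enroll flow that the commit message says replaces it. The removed text also carried the one security rule in this section, that requests with custom flags are not signed from the web interface; if that rule still holds after self-enroll, keep a sentence stating it together with how a gateway now obtains its server certificate, otherwise operators are left without any documented path to a server certificate.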
@@ -319,35 +310,19 @@ Install dependencies as shown above and additionally:

.. code:: bash

pip install -r requirements.txt
pip3 install -r requirements.txt

To generate templates:
To install the package from the source tree:

.. code:: bash

apt install npm nodejs
sudo ln -s nodejs /usr/bin/node # Fix 'env node' on Ubuntu 14.04
npm install -g nunjucks@2.5.2
nunjucks-precompile --include "\\.html$" --include "\\.svg$" certidude/static/ > certidude/static/js/templates.js
cp /usr/local/lib/node_modules/nunjucks/browser/*.js certidude/static/js/

To run from source tree:

.. code:: bash

PYTHONPATH=. KRB5CCNAME=/run/certidude/krb5cc KRB5_KTNAME=/etc/certidude/server.keytab LANG=C.UTF-8 python misc/certidude

To install the package from the source:

.. code:: bash

pip install -e .
pip3 install -e .

To run tests and measure code coverage grab a clean VM or container:

.. code:: bash

pip install codecov pytest-cov
pip3 install codecov pytest-cov
rm .coverage*
TRAVIS=1 coverage run --parallel-mode --source certidude -m py.test tests
coverage combine
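Review bot: the template build steps (``npm install -g nunjucks@2.5.2``, ``nunjucks-precompile ...`` into ``certidude/static/js/templates.js``, copying the nunjucks browser runtime) are removed and "To generate templates:" becomes "To install the package from the source tree:", but the hunk documents no replacement. The commit message says assets are now compiled from npm packages into ``/var/lib/certidude/ca.example.lan/assets``, so add the command that performs that compilation and the npm packages it needs; without it a checkout installed with ``pip3 install -e .`` starts a server with no templates or assets. If the "To run from source tree:" command is dropped as well, note that it was the only place showing the ``KRB5CCNAME=/run/certidude/krb5cc`` and ``KRB5_KTNAME=/etc/certidude/server.keytab`` settings a Kerberos-enabled development run needs, so move that line rather than lose it.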
@@ -357,7 +332,7 @@ To uninstall:

.. code:: bash

pip uninstall certidude
pip3 uninstall certidude


Certificate attributes
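Review bot: ``pip3 uninstall certidude`` only removes the Python package. The section should say what happens to the state left on disk: the CA directory the commit message uses, ``/var/lib/certidude/ca.example.lan`` (compiled assets go under it), and the configuration under ``/etc/certidude`` that ``KRB5_KTNAME=/etc/certidude/server.keytab`` points at earlier in this README. Whether the CA's private key material and issued certificates are removed or deliberately kept is the decision a reader most needs spelled out here, so add a sentence on it.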