lauri
/
certidude
mirror of https://github.com/laurivosandi/certidude
1
0
Fork 0
Code Issues Activity
Easy to use Certificate Authority web service for OpenVPN, StrongSwan and HTTPS Edit
4 Commits 2 Branches 0 Tags 18 MiB
Python 69.3%
HTML 12%
Shell 9.2%
JavaScript 6.4%
Nginx 1.4%
Other 1.7%
Go to file
Lauri Võsandi 10a329c0fe Added uWSGI support and documentation 2015-07-27 15:30:50 +03:00
certidude Added uWSGI support and documentation 2015-07-27 15:30:50 +03:00
misc Initial commit 2015-07-12 22:22:10 +03:00
.gitignore Initial commit 2015-07-12 22:22:10 +03:00
LICENSE Initial commit 2015-07-12 22:15:19 +03:00
MANIFEST.in Implemented essential functionality 2015-07-26 23:34:46 +03:00
README.rst Added uWSGI support and documentation 2015-07-27 15:30:50 +03:00
setup.py Added uWSGI support and documentation 2015-07-27 15:30:50 +03:00

README.rst 

Certidude
=========

Introduction
------------

Certidude is a novel X.509 Certificate Authority management tool
with privilege isolation mechanism aiming to
eventually support PKCS#11 and in far future WebCrypto.


Features
--------

* Standard request, sign, revoke workflow via web interface.
* Colored command-line interface, check out ``butterknife list``
* OpenVPN integration, check out ``butterknife setup openvpn server`` and ``butterknife setup openvpn client``
* Privilege isolation, separate signer process is spawned per private key isolating
  private key use from the the web interface.
* Certificate numbering obfuscation, certificate serial numbers are intentionally
  randomized to avoid leaking information about business practices.
* Server-side events support via for example nginx-push-stream-module


TODO
----

* Refactor mailing subsystem and server-side events to use hooks.
* Notifications via e-mail.
* strongSwan setup integration.
* OCSP support.
* Deep mailbox integration, eg fetch CSR-s from mailbox via IMAP.
* WebCrypto support, meanwhile check out `hwcrypto.js <https://github.com/open-eid/hwcrypto.js>`_.
* Certificate push/pull, making it possible to sign offline.
* PKCS#11 hardware token support for signatures at command-line.


Install
-------

To install Certidude:

.. code:: bash

    apt-get install python3 python3-dev build-essential
    pip3 install certidude
    
Create a user for ``certidude``:

.. code:: bash

    useradd certidude


Setting up CA
--------------

Certidude can set up CA relatively easily:

.. code:: bash

    certidude setup authority /path/to/directory

Tweak command-line options until you meet your requirements and
then insert generated section to your /etc/ssl/openssl.cnf

Finally serve the certificate authority via web:

.. code:: bash

    certidude serve


Certificate management
----------------------

Use following command to request a certificate on a machine:

.. code::

    certidude setup client http://certidude-hostname-or-ip:perhaps-port/api/ca-name/

Use following to list signing requests, certificates and revoked certificates:

.. code::

    certidude list

Use web interface or following to sign a certificate on Certidude server:

.. code::

    certidude sign client-hostname-or-common-name


Production deployment
---------------------

Unstall uWSGI:

.. code:: bash

    apt-get install uwsgi uwsgi-plugin-python3

Configure uUWSGI application in ``/etc/uwsgi/apps-available/certidude.ini``:

.. code:: ini

    [uwsgi]
    master = true
    processes = 1
    vaccum = true
    uid = certidude
    gid = certidude
    plugins = python34
    pidfile = /run/certidude/api/uwsgi.pid
    socket = /run/certidude/api/uwsgi.sock
    chdir = /tmp
    module = certidude.wsgi
    callable = app
    chmod-socket = 660
    chown-socket = certidude:www-data
    env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%s
    env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%s

Also enable the application:

.. code:: bash

    ln -s ../apps-available/certidude.ini /etc/uwsgi/apps-enabled/certidude.ini

We support `nginx-push-stream-module <https://github.com/wandenberg/nginx-push-stream-module>`_,
configure the site in /etc/nginx/sites-available.d/certidude:

.. code::

    upstream certidude_api {
        server unix:///run/uwsgi/app/certidude/socket;
    }

    server {
        server_name localhost;
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        location ~ /event/publish/(.*) {
            allow 127.0.0.1; # Allow publishing only from this IP address
            push_stream_publisher admin;
            push_stream_channels_path $1;
        }

        location ~ /event/subscribe/(.*) {
            push_stream_channels_path $1;
            push_stream_subscriber long-polling;
        }

        location / {
            include uwsgi_params;
            uwsgi_pass certidude_api;
        }
    }

Enable the site:

.. code:: bash

    ln -s ../sites-available.d/certidude.ini /etc/nginx/sites-enabled.d/certidude

Also adjust ``/etc/nginx/nginx.conf``:

.. code::

    user www-data;
    worker_processes 4;
    pid /run/nginx.pid;

    events {
	    worker_connections 768;
	    # multi_accept on;
    }

    http {
        push_stream_shared_memory_size 32M;
	    sendfile on;
	    tcp_nopush on;
	    tcp_nodelay on;
	    keepalive_timeout 65;
	    types_hash_max_size 2048;
	    include /etc/nginx/mime.types;
	    default_type application/octet-stream;
	    access_log /var/log/nginx/access.log;
	    error_log /var/log/nginx/error.log;
	    gzip on;
	    gzip_disable "msie6";
        include /etc/nginx/sites-enabled.d/*;
    }

Restart the services:

.. code:: bash

    service uwsgi restart
    service nginx restart