openstack/anchor
Code Issues Proposed changes
27 Commits 1 Branch 3 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Stanislaw Pitucha 334a446425 Add a test CA generator
2014-04-16 22:02:42 +01:00
CA
Move CA stuff into a dir
2014-03-21 14:04:20 +00:00
certs
Add serial number handling
2014-03-21 14:30:23 +00:00
ephemeral_ca
Add validation of extensions
2014-04-04 18:23:37 +01:00
tools
Add a test CA generator
2014-04-16 22:02:42 +01:00
.gitignore
Ignore the generated files
2014-03-28 10:59:23 +00:00
config.cfg.sample
Add validation of extensions
2014-04-04 18:23:37 +01:00
MANIFEST.in
Include config in source release
2014-03-28 10:59:23 +00:00
README.md
Fix escaping
2014-03-26 18:04:57 +00:00
setup.py
Include config in source release
2014-03-28 10:59:23 +00:00
tox.ini
Add flake8 rules for line length
2014-04-04 18:24:15 +01:00

README.md

Ephemeral CA

This service generates quickly expiring certificates for a given CA. The validity period can be set in the config file with hour resolution.

There are checks done against the certificate inside of the validate() function. Currently some of the checks are: is the domain in CN ending with one of the suffixes allowed n the config file and does the server prefix match the ldap user's team (for example is "nv-..." requested by a member of "Nova_Team".

Installation

This service requires either a python virtual environment and python/ssl/ldap/sasl development system packages, or system python-ldap, python-flask packages.

For virtual environment run:

virtualenv .venv
. .venv/bin/activate
./setup.py develop

The config file should be copied from config.cfg.sample to ephemeral_ca/config.cfg with any details updated.

The service can be run with:

ephemeral_ca_server

To test the service, generate the certificate request and submit it using curl:

openssl req -text -newkey rsa:384 -nodes -out some.name.hpcloud.net.csr
curl http://0:5000/sign -F user=sso_username -F secret=sso_password -F encoding=pem -F 'csr=<some.name.hpcloud.net.csr'
Description
RETIRED - An Ephemeral PKI system that can act as a trust anchor for OpenStack PKI operations
Readme 3.2 MiB