Certidude is a novel X.509 Certificate Authority management tool aiming to support PKCS#11 and in far future WebCrypto.
Project description
Introduction
Certidude is a novel X.509 Certificate Authority management tool with privilege isolation mechanism aiming to eventually support PKCS#11 and in far future WebCrypto.
Features
Standard request, sign, revoke workflow via web interface.
Colored command-line interface, check out butterknife list
OpenVPN integration, check out butterknife setup openvpn server and butterknife setup openvpn client
Privilege isolation, separate signer process is spawned per private key isolating private key use from the the web interface.
Certificate numbering obfuscation, certificate serial numbers are intentionally randomized to avoid leaking information about business practices.
Server-side events support via for example nginx-push-stream-module
TODO
Refactor mailing subsystem and server-side events to use hooks.
Notifications via e-mail.
strongSwan setup integration.
OCSP support.
Deep mailbox integration, eg fetch CSR-s from mailbox via IMAP.
WebCrypto support, meanwhile check out hwcrypto.js.
Certificate push/pull, making it possible to sign offline.
PKCS#11 hardware token support for signatures at command-line.
Install
To install Certidude:
apt-get install python3 python3-dev build-essential
pip3 install certidude
Setting up CA
Certidude can set up CA relatively easily:
certidude setup authority /path/to/directory
Tweak command-line options until you meet your requirements and then insert generated section to your /etc/ssl/openssl.cnf
Finally serve the certificate authority via web:
certidude serve
Certificate management
Use following command to request a certificate on a machine:
certidude setup client http://certidude-hostname-or-ip:perhaps-port/api/ca-name/
Use following to list signing requests, certificates and revoked certificates:
certidude list
Use web interface or following to sign a certificate on Certidude server:
certidude sign client-hostname-or-common-name
Streaming push support
We support nginx-push-stream-module, configure it as follows to enable real-time responses to events:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
push_stream_shared_memory_size 32M;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name localhost;
location ~ /event/publish/(.*) {
allow 127.0.0.1; # Allow publishing only from this IP address
push_stream_publisher admin;
push_stream_channels_path $1;
}
location ~ /event/subscribe/(.*) {
push_stream_channels_path $1;
push_stream_subscriber long-polling;
}
location /api/ {
proxy_pass http://127.0.0.1:9090/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
}
For butterknife serve export environment variables:
export CERTIDUDE_EVENT_PUBLISH = "http://localhost/event/publish/%s"
export CERTIDUDE_EVENT_SUBSCRIBE = "http://localhost/event/subscribe/%s"
certidude server -p 9090
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.