Skip to main content

No project description provided

Project description

CSR Proxy

CSR Proxy is a simple service to sign the clients' CSR via the ACME server.

PyPi version Python Versions License Build Sponsors Ruff

Documentation: https://docs.gufolabs.com/csr_proxy/

Source Code: https://github.com/gufolabs/csr_proxy/


The self-signed certificates are no longer sufficient, posing challenges in distributing trial and evaluation versions of software with web interfaces. To address this, software publishers typically consider the following options:

  1. Delegate Certificate Signing to the User:

    • Pros: Gives control to advanced users.
    • Cons: Requires user knowledge of PKI, complex infrastructure, or additional expenses.
  2. Generate Self-Signed Certificate with mkcert:

    • Pros: Suitable for developers.
    • Cons: Compromises system security, demands browser reloading, and adds complexity.
  3. Order a Certificate from Global CA:

    • Pros: Secure, but expensive.
    • Cons: Violates TLS security principles by exposing the private key.
  4. Use localhost.direct Certificate or Similar Services:

    • Pros: Similar to the previous approach.
    • Cons: Public exposure of the public key.
  5. Order Separate Certificates for Each User:

    • Pros: Secure but time-consuming and costly.
    • Cons: Mutual trust issue; the publisher generates and knows the client's private key.
  6. Generate Client's Key and Certificate via ACME Server:

    • Pros: Less expensive.
    • Cons: Mutual trust issue persists; the publisher generates and knows the client's private key.
  7. Negotiate with ACME Server from Client's Site:

    • Pros: Reliable, but requires additional infrastructure setup.
    • Cons: Suitable for advanced users, not the default choice.

Considering the need for mutual trust and simplicity in software evaluation, the publisher should generate a private certificate on the user's side without touching it. The published also needs to maintain all necessary infrastructure for the certificate signing. Enter the CSR Proxy.

CSR Proxy Overview

The CSR Proxy is a straightforward service executed on the publisher's side. It:

  • Receives the Certificate Signing Request (CSR) from the client.
  • Proxies the CSR to the ACME server for signing.
  • Handles ACME challenge fulfillment, shielding the end user from complexity.

The sequence diagram is shown below. The primal parties are:

  • Client: An entity demanding the certificate signing.

  • CSR Proxy: The certificate signing service, consists of two parts:

    • API: The client-facing API, performing ACME interaction on behalf of the client. Also performs DNS provisioning.
    • DNS: PowerDNS service, providing a provisioning interface to API and serving DNS requests.
  • ACME: Any RFC-8555 compatible ACME server, like Let's Encrypt.

sequenceDiagram
    participant Client
    box CSR Proxy
    participant API
    participant DNS
    end
    participant ACME
    Client->>Client: Generate private RSA key
    Client->>Client: Create CSR
    Client->>API: CSR sign request
    activate API
    API->>ACME: New order
    activate ACME
    ACME->>API: Order authorization
    deactivate ACME
    API->>ACME: Get challenges
    activate ACME
    ACME->>API: Challenges
    deactivate ACME
    API->>DNS: Put _acme-challenges RR
    activate DNS
    DNS->>API: RR is ready
    deactivate DNS
    API->>ACME: Respond dns-01 challenge
    activate ACME
    ACME->>API: Status
    ACME->>DNS: Query _acme-challenge RR
    activate DNS
    DNS->>ACME: _acme-challenge RR
    deactivate DNS
    API->>ACME: Check autorization
    ACME->>API: Authorization status
    API->>ACME: Finalize
    ACME->>API: Order status    
    deactivate ACME
    API->>Client: Signed certificate
    deactivate API    

On Gufo Stack

This product is a part of Gufo Stack - the collaborative effort led by Gufo Labs. Our goal is to create a robust and flexible set of tools to create network management software and automate routine administration tasks.

To do this, we extract the key technologies that have proven themselves in the NOC and bring them as separate packages. Then we work on API, performance tuning, documentation, and testing. The NOC uses the final result as the external dependencies.

Gufo Stack makes the NOC better, and this is our primary task. But other products can benefit from Gufo Stack too. So we believe that our effort will make the other network management products better.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

csr_proxy-0.1.0.tar.gz (15.2 kB view details)

Uploaded Source

Built Distribution

csr_proxy-0.1.0-py3-none-any.whl (10.2 kB view details)

Uploaded Python 3

File details

Details for the file csr_proxy-0.1.0.tar.gz.

File metadata

  • Download URL: csr_proxy-0.1.0.tar.gz
  • Upload date:
  • Size: 15.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.6

File hashes

Hashes for csr_proxy-0.1.0.tar.gz
Algorithm Hash digest
SHA256 de21a3efad6e28e07e34e9efb4317fc45af3d737739cd1ba95a24c93ac70c330
MD5 ece536c4ece44fa8850e93d38e3a2c4c
BLAKE2b-256 67128abad6f0564354eb35552960e5da0db07805fb6106f949dce5d6d096d71f

See more details on using hashes here.

File details

Details for the file csr_proxy-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: csr_proxy-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 10.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.6

File hashes

Hashes for csr_proxy-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b487f46f610b91dfd6dad10c330653a1b03585e1a17b8399df11da762118b4e2
MD5 6cf78819a911e88a44ca26bcc3b7a5c0
BLAKE2b-256 e854f0e8e4a619511adfdc7b6c78ae8d07b15242f859dc0007187e99a6bb58e1

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page