
A short-lived certificate tool based on the Zero Trust network model

Project description

mTLS Server


A mutual TLS (mTLS) system for authenticating users to services that need to be on the internet but should only be accessible to the users who specifically need them. It is meant to be an initial security measure layered on top of normal login, providing multi-factor authentication.

This server exposes an API for converting Certificate Signing Requests (CSRs) into client certificates. The user database is a PGP trust database: the server verifies the detached PGP signature over the submitted CSR and, if the signer is trusted, generates a new client certificate. The client certificate has a default lifetime of 18 hours, but can be configured with a longer time to live (TTL). Admin calls, which manage the Certificate Revocation List (CRL), are signed requests authenticated against a secondary PGP trust database.

This project is based on the whitepapers for Beyond Corp, Google's Zero Trust security model.

Background

What is Mutual TLS?

Mutual TLS is a sub-category of mutual authentication, in which both parties to a connection (client and server, or server and server) verify each other's identity before either is allowed to access the requested information.

What is this Good For?

Creating services that inherently trust no one unless specifically authorized. This provides the basis for a zero-trust, multi-factor authentication scheme while also time-boxing access to the requested service, which limits the damage if a client's keys are compromised or lost.

Configuration

ENV

Parameter       | Description                          | Default
CONFIG_PATH     | The path to the config file          | config.ini
PROTOCOL        | The protocol the server runs as      | http
FQDN            | The Fully Qualified Domain Name      | localhost
CA_KEY_PASSWORD | The password for the CA key          |
SEED_ON_INIT    | Seed the gpg trust store on init     | 1

config.ini

Section          | Field          | Description
mtls             | min_lifetime   | Minimum lifetime of a client certificate, in seconds
mtls             | max_lifetime   | Maximum lifetime of a client certificate, in seconds; 0 disables the upper bound
ca               | key            | The path to the CA key
ca               | cert           | The path to the CA certificate
ca               | alternate_name | Alternate DNS name(s); comma-separated when there is more than one
gnupg            | user           | Path to the user GNUPGHOME
gnupg            | admin          | Path to the admin GNUPGHOME
storage          | engine         | The storage engine: sqlite3 or postgres
storage.sqlite3  | db_path        | Path to the sqlite3 database file
storage.postgres | database       | Database name
storage.postgres | user           | Database user
storage.postgres | password       | Database password
storage.postgres | host           | Database host
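The lifetime settings above decide how long a leaked client certificate stays usable, so they are worth reasoning about concretely. The following is an added illustration, not code from mtls-server: it reads a constructed config.ini with the sections documented above, applies the 18-hour default TTL, and enforces the min_lifetime/max_lifetime bounds (with max_lifetime = 0 meaning no upper bound). Rejecting rather than clamping out-of-range requests, and the sample paths and hostnames, are assumptions of this example.

```python
import configparser
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample config.ini using the sections/fields from the table above
SAMPLE_CONFIG = """
[mtls]
min_lifetime = 60
max_lifetime = 86400

[ca]
key = secrets/certs/ca.key
cert = secrets/certs/ca.crt
alternate_name = service.example.com, api.example.com
"""

DEFAULT_LIFETIME = 18 * 60 * 60  # documented default client-cert TTL: 18 hours


def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def resolve_lifetime(cfg: configparser.ConfigParser, requested: Optional[int] = None) -> int:
    """Lifetime (seconds) to issue for a request, or ValueError if out of policy.

    Uses the 18-hour default when the client asks for nothing. Rejecting
    (instead of clamping) out-of-range values is this example's assumption.
    """
    min_lt = cfg.getint("mtls", "min_lifetime", fallback=0)
    max_lt = cfg.getint("mtls", "max_lifetime", fallback=0)
    lifetime = DEFAULT_LIFETIME if requested is None else int(requested)
    if lifetime < min_lt:
        raise ValueError(f"requested {lifetime}s is below min_lifetime {min_lt}s")
    if max_lt and lifetime > max_lt:  # max_lifetime = 0 disables the upper bound
        raise ValueError(f"requested {lifetime}s exceeds max_lifetime {max_lt}s")
    return lifetime


def lifetime_allowed(cfg: configparser.ConfigParser, requested: Optional[int] = None) -> bool:
    """Boolean form of resolve_lifetime, convenient for request validation."""
    try:
        resolve_lifetime(cfg, requested)
        return True
    except ValueError:
        return False


def validity_window(lifetime: int, now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """notBefore/notAfter for a certificate issued now with the given lifetime."""
    now = now or datetime.now(timezone.utc)
    return now, now + timedelta(seconds=lifetime)


def alternate_names(cfg: configparser.ConfigParser) -> List[str]:
    """Split the comma-separated ca.alternate_name field into SAN entries."""
    raw = cfg.get("ca", "alternate_name", fallback="")
    return [name.strip() for name in raw.split(",") if name.strip()]
```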

Production

Running From Source

  1. Download the package

    git clone https://github.com/drGrove/mtls-server
    
  2. Install Packages

    make setup
    
  3. Run the server (This requires docker)

    make run-prod
    

Development

Dependencies

  • make
  • pipenv
  • docker

Getting Started

  1. Install the git hooks, generate base secrets for testing and install dependencies

    make setup-dev
    cp config.ini.example config.ini
    
  2. Edit the config to have the issuer name and alternate names your service is creating client certificates for.

  3. Run the service. Some of the final checks are not performed here, because they are handled by nginx, which is the primary deployment this project is tested against.

    make run
    
  4. Check the final build. This lets you test all configurations end to end and confirm that you can reach the test endpoint /test/ with your new client certificate. Test this against mtls-client for integration testing; details on how your system is modified to handle these certificates are documented there.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

  • mtls-server-0.20.0.tar.gz (64.5 kB, Source)

Built Distribution

  • mtls_server-0.20.0-py3-none-any.whl (34.3 kB, Python 3)

File details: mtls-server-0.20.0.tar.gz

  • Download URL: mtls-server-0.20.0.tar.gz
  • Size: 64.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.6.0 importlib_metadata/4.8.1 pkginfo/1.8.2 requests/2.27.1 requests-toolbelt/0.9.1 tqdm/4.63.0 CPython/3.10.2

Hashes for mtls-server-0.20.0.tar.gz

  Algorithm   | Hash digest
  SHA256      | 06eeb79b914cd89809253f3b10d8a7d3df0bc2c1fc406a05455d857eb5280639
  MD5         | dad6130f0b0ea6ab56d90221ed176142
  BLAKE2b-256 | 36e6eabb5661666e6f8147099b47f2f27fca3582e0a170cdf8f2f7dfdd84ebd5

File details: mtls_server-0.20.0-py3-none-any.whl

  • Download URL: mtls_server-0.20.0-py3-none-any.whl
  • Size: 34.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.6.0 importlib_metadata/4.8.1 pkginfo/1.8.2 requests/2.27.1 requests-toolbelt/0.9.1 tqdm/4.63.0 CPython/3.10.2

Hashes for mtls_server-0.20.0-py3-none-any.whl

  Algorithm   | Hash digest
  SHA256      | 37dd5cb8add57f27fac8d4c6622d2578c331e162796a066263cdc1b6ae94cc80
  MD5         | f4b11f8e120338a2b602aab4b23d7ed9
  BLAKE2b-256 | 36eea32e2321f48fe398a0dfd91bb7eb89df7305b8a47c4089479453fca2df88
