A short-lived certificate tool based on the Zero Trust network mode

Project description

mTLS Server

A mutual TLS (mTLS) system for authenticating users to services that must be reachable over the internet but should only be accessible to the users who specifically need them. It is intended as an initial security measure on top of the normal login, supplying an additional factor for multi-factor authentication.

This server exposes an API that converts Certificate Signing Requests (CSRs) into client certificates. The user database is a PGP trust database: each request carries a detached PGP signature over the CSR, the server verifies that signature against the trusted user keys, and only then generates a new client certificate. The client certificate has a default lifetime of 18 hours, which can be configured to a longer time to live (TTL). Admin calls for managing the Certificate Revocation List (CRL) are signed requests that are authenticated against a secondary PGP trust database.

This project is based on the BeyondCorp whitepapers, which describe Google's Zero Trust security model.

Background

What is Mutual TLS?

Mutual TLS is a sub-category of mutual authentication, in which the client and server (or two servers) each verify the identity of the other, so that both parties can establish that the peer should be allowed to access the requested information.

What is this Good For?

Creating services that inherently trust no one unless specifically authorized. This provides the basis for a zero trust, multi-factor authentication scheme while also time-boxing access to the requested service, which limits the damage if access keys are compromised or lost.

Configuration

ENV

Parameter        Description                      Default
CONFIG_PATH      The path to the config file      config.ini
PROTOCOL         The protocol the server runs as  http
FQDN             The Fully Qualified Domain Name  localhost
CA_KEY_PASSWORD  The password for the CA key
SEED_ON_INIT     Seed gpg trust store on init     1

config.ini

Section           Field           Description
mtls              min_lifetime    Minimum lifetime of a client certificate, in seconds
mtls              max_lifetime    Maximum lifetime of a client certificate, in seconds; 0 disables the limit
ca                key             Path to the CA key
ca                cert            Path to the CA certificate
ca                alternate_name  Alternate DNS name(s); comma separated for multiples
gnupg             user            Path to the user GNUPGHOME
gnupg             admin           Path to the admin GNUPGHOME
storage           engine          Storage engine: sqlite3 or postgres
storage.sqlite3   db_path         Path to the sqlite3 database file
storage.postgres  database        Database name
storage.postgres  user            Database user
storage.postgres  password        Database password
storage.postgres  host            Database host
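As an added example that is not mtls-server's own code, the stdlib-only Python below loads a config.ini shaped like the table above and applies the lifetime policy the project describes (18 hour default, min_lifetime floor, max_lifetime cap with 0 meaning no cap) and the comma-separated alternate_name field. The section and field names come from the table; the function names and the sample values are constructed for this illustration.

```python
import configparser
from datetime import timedelta

# Project default: client certificates live 18 hours unless a longer TTL is requested.
DEFAULT_LIFETIME = int(timedelta(hours=18).total_seconds())  # 64800 seconds

# Constructed config.ini fragment using the [mtls] and [ca] fields documented above.
SAMPLE_CONFIG = """
[mtls]
min_lifetime = 60
max_lifetime = 604800

[ca]
key = secrets/ca.key
cert = secrets/ca.crt
alternate_name = example.com, www.example.com,api.example.com
"""


def load_config(text):
    """Parse config.ini text; dotted names such as storage.sqlite3 are ordinary sections."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def lifetime_bounds(cfg):
    """Return (min_lifetime, max_lifetime) in seconds as read from the [mtls] section."""
    return cfg.getint("mtls", "min_lifetime"), cfg.getint("mtls", "max_lifetime")


def resolve_lifetime(requested, min_lifetime, max_lifetime):
    """Validate a requested TTL in seconds; None selects the 18 h default.

    The bound is what keeps the certificate short-lived, so a request outside it
    is rejected rather than silently clamped. A max_lifetime of 0 disables the cap.
    """
    ttl = DEFAULT_LIFETIME if requested is None else int(requested)
    if ttl < min_lifetime:
        raise ValueError(f"lifetime {ttl}s is below min_lifetime {min_lifetime}s")
    if max_lifetime and ttl > max_lifetime:
        raise ValueError(f"lifetime {ttl}s exceeds max_lifetime {max_lifetime}s")
    return ttl


def alternate_names(cfg):
    """Split the comma-separated ca.alternate_name value into a list of DNS names."""
    raw = cfg.get("ca", "alternate_name", fallback="")
    return [name.strip() for name in raw.split(",") if name.strip()]
```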

Production

Running From Source

  1. Download the package

    git clone https://github.com/drGrove/mtls-server
    
  2. Install Packages

    make setup
    
  3. Run the server (This requires docker)

    make run-prod
    

Development

Dependencies

  • make
  • pipenv
  • docker

Getting Started

  1. Install the git hooks, generate base secrets for testing and install dependencies

    make setup-dev
    cp config.ini.example config.ini
    
  2. Edit the config to set the issuer name and the alternate names of the service your client certificates are being created for.

  3. Run the service. This does not perform some of the final checks, since those are handled in nginx, which is the primary test case for this project.

    make run
    
  4. Check the final build. This lets you test every configuration end to end and confirm that you can reach the test endpoint /test/ with your new client certificate. Test against mtls-client for integration testing; more details on how your system is modified to handle these certificates are found there.

Project details

Download files

Source Distribution: mtls-server-0.18.0.tar.gz (53.8 kB)

Built Distribution: mtls_server-0.18.0-py3-none-any.whl (23.2 kB, Python 3)
