
certmaster's Introduction

certmaster -- it hands out SSL certs!

read more at:

Original Fedora Project Page

Original Fedora Repo


About this fork

certmaster -- it hands out SSL certs from multiple CAs!!!

Multiple CA support

This certmaster fork introduces a new '--ca' argument for specifying an alternative certificate authority.

This allows one certmaster instance to supply certs from multiple authorities instead of requiring a separate certmaster instance for each certificate authority you use.

If you don't want to use multiple CAs, this fork should act just like the parent certmaster project from Fedora: you should be able to upgrade your existing certmaster to this version, and it will continue to serve your existing certs.

If you want to add additional certificate authorities, add a section of the following form to your certmaster.conf file for each CA, giving each CA its own name and its own set of directories.

[ca:name]
autosign = yes_or_no
cadir = /path/to/cadir
cert_dir = /path/to/cert_dir
certroot = /path/to/certroot
csrroot = /path/to/csrroot

To operate on the new CA, include the argument '--ca=name' in your certmaster-ca command line; without it, certmaster-ca works on the default CA.

Likewise, when requesting certs from the new CA, include a section of the following form in your minion.conf file:

[ca:name]
cert_dir = /path/to/cert_dir

Then include the argument '--ca=name' in your certmaster-request commands to request a cert from the 'name' CA.

If the '--ca' argument is not given, the default CA is used, as defined by the autosign, cadir, cert_dir, certroot, and csrroot options in the main section of certmaster.conf or minion.conf.
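As an added example (not code from the certmaster project), the following Python reads a certmaster.conf of the shape described above, resolves the CA that a '--ca=name' argument selects, and falls back to the main section when the argument is absent. The section name 'main' for the defaults and all sample paths are assumptions; it also reports any directory two CAs both use, since a shared csrroot or certroot is exactly what the "different set of directories" requirement guards against.

```python
import configparser
# Options that define a CA: the same five keys in [main] and in each [ca:name].
CA_KEYS = ("autosign", "cadir", "cert_dir", "certroot", "csrroot")
# Constructed sample certmaster.conf (section name 'main' and paths are assumptions); [ca:staging] deliberately reuses the csrroot of [ca:internal].
SAMPLE_CONF = """\
[main]
autosign = no
cadir = /var/lib/certmaster/ca
cert_dir = /etc/pki/certmaster
certroot = /var/lib/certmaster/certmaster/certs
csrroot = /var/lib/certmaster/certmaster/csrs
[ca:internal]
autosign = yes
cadir = /var/lib/certmaster/internal/ca
cert_dir = /etc/pki/certmaster/internal
certroot = /var/lib/certmaster/internal/certs
csrroot = /var/lib/certmaster/internal/csrs
[ca:staging]
autosign = no
cadir = /var/lib/certmaster/staging/ca
cert_dir = /etc/pki/certmaster/staging
certroot = /var/lib/certmaster/staging/certs
csrroot = /var/lib/certmaster/internal/csrs
"""

def load_cas(conf_text):
    """Return {ca_name: {option: value}}; the default CA from [main] is stored under None."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    cas = {None: {k: cp.get("main", k) for k in CA_KEYS}}
    for section in cp.sections():
        if section.startswith("ca:"):
            cas[section[len("ca:"):]] = {k: cp.get(section, k) for k in CA_KEYS}
    return cas

def resolve_ca(cas, ca_arg=None):
    """Pick the CA named by --ca; with no argument the default CA is used; unknown names are rejected."""
    if ca_arg not in cas:
        raise KeyError(f"no [ca:{ca_arg}] section in certmaster.conf")
    return cas[ca_arg]

def shared_dirs(cas):
    """List (option, path, first_owner, other) for every directory two CAs both use."""
    owners, clashes = {}, []
    for name, conf in cas.items():
        for key in CA_KEYS[1:]:  # the four directory options
            first = owners.setdefault(conf[key], name)
            if first != name:
                clashes.append((key, conf[key], first, name))
    return clashes
```

Run shared_dirs() over the loaded config before starting the daemon; a non-empty result means two CAs would read each other's requests or certificates.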

Functional Tests

This fork introduces some functional tests using the shUnit2 framework.

NOTE THESE TESTS ARE DESTRUCTIVE SO DON'T RUN THEM ON YOUR LIVE CERTMASTER HOST

The tests overwrite the /etc/certmaster/certmaster.conf and /etc/certmaster/minion.conf files, and delete the cert data directories, so only run these tests on a test server / VM / docker image, not on your live production certmaster instance.

Misc Changes

  • 'certmaster-ca --version' reads /etc/certmaster/version instead of func's version file
  • certmaster-sync doesn't error out if func is not present
  • switched README to README.md


certmaster's Issues

support hash functions other than sha1

sha1 certs are being deprecated, but certmaster has the sha1 algorithm hardcoded in a number of places.

Add a hashfunc option support to the config file which can be set to hashlib.algorithms strings. Then use this algorithm for creating the CA and signing certs.

Default the hashfunc value to 'sha256'. Allow hashfunc to be 'sha1', but generate a deprecation warning whenever sha1 is used in the certmaster-ca or certmaster-request commands.
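As an added illustration of what this issue proposes (not code from certmaster), the following Python reads a 'hashfunc' option from the main section of the config (section name assumed), defaults it to sha256, rejects names that hashlib cannot build, and emits a DeprecationWarning for sha1 while still allowing it:

```python
import configparser
import hashlib
import warnings

DEFAULT_HASHFUNC = "sha256"
DEPRECATED_HASHFUNCS = ("sha1", "md5")  # still accepted, but warned about


def resolve_hashfunc(conf_text):
    """Return (name, deprecated) for the configured digest and warn when it is deprecated.

    Python 3 lists the usable digest names in hashlib.algorithms_available
    (the Python 2 hashlib.algorithms tuple is the equivalent the issue refers to).
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    name = cp.get("main", "hashfunc", fallback=DEFAULT_HASHFUNC).strip().lower()
    if name not in hashlib.algorithms_available:
        raise ValueError(f"hashfunc {name!r} is not supported by this Python/OpenSSL build")
    deprecated = name in DEPRECATED_HASHFUNCS
    if deprecated:
        warnings.warn(f"hashfunc {name} is deprecated for certificate signing; "
                      f"set hashfunc = {DEFAULT_HASHFUNC}", DeprecationWarning, stacklevel=2)
    return name, deprecated


def fingerprint(conf_text, der_bytes):
    """Digest certificate or CSR bytes with the configured hashfunc, as 'NAME aa:bb:...'."""
    name, _ = resolve_hashfunc(conf_text)
    digest = hashlib.new(name, der_bytes).hexdigest()
    return name.upper() + " " + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample configs: one explicit, one legacy, one without the option at all.
CONF_SHA384 = "[main]\nhashfunc = sha384\n"
CONF_LEGACY = "[main]\nhashfunc = sha1\n"
CONF_UNSET = "[main]\nautosign = no\n"
```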

CT Log integration

As a manager of a CA running certmaster, I would like to automatically log pre-certificates with the poison-extension for all newly issued certificates into a CT log. I would like the URL or other address identifier for the CT log enrollment API to be configurable in the configuration file. This will enable me to make all issuance public, transparent and auditable, which will strengthen trust in my PKI and ensure that misissuance is prevented, or if it occurs, that it can be rapidly detected and remediated.

Available hashing+signing algorithm options

As a manager of a CA running on certmaster, I would like to be able to set the hashing+signing algorithm via configuration, for example, SHA256ECDSAp192 or SHA384RSA or the like. This will enable me to issue certificates using modern hashing and signing functions that meet the authenticity needs in the face of chosen-prefix collisions in SHA-1 / SHA160.
