path: root/doc/server/plugins/generators/sslca.txt
=====
SSLCA
=====

SSLCA is a simple generator plugin designed to handle creation of
SSL private keys and certificates on request.

At present, only the following file locations are supported, and thus
only a single key and certificate will be generated:

* /etc/pki/tls/private/localhost.key
* /etc/pki/tls/certs/localhost.crt

While this could be seen as very limiting, SSLCA does support any aliases
specified in clients.xml. Any aliases will be added to the cert under the
subjectAltName extension.


Interacting with SSLCA
======================

* Pre-seeding with existing keys/certs -- Currently existing keys/certs
  will be overwritten by new, sslca-managed ones by default. Pre-existing
  files can be added to the repository by putting them in
  <repo>/SSLCA/<filename>.H_<hostname>

* Revoking existing keys -- deleting <repo>/SSLCA/\*.H_<hostname>
  will remove files for an existing client.


Getting started
===============

#. Add SSLCA to the **plugins** line in ``/etc/bcfg2.conf`` and
   restart the server -- This enables the SSLCA plugin on the Bcfg2
   server.

#. Add Path entries for ``/etc/pki/tls/private/localhost.key`` and
   ``/etc/pki/tls/certs/localhost.crt`` to a bundle or base.

#. Add a [sslca] section to ``/etc/bcfg2.conf`` containing the following
   information:

   ca_cert - location of the CA certificate
   ca_key - location of the CA private key
   ca_key_passphrase - passphrase (if any) needed to use the CA private key
   cert_subject - additional subject info for the resulting certificates; CN
                  will always be the Bcfg2 client's hostname.
   cert_days - number of days from generation that the cert should be valid.
   pkey_bits - number of bits for the private key.

#. Enjoy.


====
TODO
====

V1.0 - Nearly done...

...need to add cert expiry checking/regen...

...otherwise the below is done, but really should be rewritten to
use openssl binary rather than patched m2crypto

Only handles localhost.key and localhost.crt, therefore
assuming we only care about a cert for www, or that all SSL services
will use the same cert

Initialization:
Grab options from bcfg2.conf
load cakey, cacert
cache other options

Req comes in for key & cert
If key exists:
    load key
    cache key
    return key
Else:
    gen key
    cache key
    save key
    return key
If cert exists:
    load cert
    If fails to verify against key:
        gen cert
        save cert
        return cert
    If aliases don't match:
        gen cert
        save cert
        return cert
    return cert
Else:
    gen cert
    save cert
    return cert
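The request flow above, as an added example that is not Bcfg2's own code: it
uses the openssl binary (as the rewrite note suggests) and adds the expiry
check still listed as missing. It assumes a layout the page does not specify
(``$DIR/ca.crt``, ``$DIR/ca.key``, and the managed ``$DIR/localhost.key`` and
``$DIR/localhost.crt``) and a constructed self-signed test CA.

```shell
# Added example (not Bcfg2's own code): the SSLCA request flow done with the
# openssl binary, plus the expiry check the TODO says is missing. Assumed
# layout: $DIR/ca.crt, $DIR/ca.key, $DIR/localhost.key, $DIR/localhost.crt.
set -eu
# sslca_make_test_ca DIR: constructed self-signed CA so the example runs offline.
sslca_make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=sslca-test-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
# sslca_gen_key KEY BITS: private key of pkey_bits size.
sslca_gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$1" 2>/dev/null
}
# sslca_gen_cert CERT KEY CACERT CAKEY DAYS HOST [ALIAS...]: CN is the client
# hostname; hostname and every alias go into subjectAltName; DAYS is cert_days.
sslca_gen_cert() {
  cert=$1; key=$2; cacert=$3; cakey=$4; days=$5; host=$6; shift 6
  san="DNS:$host"; for a in "$@"; do san="$san,DNS:$a"; done
  ext=$(mktemp); printf 'subjectAltName=%s\n' "$san" >"$ext"
  openssl req -new -key "$key" -subj "/CN=$host" 2>/dev/null |
    openssl x509 -req -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
      -days "$days" -extfile "$ext" -out "$cert" 2>/dev/null
  rm -f "$ext"
}
# sslca_needs_regen CERT KEY HOST [ALIAS...]: returns 0 (true) when the cert must
# be regenerated: missing, public key differs from KEY, a name is absent from the
# SANs, or it expires within 30 days. Returns 1 when the cached cert is fine.
sslca_needs_regen() {
  cert=$1; key=$2; host=$3; shift 3
  [ -f "$cert" ] || return 0
  certpub=$(openssl x509 -in "$cert" -noout -pubkey |
            openssl pkey -pubin -outform DER | openssl dgst -sha256)
  keypub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$certpub" = "$keypub" ] || return 0
  san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' |
        tr -d ' ' | tr ',' '\n')
  for a in "$host" "$@"; do printf '%s\n' "$san" | grep -qxF "DNS:$a" || return 0; done
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || return 0
  return 1
}
# sslca_ensure DIR HOST [ALIAS...]: "req comes in for key & cert" from the TODO.
sslca_ensure() {
  dir=$1; host=$2; shift 2
  [ -f "$dir/localhost.key" ] || sslca_gen_key "$dir/localhost.key" 2048
  if sslca_needs_regen "$dir/localhost.crt" "$dir/localhost.key" "$host" "$@"; then
    sslca_gen_cert "$dir/localhost.crt" "$dir/localhost.key" "$dir/ca.crt" "$dir/ca.key" 365 "$host" "$@"
  fi
}
```

Run ``sslca_make_test_ca "$d"`` once and then ``sslca_ensure "$d" host alias...`` on each request; an added alias or a cert nearing expiry triggers regeneration, an unchanged request returns the cached cert.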



V2.0 - Maybe create additional types, SSLCertPath, SSLKeyPath,
to allow generation of multiple certs/keys in arbitrary locations