mirrors/acme2certifier
1
0
Fork 0
mirror of https://github.com/grindsa/acme2certifier.git synced 2025-12-31 01:51:01 +02:00
Code Issues Projects Releases Packages Wiki Activity
Page: CA handler for an openssl based CA stored on local file system
Pages
# How to build an acme2certifier cluster on Ubuntu 22.04 <! wiki title: DEB Installation on Ubuntu 22.04 <! wiki title: External Account Binding <! wiki title: Hooks <! wiki title: Installation on Apache2 Running on Ubuntu 22.04 <! wiki title: Installation on NGINX Running on Alma Linux 9 <! wiki title: Pass Information from ACME Client to CA Handler <! wiki title: Reporting and Housekeeping <! wiki title: Support for ACME profiling <! wiki title: Support for External Databases ACME CA handler Asynchronous Mode (`async_mode`) in acme2certifier CA Handler for Microsoft Certification Authority Web Enrollment Service CA Handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA Handler for NetGuard Certificate Lifecycle Manager CA Handler for OpenXPKI CA Handler for XCA CA Handler for an OpenSSL based CA Stored on Local File System CA Polling to Check Pending Enrollment Requests CA Trigger CA handler for Digicert CertCentral CA handler for EJBCA CA handler for Entrust ECS Enterprise CA handler for Insta ActiveCMS CA handler for Insta CA handler for Microsoft Certification Authority Web Enrollment Service CA handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA handler for NetGuard Certificate Lifecycle Manager CA handler for NetGuard Certificate Manager and Insta Certifier CA handler for OpenXPKI CA handler for XCA CA handler for an openssl based CA stored on local file system CA handler using CMPv2 protocol CA handler using EST protocol CA polling to check pending enrollment requests CA trigger CA‐handler for Hashicorp Vault PKI Configuration options for acme2certifier Containerized Installation Using Apache2 or Nginx as Web Server with WSGI or Django Containerized installation DEB installation on Ubuntu 22.04 Database scheme Enrollment of End User Certificates according to RFC8823 Enrollment profiling via external account binding Example commands for acme clients External Account Binding (EAB) External Account Binding Home Hooks support Hooks How to Create Your Own CA Handler How to build am acme2certifier cluster on Ubuntu 22.04 How to build an acme2certifier cluster on Alma Linux 9 How to build an acme2certifier cluster on Ubuntu 22.04 How to contribute to this project How to create your own CA Handler Installation on Apache2 Running on Ubuntu 22.04 Installation on NGINX Running on Alma Linux 9 Installation on Nginx Running on Ubuntu 22.04 Installation on nginx running on Ubuntu 22.04 Pass Information from ACME Client to CA Handler Prevalidated Domain List Feature for ACME Authorization Proxy Support in acme2certifier Proxy support in acme2certifier RPM Installation on AlmaLinux 9 RPM installation on Alma Linux 9 RPM installation on alma Linux 9 Reporting and Housekeeping support SOAP CA Handler Prototype SOAP CA handler protopype Security Policy Support for ACME profiling Support for External Databases Support for TNAuthList Identifier and tkauth 01 Challenges Support for TNAuthList identifier and tkauth 01 challenges Upgrading acme2certifier Using cert manager to enroll certificate in Kubernetes environments acme_srv.cfg configuration options upgrading acme2certifier vault
9 CA handler for an openssl based CA stored on local file system
grindsa edited this page 2023-12-17 06:47:46 +00:00
Unescape Escape
Table of Contents
This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Support for an Openssl based CA stored on local file system

The openssl CA handler is rather for testing and lab usage. I strongly recommend not to reuse it in production environments without reviewing local system configuration and hardening state

Prerequisites

You need to create a certificate authority on the local file-system.

I did it by running the below command:

root@rlh:~# openssl req -x509 -new -extensions v3_ca -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem -days 3650

Configuration

  • create a directory to store the (ca) certificate(s), key and CRL(s)
root@rlh:~# mkdir acme_srv/ca
root@rlh:~# mkdir acme_srv/ca/certs
  • place the above generated key and cert into the "ca" directory
root@rlh:~# mv ca-key.pem acme_srv/ca/
root@rlh:~# mv ca-cert.pem acme_srv/ca/
  • modify the server configuration (/acme_srv/acme_srv.cfg) and add the following parameters
[CAhandler]
handler_file: examples/ca_handler/openssl_ca_handler.py
issuing_ca_key: acme_srv/ca/ca-key.pem
issuing_ca_key_passphrase: Test1234
issuing_ca_cert: acme_srv/ca/ca-cert.pem
issuing_ca_crl: acme_srv/ca/crl.pem
cert_validity_days: 30
cert_validity_adjust: True
cert_save_path: acme_srv/ca/certs
ca_cert_chain_list: []
openssl_conf: acme_srv/ca/openssl.conf
allowed_domainlist: ["foo.bar\\$", "foo1.bar.local"]
blocked_domainlist: ["google.com.foo.bar\\$", "host.foo.bar$", "\\*.foo.bar"]
save_cert_as_hex: True
cn_enforce: True
  • issuing_ca_key - private key of the issuing CA (in PEM format) used to sign certificates and CRLs
  • issuing_ca_key_passphrase - password to access the private key
  • issuing_ca_key_passphrase_variable - optional - name of the environment variable containing the passphrase to access the CA key (a configured issuing_ca_key_passphrase parameter in acme_srv.cfg takes precedence)
  • issuing_ca_cert - Certificate of issuing CA in PEM format
  • issuing_ca_crl - CRL of issuing CA in PEM format
  • ca_cert_chain_list - List of root and intermediate CA certificates to be added to the bundle return to an ACME-client (the issueing CA cert must not be included)
  • cert_validity_days - optional - certificate lifetime in days (default 365)
  • cert_save_path - optional - directory to store then enrolled certificates
  • openssl_conf - optional - file in openssl.conf format containing certificate extensions to be applied
  • allowed_domainlist - optional - list of allowed common names and sans. Format per entry must follow the regular expression syntax- To be stored in json format
  • blocked_domainlist - optional - list of prohibited common names and sans. Format per entry must follow the regular expression syntax. To be stored in json format
  • save_cert_as_hex - optional - serialnumber in hex format will be used as filename to save enrolled certificates - default is False
  • cn_enforce - optional - use first SAN as CN in case there is no CN included in CSR - default is False
  • cert_validity_adjust - optional - limit on the "valid until" field, so that a certificate is never valid longer than any other certificate in the certificate chain - default is set to False

allowed_domainlist and blocked_domainlist options can be used independently from each other. When used together please note that that a positive result of a blocked_domainlist check takes precedence over the positive result of a allowed_domainlist check.

The openssl_conf file allows customization of the certificate profile and must contain a section [extensions] containing the certificate extensions to be inserted. If not specified the following extensions will be applied.

[extensions]
subjectKeyIdentifier    = hash, issuer:always
keyUsage                = digitalSignature, keyEncipherment
basicConstraints        = critical, CA:FALSEerr
authorityKeyIdentifier  = keyid:always, issuer:always
extendedKeyUsage        = critical, clientAuth, serverAuth

Enjoy enrolling and revoking certificates

some remarks:

  • certificates and CRLs will be signed with sha256
  • during enrollment all extensions included in the csr will be copied to the certificate. Dont tell me that this is a bad idea. Read the first two sentences of this page instead.
  • the CRL "next update interval" is 7days