GitHub - qingbo/foreman_cfssl: A Foreman plugin that uses CFSSL to generate certificates
foreman_cfssl

A Foreman plugin that uses CFSSL to generate certificates, plus a little management. It adds a "Certificates" sub-item to the "Infrastructure" menu.

Warning

This plugin stores private keys in clear text in the database, so think twice before using a certificate generated by it, or before importing existing certificates signed by other certificate authorities. However, when importing a certificate you can leave the private key field blank or upload an encrypted version.

If you do want to put valuable certificate keys into the system, consider:

  • Secure the CFSSL role in Foreman
  • Secure the database Foreman connects to
  • Be aware of Rails/Foreman vulnerabilities

Prerequisites

The CFSSL binary is used for generating and inspecting certificates. The executable cfssl must be on $PATH.

Installation

See Foreman plugin installation.

The plugin needs a "certs" table, which can be created by running:

foreman-rake db:migrate

or by running the SQL.

Configuration and Usage

ini file

Example:

/etc/foreman/plugins/foreman_cfssl.yaml:

:foreman_cfssl:
  :ca: /etc/foreman/plugins/foreman_cfssl/ca.pem
  :ca_key: /etc/foreman/plugins/foreman_cfssl/ca-key.pem
  :config: /etc/foreman/plugins/foreman_cfssl/config.json
  :csr_template: /etc/foreman/plugins/foreman_cfssl/csr-template.json
  :private_key_import: false

CFSSL config

More documentation can be found on the CFSSL project page, but here are the two JSON files referenced above:

/etc/foreman/plugins/foreman_cfssl/config.json:

{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

On the certificate generation page, the user can select a profile and fill in the "common name" and the SAN list. The inputs are merged into the CSR template below and fed to the cfssl command.

/etc/foreman/plugins/foreman_cfssl/csr-template.json:

{
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "ST": "MA",
            "L": "Newton",
            "OU": "My Corp"
        }
    ]
}
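The merge step described above, as an added Ruby example that is not part of the plugin's own code. It assumes the csr-template.json shown here, the "server"/"client" profiles from config.json, and the settings keys from foreman_cfssl.yaml; user input is validated as hostnames and passed to cfssl as an argv array on stdin, so no shell is involved. The cfssl flags used (-ca, -ca-key, -config, -profile, and "-" for stdin) are the ones the cfssl gencert command accepts.

```ruby
require 'json'
require 'open3'

# Constructed copy of csr-template.json from above.
CSR_TEMPLATE = {
  'key' => { 'algo' => 'rsa', 'size' => 2048 },
  'names' => [{ 'C' => 'US', 'ST' => 'MA', 'L' => 'Newton', 'OU' => 'My Corp' }]
}.freeze

# Profiles must match the "profiles" section of config.json.
PROFILES = %w[server client].freeze

# Strict DNS-name check: only labels of [a-z0-9-], so form input can never
# carry spaces, shell metacharacters or non-DNS SAN types into the CSR.
HOSTNAME_RE = /\A(?=.{1,253}\z)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def validate_request!(profile, common_name, sans)
  raise ArgumentError, "unknown profile #{profile.inspect}" unless PROFILES.include?(profile)
  ([common_name] + sans).each do |h|
    raise ArgumentError, "invalid hostname #{h.inspect}" unless h.is_a?(String) && h.match?(HOSTNAME_RE)
  end
  true
end

# Merge the CN and SAN list into a copy of the template (the template itself is not mutated).
def build_csr(template, common_name, sans)
  csr = JSON.parse(JSON.generate(template))
  csr['CN'] = common_name
  csr['hosts'] = ([common_name] + sans).uniq
  csr
end

# argv for cfssl gencert; settings is the :foreman_cfssl hash from the YAML file.
def cfssl_argv(settings, profile)
  ['cfssl', 'gencert', "-ca=#{settings[:ca]}", "-ca-key=#{settings[:ca_key]}",
   "-config=#{settings[:config]}", "-profile=#{profile}", '-']
end

# Runs cfssl with the CSR JSON on stdin and returns its parsed JSON output
# ("cert", "key", "csr"). The "key" field is the clear-text private key the
# plugin stores in the certs table, so never log this hash as a whole.
def generate_cert(settings, profile, common_name, sans)
  validate_request!(profile, common_name, sans)
  csr = build_csr(CSR_TEMPLATE, common_name, sans)
  out, err, status = Open3.capture3(*cfssl_argv(settings, profile), stdin_data: JSON.generate(csr))
  raise "cfssl failed: #{err.strip}" unless status.success?
  JSON.parse(out)
end
```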

Foreman role

A single role "CFSSL" controls all permissions.
