A Foreman plugin that uses CFSSL to generate certificates, plus a little management. It adds a "Certificates" sub-item to the "Infrastructure" menu.
This plugin stores private keys in clear text in the database, so think twice before using a certificate generated by it or importing existing certificates signed by other certificate authorities. However, when importing a certificate you can leave the private key field blank or upload an encrypted version.
If you do want to put valuable certificate keys into the system, consider:
The CFSSL binary is used for generating and inspecting certificates. The executable cfssl must be on $PATH.
See Foreman plugin installation.
The plugin needs a "certs" table, which can be created by running:

    foreman-rake db:migrate

or by running the SQL.
Example:
/etc/foreman/plugins/foreman_cfssl.yaml:

    :foreman_cfssl:
      :ca: /etc/foreman/plugins/foreman_cfssl/ca.pem
      :ca_key: /etc/foreman/plugins/foreman_cfssl/ca-key.pem
      :config: /etc/foreman/plugins/foreman_cfssl/config.json
      :csr_template: /etc/foreman/plugins/foreman_cfssl/csr-template.json
      :private_key_import: false

More documentation can be found on the CFSSL project page, but here are the two JSON files referenced above:
/etc/foreman/plugins/foreman_cfssl/config.json:

    {
      "signing": {
        "default": {
          "expiry": "43800h"
        },
        "profiles": {
          "server": {
            "expiry": "43800h",
            "usages": [
              "signing",
              "key encipherment",
              "server auth"
            ]
          },
          "client": {
            "expiry": "43800h",
            "usages": [
              "signing",
              "key encipherment",
              "client auth"
            ]
          }
        }
      }
    }

On the certificate generation page, the user can select a profile and fill in the "common name" and SAN list. The inputs are merged into the CSR template below and fed into the cfssl command.
/etc/foreman/plugins/foreman_cfssl/csr-template.json:

    {
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "US",
          "ST": "MA",
          "L": "Newton",
          "OU": "My Corp"
        }
      ]
    }

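
The merge step described above, sketched as an added example (not the plugin's own code): the selected profile is checked against config.json, the common name and SAN list are validated and merged into a copy of the CSR template, and the cfssl call is built as an argument vector. The helper names `build_csr` and `gencert_argv`, the host-name policy, and the inline copies of the JSON files are assumptions made for illustration.

```ruby
require "json"

# Constructed copies of the page's JSON files, trimmed to what this example reads.
CONFIG = JSON.parse('{"signing":{"profiles":{"server":{},"client":{}}}}')
TEMPLATE = JSON.parse(<<~CSR)
  {"key": {"algo": "rsa", "size": 2048},
   "names": [{"C": "US", "ST": "MA", "L": "Newton", "OU": "My Corp"}]}
CSR

# Paths taken from the page's foreman_cfssl.yaml example.
SETTINGS = {
  ca: "/etc/foreman/plugins/foreman_cfssl/ca.pem",
  ca_key: "/etc/foreman/plugins/foreman_cfssl/ca-key.pem",
  config: "/etc/foreman/plugins/foreman_cfssl/config.json"
}.freeze

# Assumed input policy: LDH labels with an optional leading wildcard label.
# \A and \z anchor the whole string, so embedded newlines are rejected.
LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i
HOSTNAME = /\A(?:\*\.)?#{LABEL}(?:\.#{LABEL})*\z/

# Merge validated form inputs into a copy of the CSR template.
def build_csr(profile, common_name, sans)
  unless CONFIG.dig("signing", "profiles").key?(profile)
    raise ArgumentError, "unknown signing profile: #{profile.inspect}"
  end
  hosts = [common_name, *sans].map(&:strip).uniq
  bad = hosts.reject { |h| h.length <= 253 && h.match?(HOSTNAME) }
  raise ArgumentError, "invalid host names: #{bad.inspect}" unless bad.empty?
  TEMPLATE.merge("CN" => hosts.first, "hosts" => hosts)
end

# Argument vector for cfssl; run it with Open3.capture2(*argv) so no shell parses it.
def gencert_argv(profile, csr_path)
  ["cfssl", "gencert", "-ca", SETTINGS[:ca], "-ca-key", SETTINGS[:ca_key],
   "-config", SETTINGS[:config], "-profile", profile, csr_path]
end

if __FILE__ == $PROGRAM_NAME
  csr = build_csr("server", "web01.example.com", ["www.example.com"])
  puts JSON.pretty_generate(csr)
  puts gencert_argv("server", "csr.json").join(" ")
end
```

The profile is restricted to the names defined in config.json, so a value that is not a known profile never reaches the command line.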
A single role "CFSSL" controls all permissions.
We found that foreman_cfssl demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.