LEAP Certificate Authority Daemon
leap_ca_daemon is a background daemon that generates x509 certificates as needed and stores them in CouchDB. You can run leap_ca on a machine that is not connected to a network, and then periodically connect to sync up the cert database.
- Its only interface with the outside world is a CouchDB connection (defaults to localhost).
- The daemon monitors changes to the database and fills it with x509 certs as needed.
- It requires access to a Certificate Authority (in other words, the RSA private key and x509 root certificate, in PEM format).
This program is written in Ruby and is distributed under the following license:
GNU Affero General Public License
Version 3.0 or higher
http://www.gnu.org/licenses/agpl-3.0.html
Installation
Prerequisites:
sudo apt-get install ruby ruby-dev couchdb
# if you are running ruby 1.8, you will also need rubygems.
# for development, you will also need git, bundle, and rake.
From source:
git clone git://leap.se/leap_ca
cd leap_ca
bundle
rake build
sudo rake install
From gem:
sudo gem install leap_ca
Running
See if it worked:
leap_ca_daemon run -- test/config/config.yaml
browse to http://localhost:5984/_utils
How you would run normally in production mode:
leap_ca_daemon start
leap_ca_daemon stop
See leap_ca_daemon --help
for more options.
Configuration
leap_ca_daemon reads the following configuration files, in this order:
- $(leap_ca_source)/config/default_config.yaml
- /etc/leap/leap_ca.yaml
- Any file passed to ARGV, like so: leap_ca start -- /etc/leap_ca.yaml
Other than ca_key_path and ca_cert_path, you can probably leave all other options at their default values.
The default options are:
#
# Default configuration options for LEAP Certificate Authority Daemon
#
#
# Certificate Authority
#
ca_key_path: "../test/files/ca.key"
ca_key_password: nil
ca_cert_path: "../test/files/ca.crt"
#
# Certificate pool
#
max_pool_size: 100
client_cert_lifespan: 2
client_cert_bit_size: 2024
client_cert_hash: "SHA256"
#
# Database
#
db_name: "client_certificates"
couch_connection:
  protocol: "http"
  host: "localhost"
  port: 5984
  username: ~
  password: ~
  prefix: ""
  suffix: ""
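To make the pool settings above concrete, here is an added example (not code from leap_ca itself) of what minting one client certificate from the configured CA involves: a fresh RSA key of client_cert_bit_size bits, a signature with client_cert_hash, and the check a consumer of the CouchDB pool should run before trusting a stored cert. The CA is constructed in memory as a stand-in for ca_key_path/ca_cert_path, and lifespan_days is an assumption since the README does not state the unit of client_cert_lifespan.

```ruby
require 'openssl'

# Constructed stand-in for the CA the daemon loads from ca_key_path/ca_cert_path.
# Generated in memory so the example runs stand-alone; a real CA key stays offline.
def build_test_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=Example LEAP Test CA")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + 10 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Mint one client certificate as the pool filler would: a fresh RSA key of
# bit_size bits (client_cert_bit_size), signed by the CA with hash_name
# (client_cert_hash). lifespan_days is this example's assumption, not the README's.
def issue_client_cert(ca_key, ca_cert, bit_size:, hash_name:, common_name:, lifespan_days:)
  key = OpenSSL::PKey::RSA.new(bit_size)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)   # random serial: no counter to sync across offline runs
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + lifespan_days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.sign(ca_key, OpenSSL::Digest.new(hash_name))
  [key, cert]
end

# What a consumer of the CouchDB pool should check before trusting a stored cert:
# it chains to the CA, it is not itself a CA, and it carries the configured hash.
def verify_client_cert(ca_cert, cert, hash_name:)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert) &&
    cert.signature_algorithm.downcase.include?(hash_name.downcase) &&
    cert.extensions.none? { |e| e.oid == "basicConstraints" && e.value.include?("CA:TRUE") }
end
```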
Rake Tasks
rake -T
rake build # Build leap_ca-x.x.x.gem into the pkg directory
rake install # Install leap_ca-x.x.x.gem into either system-wide or user gems
rake test # Run tests
rake uninstall # Uninstall leap_ca-x.x.x.gem from either system-wide or user gems
Development
For development and debugging you might want to run the program directly without
the daemon wrapper. You can do this like this:
ruby -I lib lib/leap_ca_daemon.rb
Todo
- Remove deprecated 'yajl/http_stream'