It is really hard to make remote calls securely without a minimal Public Key Infrastructure. For a single server development deployment, you can use a self-signed certificate, but once you have multiple servers that need to intercommunicate, you want to have a single signing cert used for all the services. I’m investigating an approach which chains multiple Certmonger instances together.
When Certmonger needs a certificate signed, it generates a Certificate Signing Request (CSR) and then calls a helper application. For local signing, this executable is:

/usr/libexec/certmonger/local-submit
If I want to sign a certificate without going through certmonger, I can first create a local cert database, generate a CSR, and manually sign it:
# create an NSS database for the key pair
mkdir ~/certs
certutil -N -d ~/certs
# generate a 2048-bit key and write the CSR out in PEM (-a) form
certutil -R -s "CN=www.younglogic.net, O=Younglogic, ST=MA, C=USA" -o ~/mycert.req -a -g 2048 -d ~/certs
# sign it with the local certmonger CA helper
/usr/libexec/certmonger/local-submit ~/mycert.req > mycert.pem
To get a remote machine to sign it, I used the following bash script:
#!/bin/sh -x
REMOTE_HOST=keycloak.younglogic.net
REMOTE_USER=dhc-user
SSH="ssh $REMOTE_USER@$REMOTE_HOST"
# certmonger supplies CERTMONGER_CSR itself; this line is only for running by hand
CERTMONGER_CSR=`cat ~/mycert.req`
# copy the CSR into a scratch directory on the signing host
remotedir=`$SSH mktemp -d -p /home/dhc-user`
echo "$CERTMONGER_CSR" | $SSH tee "$remotedir/mycert.req" > /dev/null
# sign it there and bring the PEM certificate back
new_cert=$( $SSH /usr/libexec/certmonger/local-submit "$remotedir/mycert.req" )
# keep the quotes: an unquoted $new_cert would flatten the PEM onto one line;
# certmonger reads the certificate from the helper's stdout, so print it as well as saving it
echo "$new_cert" | tee ~/mycert.pem
$SSH rm "$remotedir/mycert.req"
$SSH rmdir "$remotedir"
/usr/libexec/certmonger/local-submit complies with the interface for Certmonger helper apps, which means it can accept the CSR via the environment variable CERTMONGER_CSR; as you can see, it also accepts it as a file argument. If I drop the explicit definition of this variable, my script should work as a certmonger helper app.
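As an added example (not the post's script), here is a helper written against that same interface: it reads the CSR from CERTMONGER_CSR (or a file argument when run by hand), honours CERTMONGER_OPERATION, and reports the outcome through its exit status. The host and user names are placeholders, the single ssh round trip that stages the CSR in a temp file on the signer is my choice in place of the post's separate ssh calls, and the exit-code meanings (0 issued, 2 rejected, 3 unreachable, 6 unsupported) are certmonger's helper convention as I recall it, so check them against the certmonger documentation before relying on them. SIGNER_CMD is a hook I added so the logic can be exercised without a remote host.

```shell
#!/bin/sh
# remote_certmonger.sh: a certmonger EXTERNAL helper that forwards the CSR to
# /usr/libexec/certmonger/local-submit on another host over ssh and hands the
# signed certificate back on stdout. Added example, not the post's own script.

# Placeholders for the signing host; override them in the environment.
REMOTE_HOST="${REMOTE_HOST:-signer.example.com}"
REMOTE_USER="${REMOTE_USER:-certsigner}"

# Run local-submit on the remote host. The CSR arrives on stdin; one ssh call
# stores it in a temp file, signs it, removes the file and returns
# local-submit's exit status.
sign_csr_remote() {
    ssh "$REMOTE_USER@$REMOTE_HOST" \
        'f=$(mktemp) && cat >"$f" && /usr/libexec/certmonger/local-submit "$f"; rc=$?; rm -f "$f"; exit $rc'
}

# SIGNER_CMD, when set, replaces the ssh step with any command that reads a
# CSR on stdin and writes a certificate on stdout (used for offline testing).
sign_csr() {
    if [ -n "${SIGNER_CMD:-}" ]; then
        sh -c "$SIGNER_CMD"
    else
        sign_csr_remote
    fi
}

# Helper body. Exit codes follow certmonger's helper convention as I recall
# it (assumption): 0 = certificate issued (PEM on stdout), 2 = request
# rejected, 3 = CA unreachable, 6 = operation not supported.
helper_main() {
    case "${CERTMONGER_OPERATION:-SUBMIT}" in
        IDENTIFY)
            echo "remote_certmonger.sh: local-submit on $REMOTE_HOST"
            return 0 ;;
        SUBMIT|POLL)
            # local-submit answers synchronously, so POLL is handled like SUBMIT
            ;;
        *)
            return 6 ;;
    esac

    # certmonger passes the CSR in CERTMONGER_CSR; like local-submit, also
    # accept a file argument so the script can be run by hand.
    csr="${CERTMONGER_CSR:-}"
    if [ -z "$csr" ] && [ -n "${1:-}" ] && [ -r "$1" ]; then
        csr=$(cat "$1")
    fi
    if ! printf '%s\n' "$csr" | grep -q 'BEGIN.*CERTIFICATE REQUEST'; then
        echo "no CSR supplied in CERTMONGER_CSR or as a file argument"
        return 2
    fi

    # Capture the result and print it back with printf: an unquoted echo
    # would join the PEM onto a single line, which certmonger cannot parse.
    cert=$(printf '%s\n' "$csr" | sign_csr 2>/dev/null) || {
        echo "signing host $REMOTE_HOST did not return a certificate"
        return 3
    }
    if ! printf '%s\n' "$cert" | grep -q '^-----BEGIN CERTIFICATE-----$'; then
        echo "signer output is not a PEM certificate"
        return 3
    fi
    printf '%s\n' "$cert"
    return 0
}

# When this file is executed directly (by certmonger or by hand), act as the
# helper; the file name is an assumption matching the ca_external_helper path.
case "$0" in
    */remote_certmonger.sh|remote_certmonger.sh)
        helper_main "$@"
        exit $? ;;
esac
```

Install it as the ca_external_helper of an EXTERNAL CA entry and certmonger will invoke it once per request with CERTMONGER_OPERATION=SUBMIT; whatever the helper writes to stdout on exit 0 is stored as the certificate, which is why nothing but the PEM (no tee echo, no trace output) may reach stdout on that path.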
In ~/.config/certmonger/cas/remote:

id=remote
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/home/ayoung/bin/remote_certmonger.sh
Of course, this will not honor any of the other getcert commands. But we should be able to list the certs.
Call it with:
getcert request -n remote -c remote -s -d ~/certs/ -N "uid=ayoung,cn=users,cn=accounts,dc=openstack,dc=freeipa,dc=org"
New signing request "20160422020445" added.
getcert list -s
Request ID '20160422020445':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/home/ayoung/certs',nickname='remote',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/home/ayoung/certs',nickname='remote'
	signing request thumbprint (MD5): 5D1D5881 12952298 073F1DF6 48B10CB9
	signing request thumbprint (SHA1): A30FAEDE 1917DD4D 4FA3AAFC C704329E C7783B46
	CA: remote
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
So, not yet. More on this later.