It is really hard to make remote calls securely without a minimal Public Key Infrastructure. For a single server development deployment, you can use a self-signed certificate, but once you have multiple servers that need to intercommunicate, you want to have a single signing cert used for all the services. I’m investigating an approach which chains multiple Certmonger instances together.
When Certmonger needs a certificate signed, it generates a Certificate Signing Request (CSR), and then calls a helper application. For a local signing, this executable is
If I want to sign a certificate without going through certmonger, I can first create a local cert database, generate a CSR, and manually sign it:
mkdir ~/certs certutil -N -d ~certs certutil -R -s "CN=www.younglogic.net, O=Younglogic, ST=MA, C=USA" -o ~/mycert.req -a -g 2048 -d ~/certs /usr/libexec/certmonger/local-submit ~/mycert.req > mycert.pem
To get a remote machine to sign it, I used the following bash script:
#!/bin/sh -x REMOTE_HOST=keycloak.younglogic.net REMOTE_USER=dhc-user SSH="ssh $REMOTE_USER@$REMOTE_HOST" CERTMONGER_CSR=`cat ~/mycert.req ` remotedir=`$SSH mktemp -d -p /home/dhc-user` echo "$CERTMONGER_CSR" | $SSH tee $remotedir/mycert.req new_cert=$( $SSH /usr/libexec/certmonger/local-submit $remotedir/mycert.req ) echo $new_cert > ~/mycert.pem $SSH rm $remotedir/mycert.req $SSH rmdir $remotedir
The /usr/libexec/certmonger/local-submit complies with the interface for Certmonger helper apps. Which means that it can also accept the CSR via the environment variable CERTMONGER_CSR, but as you can see, it also accepts it as an argument. If I drop the explicit definition of this variable, my script should work as a certmonger helper app.
id=remote ca_is_default=0 ca_type=EXTERNAL ca_external_helper=/home/ayoung/bin/remote_certmonger.sh
Of course, this will not honor any of the other getcert commands. But we should be able to list the certs.
Call it with:
getcert request -n remote -c remote -s -d ~/certs/ -N "uid=ayoung,cn=users,cn=accounts,dc=openstack,dc=freeipa,dc=org" New signing request "20160422020445" added.
getcert list -s
Request ID '20160422020445': status: SUBMITTING stuck: no key pair storage: type=NSSDB,location='/home/ayoung/certs',nickname='remote',token='NSS Certificate DB' certificate: type=NSSDB,location='/home/ayoung/certs',nickname='remote' signing request thumbprint (MD5): 5D1D5881 12952298 073F1DF6 48B10CB9 signing request thumbprint (SHA1): A30FAEDE 1917DD4D 4FA3AAFC C704329E C7783B46 CA: remote issuer: subject: expires: unknown pre-save command: post-save command: track: yes auto-renew: yes
So, not yet. More on this later.