cloud-init: Add support for certmonger

[ubuntu-server-builder]

This bug was originally filed in Launchpad as LP: #1865352

Launchpad details

affected_projects = []
assignee = None
assignee_name = None
date_closed = None
date_created = 2020-03-01T15:47:50.893892+00:00
date_fix_committed = None
date_fix_released = None
id = 1865352
importance = undecided
is_complete = False
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1865352
milestone = None
owner = minfrin
owner_name = Graham Leggett
private = False
status = triaged
submitter = minfrin
submitter_name = Graham Leggett
tags = []
duplicates = []

Launchpad user Graham Leggett(minfrin) wrote on 2020-03-01T15:47:50.893892+00:00

This is a request to integrate certmonger with cloud-init, such that certificates can be requested and provisioned as part of the initialisation process.

Possible sample configuration:

certs:
Redwax Interop:
type: scep
url: http://interop.redwax.eu/test/simple/scep
requests:
- certificate: /etc/pki/interop/test.example.com.cert
key: /etc/pki/interop/test.example.com.key
key-type: rsa
key-bits: 4096

and so on, corresponding to the following commands:

getcert add-scep-ca -c "Redwax Interop" -u http://interop.redwax.eu/test/simple/scep
getcert request -f /etc/pki/interop/test.example.com.cert -k /etc/pki/interop/test.example.com.key -c "Redwax Interop" -I test.example.com -D test.example.com -G rsa -g 4096 -u digitalSignature -u keyEncipherment -L challenge

[ubuntu-server-builder]

Launchpad user Ryan Harper(raharper) wrote on 2020-03-02T23:00:12.468614+00:00

Hi,

Thanks for filing this bug. Would you be interested in contributing to cloud-init?

https://cloudinit.readthedocs.io/en/latest/topics/hacking.html

[ubuntu-server-builder]

Launchpad user Graham Leggett(minfrin) wrote on 2020-03-05T12:39:06.585992+00:00

I have very basic python skills, so this may take a while.

In the mean time I have been fixing certmonger itself, as it contains a number of limitations that prevent it being possible to issue certs from private CAs.