Certidude is a minimalist X.509 Certificate Authority management tool with Kerberos authentication mainly designed for OpenVPN gateway operators to make VPN client setup on laptops, desktops and mobile devices as painless as possible.
Certidude can also be used to manage IPSec certifcates (StrongSwan) or HTTPS client certificates to limit access to eg. intranet websites. For a full-blown CA you might want to take a look at EJBCA or OpenCA.
Following usecases are covered:
- I am a sysadmin. Employees with different operating systems need to access internal network services over OpenVPN. I want to provide web interface for submitting the certificate signing request online. I want to get notified via e-mail when a user submits a certificate. Once I have signed the certificate I want the user to have easy way to download the signed certificate from the same web interface. Request submission and signing has to be visible in the web interface immediately. Common name is set to username.
- I am a sysadmin. I want to allow my Ubuntu roadwarriors to connect to network services at headquarters via IPSec. I want to make use of domain membership trust to automatically sign the certificates. Common name is set to computers hostname without the domain suffix. NetworkManager integration is necessary so the user can see the VPN connection state. Software installation and one simple configuration file should suffice to get up and running.
- I am a sysadmin. Employees need to get access to intranet wiki using HTTPS certificates possibly with multiple devices. Common name is set to username@device-identifier. The user logs in using domain account in the web interface and can automatically retrieve a P12 bundle which can be installed on her Android device.
- Standard request, sign, revoke workflow via web interface.
- RSA and Elliptic Curve Cryptography both supported, use
certidude provision authority --elliptic-curvefor the second
- OCSP and SCEP support.
- PAM and Active Directory compliant authentication backends: Kerberos single sign-on, LDAP simple bind.
- POSIX groups and Active Directory (LDAP) group membership based authorization.
- Server-side command-line interface, check out
- Certificate serial numbers are intentionally randomized to avoid leaking information about business practices.
- Server-side events support via nchan.
- E-mail notifications about pending, signed, revoked, renewed and overwritten certificates.
- Built using compilation-free oscrypto library.
- Object tagging, attach metadata to certificates using extended filesystem attributes.
Virtual private networking:
- Send VPN profile URL tokens via e-mail, for simplified VPN adoption on Android, iOS, Windows, Mac OS X and Ubuntu.
- OpenVPN gateway and roadwarrior integration, check out
certidude provision openvpn serverand
certidude provision openvpn client.
- StrongSwan gateway and roadwarrior integration, check out
certidude provision strongswan serverand
certidude provision strongswan client.
- NetworkManager integration for Ubuntu and Fedora, check out
certidude provision openvpn networkmanagerand
certidude provision strongswan networkmanager.
- P12 bundle generation for web browsers, seems to work well with Android
- HTTPS server setup with client verification, check out
certidude provision nginx
To install Certidude server you need certain system libraries in addition to regular Python dependencies.
System dependencies for Ubuntu 16.04:
apt install -y python3-click python3-jinja2 python3-markdown \ python3-pip python3-mysql.connector python3-requests python3-pyxattr
System dependencies for Fedora 25+:
yum install redhat-rpm-config python-devel openssl-devel openldap-devel
At the moment package at PyPI is rather outdated. Please proceed down to Development section to install Certidude from source.
Setting up authority
First make sure the machine used for certificate authority has fully qualified domain name set up properly. You can check it with:
The command should return
If necessary tweak machine's fully qualified hostname in
127.0.0.1 localhost 127.0.1.1 ca.example.com ca
Certidude will submit e-mail notifications to locally running MTA. Install Postfix and configure it as Satellite system:
apt install postfix
Certidude can set up certificate authority relatively easily.
Following will set up certificate authority in
configure systemd service for your platform,
/etc/cron.hourly/certidude and much more:
certidude provision authority
Tweak the configuration in
/etc/certidude/server.conf until you meet your requirements,
to apply changes run:
systemctl restart certidude
Setting up PAM authentication
Following assumes the OS user accounts are used to authenticate users.
This means users can be easily managed with OS tools such as
Make sure you insert AllowUsers administrator-account-username to SSH server configuration if you have SSH server installed on the machine to prevent regular users from accessing the command line of certidude. Note that in future we're planning to add command-line interaction in which case SSH access makes sense.
If you're planning to use PAM for authentication you need to install corresponding Python modules:
pip3 install simplepam
The default configuration generated by
certidude provision should make use of the
Setting up Active Directory authentication
Following assumes you have already set up Kerberos infrastructure and Certidude is simply one of the servers making use of that infrastructure.
Install additional dependencies:
apt-get install samba-common-bin krb5-user ldap-utils python-gssapi
Reset Samba client configuration in
workgroup and realm accordingly:
[global] security = ads netbios name = CA workgroup = EXAMPLE realm = EXAMPLE.COM kerberos method = system keytab
Reset Kerberos client configuration in
[libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true
Initialize Kerberos credentials:
Join the machine to domain:
net ads join -k
Set up Kerberos keytab for the web service:
KRB5_KTNAME=FILE:/etc/certidude/server.keytab net ads keytab add HTTP -k chown root:certidude /etc/certidude/server.keytab chmod 640 /etc/certidude/server.keytab
Reconfigure /etc/certidude/server.conf so
kerberos backend is used for authentication,
ldap backend is used for accoutns and authorization.
Adjust related options as necessary.
Also make sure there is cron.hourly job for creating GSSAPI credential cache -
that's necessary for querying LDAP using Certidude machine's credentials.
- Following error message may mean that the IP address of the web server does not match the IP address used to join the CA machine to domain, eg when you're running CA behind SSL terminating web server: Bad credentials: Unspecified GSS failure. Minor code may provide more information (851968)
Setting up services
Set up services as usual (OpenVPN, Strongswan, etc), when setting up certificates See Certidude admin interface how to submit CSR-s and retrieve signed certificates.
Setting up clients
This example works for Ubuntu 16.04 desktop with corresponding plugins installed for NetworkManager.
Configure Certidude client in
[ca.example.com] trigger = interface up hostname = $HOSTNAME
Configure services in
[OpenVPN to gateway.example.com] authority = ca.example.com service = network-manager/openvpn remote = gateway.example.com [IPSec to gateway.example.com] authority = ca.example.com service = network-manager/strongswan remote = gateway.example.com
To request certificate:
The keys, signing requests, certificates and CRL-s are placed under /etc/certidude/authority/ca.example.com/
The VPN connection should immideately become available under network connections.
To use dependencies from pip:
apt install build-essential python-dev cython libffi-dev libssl-dev \ libkrb5-dev ldap-utils krb5-user libsasl2-modules-gssapi-mit \ libsasl2-dev libldap2-dev
Clone the repository:
git clone https://github.com/laurivosandi/certidude /srv/certidude cd /srv/certidude
Install dependencies as shown above and additionally:
pip3 install -r requirements.txt
To install the package from the source tree:
pip3 install -e .
To run tests and measure code coverage grab a clean VM or container, set hostname to ca.example.lan, export environment variable COVERAGE_PROCESS_START globally and run:
pip3 install codecov pytest-cov rm /tmp/.coverage* COVERAGE_PROCESS_START=/srv/certidude/.coveragerc py.test tests --capture=sys coverage combine coverage report coverage html -i
pip3 uninstall certidude
git clone https://github.com/laurivosandi/certidude cd certidude docker build . docker run --name ca --hostname ca.example.lan
To prepare packages for offline installation use following snippet on a vanilla Ubuntu 16.04 or container:
rm -fv /var/cache/apt/archives/*.deb /var/cache/certidude/wheels/*.whl apt install python3-pip pip3 wheel --wheel-dir=/var/cache/certidude/wheels -r requirements.txt pip3 wheel --wheel-dir=/var/cache/certidude/wheels . tar -cf certidude-client.tar /var/cache/certidude/wheels add-apt-repository -y ppa:nginx/stable apt-get update -q apt install --download-only python3-markdown python3-pyxattr python3-jinja2 python3-cffi software-properties-common libnginx-mod-nchan nginx-full pip3 wheel --wheel-dir=/var/cache/certidude/wheels falcon humanize ipaddress simplepam user-agents python-ldap gssapi tar -cf certidude-server.tar /var/lib/certidude/assets/ /var/cache/apt/archives/ /var/cache/certidude/wheels
Transfer certidude-server.tar or certidude-client.tar to the target machine and execute:
rm -fv /var/cache/apt/archives/*.deb /var/cache/certidude/wheels/*.whl tar -xvf certidude-*.tar -C / dpkg -i /var/cache/apt/archives/*.deb pip3 install --use-wheel --no-index --find-links /var/cache/certidude/wheels/*.whl
Proceed to bootstrap authority without installing packages or assembling assets:
certidude provision authority --skip-packages --skip-assets [--elliptic-curve] [--organization "Mycorp LLC"]
Note it's highly recommended to enable nginx PPA in the target machine