A tool for the semi-automated deployment of certificates to multiple servers.

This tool is only semi-automated because a user has to start each deployment. The deployment itself is automated and runs on one server at a time. A failure on any server stops the whole deployment so that the user can fix the problem before continuing.
- Manage the deployment of certificates to multiple servers.
- Automatically restart services after deployment.
- Integrate with your LDAP directory service for user authorization.
You can view the SSL Cert Authority in action on the demonstration server.
Use one of the following sets of username / password credentials to log in:
- rainbow / password - admin user
All data on this demonstration server is reset nightly at 00:00 UTC.
- Apache 2.2 or higher
- PHP 5.6 or higher
- PHP JSON extension
- PHP LDAP extension
- PHP mbstring (Multibyte String) extension
- PHP MySQL extension
- MySQL (5.5+), Percona Server (5.5+) or MariaDB database
- Clone the repo somewhere outside of your default Apache document root.
- Add the following directives to your Apache configuration (eg. virtual host config):

  ```
  DocumentRoot /path/to/sca/public_html
  DirectoryIndex init.php
  FallbackResource /init.php
  ```

- Create a MySQL user and database (run in MySQL shell):

  ```sql
  CREATE USER 'sca-user'@'localhost' IDENTIFIED BY 'password';
  CREATE DATABASE `sca-db` DEFAULT CHARACTER SET utf8mb4;
  GRANT ALL ON `sca-db`.* to 'sca-user'@'localhost';
  ```

- Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.
- Set up authentication for your virtual host. The Auth-user variable must be passed to the application.
- Set `scripts/cron.php` to run on a regular cron job.
- Generate an SSH key pair to synchronize with. SSL Cert Authority will expect to find the files as `config/cert-sync` and `config/cert-sync.pub` for the private and public keys respectively.
- Install the SSH key synchronization daemon.
  - For systemd:
    - Copy `services/systemd/cert-sync.service` to `/etc/systemd/system/`
    - Modify the `ExecStart` path and `User` as necessary. If SSL Cert Authority is installed under `/home`, disable `ProtectHome`.
    - Enable the service:

      ```
      systemctl daemon-reload
      systemctl enable cert-sync.service
      ```

  - For sysv-init:
    - Copy `services/init.d/cert-sync` to `/etc/init.d/`
    - Modify the `SCRIPT` path and `USER` as necessary.
    - Enable the service:

      ```
      update-rc.d cert-sync defaults
      ```

  - Manual:
    - Make sure that `scripts/syncd.php --user cert-sync` is executed whenever the system is restarted
If LDAP is enabled, anyone who matches the `filter` setting in `config/config.ini` will be able to log in and use the application as admin.

Without LDAP, only the `cert-sync` user will be available after installation. With that user, it is possible to add users.
SSL Cert Authority distributes certificates to your servers via SSH. It does this by:

- Connecting to the server with SSH, authorizing as the `cert-sync` user.
- Writing the appropriate certificates, profiles, variables and scripts to files and folders in `/var/local/cert-sync/` (eg. all profiles a server is in will be written to `/var/local/cert-sync/profiles/<profile_name>/{fullchain,cert,private}`).

This means that your application will need to be configured to read certificates and private keys from `/var/local/cert-sync/profiles/<profile_name>/{fullchain,cert,private}`.
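A post-deployment check for the profile layout described above, as an added example that is not part of SSL Cert Authority: it verifies that each `profiles/<profile_name>/` directory has all three files, that `fullchain` starts with the same certificate as `cert`, that every PEM block decodes cleanly and that the private key is not readable by group or others. The DER payloads are constructed placeholder bytes, not real certificates, so only the structure is checked.

```python
import base64
import binascii
import os
import re
import stat
import tempfile

FILES = ("fullchain", "cert", "private")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(data):
    """Parse a PEM file into [(label, der_bytes)]; strict base64 so truncated files fail."""
    out = []
    for m in PEM_RE.finditer(data):
        body = b"".join(m.group(2).split())
        out.append((m.group(1).decode(), base64.b64decode(body, validate=True)))
    return out


def check_profile(profile_dir):
    """Return a list of findings for one profile directory (empty means it looks sane)."""
    paths = {n: os.path.join(profile_dir, n) for n in FILES}
    findings = [f"missing file: {n}" for n, p in paths.items() if not os.path.isfile(p)]
    if findings:
        return findings
    mode = stat.S_IMODE(os.stat(paths["private"]).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # key must be owner-only
        findings.append(f"private key mode {mode:o} is accessible by group/others")
    blocks = {}
    for n, p in paths.items():
        try:
            with open(p, "rb") as f:
                blocks[n] = pem_blocks(f.read())
        except binascii.Error:
            return findings + [f"{n}: malformed base64 in PEM block"]
    if [b[0] for b in blocks["cert"]] != ["CERTIFICATE"]:
        findings.append("cert: expected exactly one CERTIFICATE block")
    elif not blocks["fullchain"] or blocks["fullchain"][0] != blocks["cert"][0]:
        findings.append("fullchain: first block must be the leaf certificate from cert")
    if not all(b[0] == "CERTIFICATE" for b in blocks["fullchain"]):
        findings.append("fullchain: contains a non-certificate block")
    if len(blocks["private"]) != 1 or not blocks["private"][0][0].endswith("PRIVATE KEY"):
        findings.append("private: expected exactly one PRIVATE KEY block")
    return findings


def _pem(label, der):
    """Wrap constructed DER bytes in a PEM envelope with 64-character lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())


def demo():
    """Write a consistent and a broken constructed profile to a temp dir; return both finding lists."""
    leaf, issuer, key = b"constructed leaf DER", b"constructed issuer DER", b"constructed key DER"
    base, results = tempfile.mkdtemp(), []
    for name, chain_first, key_mode in (("good", leaf, 0o600), ("bad", issuer, 0o644)):
        d = os.path.join(base, "profiles", name)
        os.makedirs(d)
        for fname, data in (("cert", _pem("CERTIFICATE", leaf)),
                            ("fullchain", _pem("CERTIFICATE", chain_first) + _pem("CERTIFICATE", issuer)),
                            ("private", _pem("PRIVATE KEY", key))):
            with open(os.path.join(d, fname), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(d, "private"), key_mode)
        results.append(check_profile(d))
    return results
```

Run `check_profile("/var/local/cert-sync/profiles/<profile_name>")` on a target server as the `cert-sync` user after a deployment; `demo()` exercises it against the constructed good and bad profiles.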
Copyright 2019 Marc Mettke
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.