<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>SSLCA — Bcfg2 1.3.0 documentation</title> <link rel="stylesheet" href="../../../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../../', VERSION: '1.3.0', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../../../_static/jquery.js"></script> <script type="text/javascript" src="../../../_static/underscore.js"></script> <script type="text/javascript" src="../../../_static/doctools.js"></script> <script type="text/javascript" src="../../../_static/sidebar.js"></script> <link rel="shortcut icon" href="../../../_static/favicon.ico"/> <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../index.html" /> <link rel="up" title="Plugins" href="../index.html" /> <link rel="next" title="TCheetah" href="tcheetah.html" /> <link rel="prev" title="SSHbase" href="sshbase.html" /> <link rel="stylesheet" href="../../../_static/bcfg2.css" type=""/> </head>
<body>
<div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="sslca"> <span id="server-plugins-generators-sslca"></span><h1>SSLCA<a class="headerlink" href="#sslca" title="Permalink to this headline">¶</a></h1>
<p>SSLCA is a generator plugin designed to handle creation of SSL private keys and certificates on request.</p>
<p>Borrowing ideas from <a class="reference internal" href="cfg.html#server-plugins-generators-cfg-genshi"><em>Genshi Templates</em></a> and the <a class="reference internal" href="sshbase.html#server-plugins-generators-sshbase"><em>SSHbase</em></a> plugin, SSLCA automates the generation of SSL certificates by allowing you to specify key and certificate definitions. Then, when a client requests a Path that contains such a definition within the SSLCA repository, the matching key/cert is generated, and stored in a hostfile in the repo so that subsequent requests do not result in repeated key/cert recreation. In the event that a new key or cert is needed, the offending hostfile can simply be removed from the repository, and the next time that host checks in, a new file will be created. If that file happens to be the key, any dependent certificates will also be regenerated.</p>
<div class="section" id="getting-started"> <span id="id1"></span><h2>Getting started<a class="headerlink" href="#getting-started" title="Permalink to this headline">¶</a></h2> <p>In order to use SSLCA, you must first have at least one CA configured on your system.
For details on setting up your own OpenSSL-based CA, see <a class="reference external" href="http://www.openssl.org/docs/apps/ca.html">http://www.openssl.org/docs/apps/ca.html</a> for the suggested directory layout and configuration directives.</p>
<p>For SSLCA to work, the openssl.cnf (or other configuration file) for that CA must contain full (not relative) paths.</p>
<ol class="arabic">
<li><p class="first">Add SSLCA to the <strong>plugins</strong> line in <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> and restart the server. This enables the SSLCA plugin on the Bcfg2 server.</p> </li>
<li><p class="first">Add a section to your <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> called <tt class="docutils literal"><span class="pre">sslca_foo</span></tt>, replacing foo with the name you wish to give your CA so you can reference it in certificate definitions.</p> </li>
<li><p class="first">Under that section, add an entry for <tt class="docutils literal"><span class="pre">config</span></tt> that gives the location of the openssl configuration file for your CA.</p> </li>
<li><p class="first">If necessary, add an entry for <tt class="docutils literal"><span class="pre">passphrase</span></tt> containing the passphrase for the CA’s private key. This is stored in <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> because the permissions on that file should make it readable only by the bcfg2 user; check that they do, since anyone who can read both the passphrase and the CA key file can issue certificates from your CA. If no <tt class="docutils literal"><span class="pre">passphrase</span></tt> entry exists, the private key is assumed to be stored unencrypted.</p> </li>
<li><p class="first">Optionally, add an entry <tt class="docutils literal"><span class="pre">chaincert</span></tt> that points to the location of your SSL chaining certificate. This is used when pre-existing certificate hostfiles are found, so that they can be validated and only regenerated if they no longer meet the specification. If you’re using a self-signed CA this would be the CA cert that you generated. If the chain cert is a root CA cert (e.g., if it is a self-signed CA), also add an entry <tt class="docutils literal"><span class="pre">root_ca</span> <span class="pre">=</span> <span class="pre">true</span></tt>. If <tt class="docutils literal"><span class="pre">chaincert</span></tt> is omitted, certificate verification will not be performed, so an existing certificate hostfile is reused without being checked against its definition.</p> </li>
<li><p class="first">Once all this is done, you should have a section in your <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> that looks similar to the following:</p>
<div class="highlight-python"><pre>[sslca_default]
config = /etc/pki/CA/openssl.cnf
passphrase = youReallyThinkIdShareThis?
chaincert = /etc/pki/CA/chaincert.crt
root_ca = true</pre> </div> </li>
<li><p class="first">You are now ready to create key and certificate definitions. For this example we’ll assume you’ve added Path entries for the key, <tt class="docutils literal"><span class="pre">/etc/pki/tls/private/localhost.key</span></tt>, and the certificate, <tt class="docutils literal"><span class="pre">/etc/pki/tls/certs/localhost.crt</span></tt>, to a bundle or base.</p> </li>
<li><p class="first">Defining a key or certificate is similar to defining a Cfg file. Under the <tt class="docutils literal"><span class="pre">SSLCA/</span></tt> directory of your Bcfg2 repository, create the directory structure to match the path to your key. In this case this would be something like <tt class="docutils literal"><span class="pre">/var/lib/bcfg2/SSLCA/etc/pki/tls/private/localhost.key</span></tt>.</p> </li>
<li><p class="first">Within that directory, create a <a class="reference internal" href="#key-xml">key.xml</a> file containing the following:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt"><KeyInfo></span>
  <span class="nt"><Key</span> <span class="na">type=</span><span class="s">"rsa"</span> <span class="na">bits=</span><span class="s">"2048"</span> <span class="nt">/></span>
<span class="nt"></KeyInfo></span>
</pre></div> </div> </li>
<li><p class="first">This will cause the generation of a 2048-bit RSA key when a client requests that Path. Alternatively you can specify <tt class="docutils literal"><span class="pre">dsa</span></tt> as the key type, or a different number of bits.</p> </li>
<li><p class="first">Similarly, create the matching directory structure for the certificate path, and a <a class="reference internal" href="#cert-xml">cert.xml</a> containing the following:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt"><CertInfo></span>
  <span class="nt"><Cert</span> <span class="na">format=</span><span class="s">"pem"</span> <span class="na">key=</span><span class="s">"/etc/pki/tls/private/localhost.key"</span> <span class="na">ca=</span><span class="s">"default"</span> <span class="na">days=</span><span class="s">"365"</span>
        <span class="na">c=</span><span class="s">"US"</span> <span class="na">l=</span><span class="s">"New York"</span> <span class="na">st=</span><span class="s">"New York"</span> <span class="na">o=</span><span class="s">"Your Company Name"</span> <span class="nt">/></span>
<span class="nt"></CertInfo></span>
</pre></div> </div> </li>
<li><p class="first">When a client requests the cert path, a certificate will be generated using the key hostfile at the specified key location, signed by the CA matching the <tt class="docutils literal"><span class="pre">ca</span></tt> attribute; i.e., <tt class="docutils literal"><span class="pre">ca="default"</span></tt> will match the <tt class="docutils literal"><span class="pre">[sslca_default]</span></tt> section in your <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt>.</p> </li>
</ol> </div>
<div class="section" id="configuration"> <span id="sslca-configuration"></span><h2>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h2>
<div class="section" id="bcfg2-conf"> <h3>bcfg2.conf<a class="headerlink" href="#bcfg2-conf" title="Permalink to this headline">¶</a></h3>
<p><tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> contains miscellaneous configuration options for the SSLCA plugin. These are described in some detail above in <a class="reference internal" href="#getting-started"><em>Getting started</em></a>, but are also enumerated here as a reference. Any booleans in the config file accept the values “1”, “yes”, “true”, and “on” for True, and “0”, “no”, “false”, and “off” for False.</p>
<p>Each directive below should appear at most once in each <tt class="docutils literal"><span class="pre">[sslca_<name>]</span></tt> section.
The following directives are understood:</p> <table border="1" class="docutils"> <colgroup> <col width="19%" /> <col width="57%" /> <col width="12%" /> <col width="12%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head">Name</th> <th class="head">Description</th> <th class="head">Values</th> <th class="head">Default</th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td>config</td> <td>Path to the openssl config for the CA</td> <td>String</td> <td>None</td> </tr> <tr class="row-odd"><td>passphrase</td> <td>Passphrase for the CA private key</td> <td>String</td> <td>None</td> </tr> <tr class="row-even"><td>chaincert</td> <td>Path to the SSL chaining certificate for verification</td> <td>String</td> <td>None</td> </tr> <tr class="row-odd"><td>root_ca</td> <td>Whether or not <tt class="docutils literal"><span class="pre"><chaincert></span></tt> is a root CA (as opposed to an intermediate cert)</td> <td>Boolean</td> <td>false</td> </tr> </tbody> </table> <p>Only <tt class="docutils literal"><span class="pre">config</span></tt> is required.</p> </div> <div class="section" id="cert-xml"> <h3>cert.xml<a class="headerlink" href="#cert-xml" title="Permalink to this headline">¶</a></h3> <dl class="schema" id="schema:sslca-cert.xsd"> <dt id="schema:sslca-cert.xsd"> <!--[schema:sslca-cert.xsd]--><em>schema</em> <strong>sslca-cert.xsd</strong><a class="headerlink" href="#schema:sslca-cert.xsd" title="Permalink to this definition">¶</a></dt> </dt> <dd><blockquote class="first"> <div>Schema for <a class="reference internal" href="#server-plugins-generators-sslca"><em>SSLCA</em></a> <tt class="docutils literal"><span class="pre">cert.xml</span></tt></div></blockquote> <dl class="last element" id="element:CertInfo"> <dt id="element:CertInfo"> <!--[element:CertInfo]--><em>element</em> <strong>CertInfo</strong><a class="headerlink" href="#element:CertInfo" title="Permalink to this definition">¶</a></dt> </dt> <dd><blockquote class="first"> 
<div>Top-level tag for describing an SSLCA generated certificate.</div></blockquote> <dl class="last docutils" id="complexType:CertInfo"> <dt>Child elements:</dt> <dd><ul class="first last"> <li><dl class="element" id="element:Cert"> <dt id="element:Cert"> <!--[element:Cert]--><em>element</em> <strong>Cert</strong><a class="headerlink" href="#element:Cert" title="Permalink to this definition">¶</a></dt> </dt> <dd><p class="first"></p> <dl class="last docutils" id="complexType:CertType"> <dt>Attributes:</dt> <dd><table border="1" class="first last docutils"> <colgroup> <col width="10%" /> <col width="50%" /> <col width="20%" /> <col width="10%" /> <col width="10%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head"><p class="first last">Name</p> </th> <th class="head"><p class="first last">Description</p> </th> <th class="head"><p class="first last">Values</p> </th> <th class="head"><p class="first last">Required</p> </th> <th class="head"><p class="first last">Default</p> </th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:key"></span><tt class="docutils literal"><span class="pre">key</span></tt></p> </td> <td><blockquote class="first last"> <div><p>The full path to the key entry to use for this certificate. 
This is the <em>client</em> path; e.g., for a key defined at <tt class="docutils literal"><span class="pre">/var/lib/bcfg2/SSLCA/etc/pki/tls/private/foo.key/key.xml</span></tt>, <strong>key</strong> should be <tt class="docutils literal"><span class="pre">/etc/pki/tls/private/foo.key</span></tt>.</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">Yes</p> </td> <td><p class="first last">None</p> </td> </tr> <tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:append_chain"></span><tt class="docutils literal"><span class="pre">append_chain</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Append the CA chain certificate to the generated certificate (e.g., to produce a certificate in the format required by Nginx.)</p> </div></blockquote> </td> <td><p class="first last"><p><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></p> </p> </td> <td><p class="first last">No</p> </td> <td><tt class="first last docutils literal"><span class="pre">false</span></tt></td> </tr> <tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:c"></span><tt class="docutils literal"><span class="pre">c</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Override the country set in the CA config</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><p class="first last">None</p> </td> </tr> <tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:ca"></span><tt class="docutils literal"><span 
class="pre">ca</span></tt></p> </td> <td><blockquote class="first last"> <div><p>The name of the CA (from <a class="reference internal" href="#sslca-configuration"><em>bcfg2.conf</em></a>) to use to generate this certificate.</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><tt class="first last docutils literal"><span class="pre">default</span></tt></td> </tr> <tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:days"></span><tt class="docutils literal"><span class="pre">days</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Time (in days) the certificate will be valid for.</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#integer"><tt class="docutils literal"><span class="pre">integer</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><tt class="first last docutils literal"><span class="pre">365</span></tt></td> </tr> <tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:emailaddress"></span><tt class="docutils literal"><span class="pre">emailaddress</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Override the email address set in the CA config</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><p class="first last">None</p> </td> </tr> <tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:format"></span><tt class="docutils literal"><span class="pre">format</span></tt></p> </td> <td><blockquote class="first last"> 
<div><p>The certificate format to produce.</p> </div></blockquote> </td> <td><p class="first last"><p><tt class="docutils literal"><span class="pre">pem</span></tt></p> </p> </td> <td><p class="first last">No</p> </td> <td><tt class="first last docutils literal"><span class="pre">pem</span></tt></td> </tr> <tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:l"></span><tt class="docutils literal"><span class="pre">l</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Override the location set in the CA config</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><p class="first last">None</p> </td> </tr> <tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:o"></span><tt class="docutils literal"><span class="pre">o</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Override the organization set in the CA config</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><p class="first last">None</p> </td> </tr> <tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:ou"></span><tt class="docutils literal"><span class="pre">ou</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Override the organizational unit set in the CA config</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><p class="first last">None</p> </td> </tr> 
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:st"></span><tt class="docutils literal"><span class="pre">st</span></tt></p> </td> <td><blockquote class="first last"> <div><p>Override the state set in the CA config</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><p class="first last">None</p> </td> </tr> </tbody> </table> </dd> </dl> </dd> </dl> </li> <li><dl class="element" id="element:Group"> <dt id="element:Group"> <!--[element:Group]--><em>element</em> <strong>Group</strong><a class="headerlink" href="#element:Group" title="Permalink to this definition">¶</a></dt> </dt> <dd><p class="first"></p> <p class="last">Type: <a class="reference internal" href="#complexType:SSLCACertGroupType"><tt class="docutils literal"><span class="pre">SSLCACertGroupType</span></tt></a></p> </dd> </dl> </li> <li><dl class="element" id="element:Client"> <dt id="element:Client"> <!--[element:Client]--><em>element</em> <strong>Client</strong><a class="headerlink" href="#element:Client" title="Permalink to this definition">¶</a></dt> </dt> <dd><p class="first"></p> <p class="last">Type: <a class="reference internal" href="#complexType:SSLCACertGroupType"><tt class="docutils literal"><span class="pre">SSLCACertGroupType</span></tt></a></p> </dd> </dl> </li> <li><dl class="element" id="element:subjectAltName"> <dt id="element:subjectAltName"> <!--[element:subjectAltName]--><em>element</em> <strong>subjectAltName</strong><a class="headerlink" href="#element:subjectAltName" title="Permalink to this definition">¶</a></dt> </dt> <dd><p class="first"></p> <p class="last"><strong>subjectAltName</strong> takes only text content, which may be the following values: <a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt 
class="docutils literal"><span class="pre">string</span></tt></a></p> </dd> </dl> </li> </ul> </dd> </dl> </dd> </dl> </dd> </dl> <dl class="complexType" id="complexType:SSLCACertGroupType"> <dt id="complexType:SSLCACertGroupType"> <!--[complexType:SSLCACertGroupType]--><em>complexType</em> <strong>SSLCACertGroupType</strong><a class="headerlink" href="#complexType:SSLCACertGroupType" title="Permalink to this definition">¶</a></dt> </dt> <dd><blockquote class="first"> <div>An <strong>SSLCACertGroupType</strong> is a tag used to provide logic. Child entries of an SSLCACertGroupType tag only apply to machines that match the condition specified – either membership in a group, or a matching client name. <a class="reference internal" href="#attribute:SSLCACertGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> can be set to negate the sense of the match.</div></blockquote> <dl class="last docutils"> <dt>Attributes:</dt> <dd><table border="1" class="first last docutils"> <colgroup> <col width="10%" /> <col width="50%" /> <col width="20%" /> <col width="10%" /> <col width="10%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head">Name</th> <th class="head">Description</th> <th class="head">Values</th> <th class="head">Required</th> <th class="head">Default</th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td><span class="target" id="attribute:SSLCACertGroupType:name"></span><tt class="docutils literal"><span class="pre">name</span></tt></td> <td><blockquote class="first last"> <div>The name of the client or group to match on. 
Child entries will only apply to this client or group (unless <a class="reference internal" href="#attribute:SSLCACertGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> is set).</div></blockquote> </td> <td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td> <td>No</td> <td>None</td> </tr> <tr class="row-odd"><td><span class="target" id="attribute:SSLCACertGroupType:negate"></span><tt class="docutils literal"><span class="pre">negate</span></tt></td> <td><blockquote class="first last"> <div>Negate the sense of the match, so that child entries only apply to a client if it is not a member of the given group or does not have the given name.</div></blockquote> </td> <td><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></td> <td>No</td> <td>None</td> </tr> </tbody> </table> </dd> <dt>Child elements:</dt> <dd><ul class="first last simple"> <li><a class="reference internal" href="#element:Cert"><tt class="docutils literal"><span class="pre">Cert</span></tt></a></li> <li><a class="reference internal" href="../../info.html#element:Group"><tt class="docutils literal"><span class="pre">Group</span></tt></a></li> <li><a class="reference internal" href="../../info.html#element:Client"><tt class="docutils literal"><span class="pre">Client</span></tt></a></li> <li><a class="reference internal" href="#element:subjectAltName"><tt class="docutils literal"><span class="pre">subjectAltName</span></tt></a></li> </ul> </dd> </dl> </dd> </dl>
<div class="section" id="example"> <h4>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h4>
<p>The <tt class="docutils literal"><span class="pre">subjectAltName</span></tt> element may appear at the top level, as here, or inside a <tt class="docutils literal"><span class="pre">Group</span></tt> or <tt class="docutils literal"><span class="pre">Client</span></tt>; XML element names are case-sensitive, so spell it exactly as in the schema above. In this example the <tt class="docutils literal"><span class="pre">nginx</span></tt> group additionally gets the CA chain appended to the certificate file:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt"><CertInfo></span>
  <span class="nt"><subjectAltName></span>test.example.com<span class="nt"></subjectAltName></span>
  <span class="nt"><Group</span> <span class="na">name=</span><span class="s">"apache"</span><span class="nt">></span>
    <span class="nt"><Cert</span> <span class="na">key=</span><span class="s">"/etc/pki/tls/private/foo.key"</span> <span class="na">days=</span><span class="s">"730"</span><span class="nt">/></span>
  <span class="nt"></Group></span>
  <span class="nt"><Group</span> <span class="na">name=</span><span class="s">"nginx"</span><span class="nt">></span>
    <span class="nt"><Cert</span> <span class="na">key=</span><span class="s">"/etc/pki/tls/private/foo.key"</span> <span class="na">days=</span><span class="s">"730"</span> <span class="na">append_chain=</span><span class="s">"true"</span><span class="nt">/></span>
  <span class="nt"></Group></span>
<span class="nt"></CertInfo></span>
</pre></div> </div> </div> </div>
<div class="section" id="key-xml"> <h3>key.xml<a class="headerlink" href="#key-xml" title="Permalink to this headline">¶</a></h3> <dl class="schema" id="schema:sslca-key.xsd"> <dt id="schema:sslca-key.xsd"> <!--[schema:sslca-key.xsd]--><em>schema</em> <strong>sslca-key.xsd</strong><a class="headerlink" href="#schema:sslca-key.xsd" title="Permalink to this definition">¶</a></dt> </dt> <dd><blockquote class="first"> <div>Schema for <a class="reference internal" href="#server-plugins-generators-sslca"><em>SSLCA</em></a> <tt class="docutils literal"><span class="pre">key.xml</span></tt></div></blockquote> <dl class="last element" id="element:KeyInfo"> <dt id="element:KeyInfo"> <!--[element:KeyInfo]--><em>element</em> <strong>KeyInfo</strong><a class="headerlink" href="#element:KeyInfo" title="Permalink to this definition">¶</a></dt> </dt> <dd><blockquote class="first"> <div>Top-level tag for describing an SSLCA generated key.</div></blockquote> <dl class="last docutils" id="complexType:KeyInfo"> <dt>Child elements:</dt> <dd><ul class="first last"> <li><dl class="element" id="element:Key"> <dt id="element:Key">
<!--[element:Key]--><em>element</em> <strong>Key</strong><a class="headerlink" href="#element:Key" title="Permalink to this definition">¶</a></dt> </dt> <dd><p class="first"></p> <dl class="last docutils" id="complexType:KeyType"> <dt>Attributes:</dt> <dd><table border="1" class="first last docutils"> <colgroup> <col width="10%" /> <col width="50%" /> <col width="20%" /> <col width="10%" /> <col width="10%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head"><p class="first last">Name</p> </th> <th class="head"><p class="first last">Description</p> </th> <th class="head"><p class="first last">Values</p> </th> <th class="head"><p class="first last">Required</p> </th> <th class="head"><p class="first last">Default</p> </th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td><p class="first last"><span class="target" id="attribute:KeyType:bits"></span><tt class="docutils literal"><span class="pre">bits</span></tt></p> </td> <td><blockquote class="first last"> <div><p>The key length</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#nonNegativeInteger"><tt class="docutils literal"><span class="pre">nonNegativeInteger</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><tt class="first last docutils literal"><span class="pre">2048</span></tt></td> </tr> <tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:KeyType:type"></span><tt class="docutils literal"><span class="pre">type</span></tt></p> </td> <td><blockquote class="first last"> <div><p>The key type</p> </div></blockquote> </td> <td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p> </td> <td><p class="first last">No</p> </td> <td><tt class="first last docutils literal"><span class="pre">rsa</span></tt></td> </tr> </tbody> </table> </dd> </dl> 
</dd> </dl> </li> <li><dl class="element" id="element:Group"> <dt id="element:Group"> <!--[element:Group]--><em>element</em> <strong>Group</strong><a class="headerlink" href="#element:Group" title="Permalink to this definition">¶</a></dt> </dt> <dd><p class="first"></p> <p class="last">Type: <a class="reference internal" href="#complexType:SSLCAKeyGroupType"><tt class="docutils literal"><span class="pre">SSLCAKeyGroupType</span></tt></a></p> </dd> </dl> </li> <li><dl class="element" id="element:Client"> <dt id="element:Client"> <!--[element:Client]--><em>element</em> <strong>Client</strong><a class="headerlink" href="#element:Client" title="Permalink to this definition">¶</a></dt> </dt> <dd><p class="first"></p> <p class="last">Type: <a class="reference internal" href="#complexType:SSLCAKeyGroupType"><tt class="docutils literal"><span class="pre">SSLCAKeyGroupType</span></tt></a></p> </dd> </dl> </li> </ul> </dd> </dl> </dd> </dl> </dd> </dl> <dl class="complexType" id="complexType:SSLCAKeyGroupType"> <dt id="complexType:SSLCAKeyGroupType"> <!--[complexType:SSLCAKeyGroupType]--><em>complexType</em> <strong>SSLCAKeyGroupType</strong><a class="headerlink" href="#complexType:SSLCAKeyGroupType" title="Permalink to this definition">¶</a></dt> </dt> <dd><blockquote class="first"> <div>An <strong>SSLCAKeyGroupType</strong> is a tag used to provide logic. Child entries of an SSLCAKeyGroupType tag only apply to machines that match the condition specified – either membership in a group, or a matching client name. 
<a class="reference internal" href="#attribute:SSLCAKeyGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> can be set to negate the sense of the match.</div></blockquote> <dl class="last docutils"> <dt>Attributes:</dt> <dd><table border="1" class="first last docutils"> <colgroup> <col width="10%" /> <col width="50%" /> <col width="20%" /> <col width="10%" /> <col width="10%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head">Name</th> <th class="head">Description</th> <th class="head">Values</th> <th class="head">Required</th> <th class="head">Default</th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td><span class="target" id="attribute:SSLCAKeyGroupType:name"></span><tt class="docutils literal"><span class="pre">name</span></tt></td> <td><blockquote class="first last"> <div>The name of the client or group to match on. Child entries will only apply to this client or group (unless <a class="reference internal" href="#attribute:SSLCAKeyGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> is set).</div></blockquote> </td> <td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td> <td>No</td> <td>None</td> </tr> <tr class="row-odd"><td><span class="target" id="attribute:SSLCAKeyGroupType:negate"></span><tt class="docutils literal"><span class="pre">negate</span></tt></td> <td><blockquote class="first last"> <div>Negate the sense of the match, so that child entries only apply to a client if it is not a member of the given group or does not have the given name.</div></blockquote> </td> <td><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></td> <td>No</td> <td>None</td> </tr> </tbody> </table> </dd> <dt>Child elements:</dt> <dd><ul 
class="first last simple"> <li><a class="reference internal" href="#element:Key"><tt class="docutils literal"><span class="pre">Key</span></tt></a></li> <li><a class="reference internal" href="../../info.html#element:Group"><tt class="docutils literal"><span class="pre">Group</span></tt></a></li> <li><a class="reference internal" href="../../info.html#element:Client"><tt class="docutils literal"><span class="pre">Client</span></tt></a></li> </ul> </dd> </dl> </dd> </dl> <div class="section" id="id2"> <h4>Example<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h4> <div class="highlight-xml"><div class="highlight"><pre><span class="nt"><KeyInfo></span>
  <span class="nt"><Group</span> <span class="na">name=</span><span class="s">"fast"</span><span class="nt">></span>
    <span class="nt"><Key</span> <span class="na">type=</span><span class="s">"rsa"</span> <span class="na">bits=</span><span class="s">"1024"</span><span class="nt">/></span>
  <span class="nt"></Group></span>
  <span class="nt"><Group</span> <span class="na">name=</span><span class="s">"secure"</span><span class="nt">></span>
    <span class="nt"><Key</span> <span class="na">type=</span><span class="s">"rsa"</span> <span class="na">bits=</span><span class="s">"4096"</span><span class="nt">/></span>
  <span class="nt"></Group></span>
<span class="nt"></KeyInfo></span>
</pre></div> </div> </div> </div> </div> <div class="section" id="automated-bcfg2-ssl-authentication"> <h2>Automated Bcfg2 SSL Authentication<a class="headerlink" href="#automated-bcfg2-ssl-authentication" title="Permalink to this headline">¶</a></h2> <p>This section describes one possible scenario for automating SSL certificate generation and distribution for bcfg2 client/server communication using SSLCA.
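</p> <p>As an added illustration of the Group/Client matching rules in the <tt class="docutils literal"><span class="pre">key.xml</span></tt> schema above, the following Python is example code, not part of Bcfg2; the sample key.xml, the client metadata and the "first matching Key in document order wins" rule are this example's own assumptions (the plugin's own precedence is not described on this page).</p>

```python
"""Resolve which <Key> in a key.xml applies to one client.

Added example, not Bcfg2's own code. Group -> group membership,
Client -> client name, negate="true" flips the test, as the schema
above describes; "first matching Key in document order wins" and the
sample key.xml below are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed key.xml: the page's example, plus a negated Client override
# and a catch-all default. 1024-bit RSA is kept only because the page's
# example uses it; it is well below current minimum key sizes.
KEY_XML = """<KeyInfo>
  <Group name="fast">
    <Key type="rsa" bits="1024"/>
  </Group>
  <Group name="secure">
    <Client name="legacy.example.com" negate="true">
      <Key type="rsa" bits="4096"/>
    </Client>
  </Group>
  <Key type="rsa" bits="2048"/>
</KeyInfo>"""


def wrapper_matches(elem, hostname, groups):
    """Does a Group/Client wrapper apply to this client (honouring negate)?"""
    if elem.tag == "Group":
        hit = elem.get("name") in groups
    elif elem.tag == "Client":
        hit = elem.get("name") == hostname
    else:
        return False  # not a conditional wrapper, so nothing to descend into
    if elem.get("negate", "false").lower() == "true":
        hit = not hit
    return hit


def matching_keys(parent, hostname, groups):
    """Yield every <Key> whose enclosing wrappers all match, in document order."""
    for child in parent:
        if child.tag == "Key":
            yield child
        elif wrapper_matches(child, hostname, groups):
            yield from matching_keys(child, hostname, groups)


def key_spec(key_xml, hostname, groups):
    """Return {"type": ..., "bits": ...} for the first applicable Key, or None."""
    root = ET.fromstring(key_xml)
    for key in matching_keys(root, hostname, frozenset(groups)):
        bits = key.get("bits")
        return {"type": key.get("type"), "bits": int(bits) if bits else None}
    return None
```
<p>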
The process involves configuring a certificate authority (CA), generating the CA cert and key pair, and configuring the bcfg2 SSLCA plugin and a Bundle so that the SSLCA-generated certs are used to authenticate the bcfg2 client and server.</p> <div class="section" id="openssl-ca"> <h3>OpenSSL CA<a class="headerlink" href="#openssl-ca" title="Permalink to this headline">¶</a></h3> <p>If you already have an SSL CA available you can skip this section; otherwise you can easily build one on the server using openssl. The paths should be adjusted to suit your preferences.</p> <ol class="arabic"> <li><p class="first">Prepare the directories and files:</p> <div class="highlight-python"><pre>mkdir -p /etc/pki/CA/newcerts
mkdir /etc/pki/CA/crl
echo '01' > /etc/pki/CA/serial
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/crlnumber</pre> </div> </li> <li><p class="first">Edit the <tt class="docutils literal"><span class="pre">openssl.cnf</span></tt> config file, and in the <strong>[ CA_default ]</strong> section adjust the following parameters:</p> <div class="highlight-python"><pre>dir           = /etc/pki                           # Where everything is kept
certs         = /etc/pki/CA/certs                  # Where the issued certs are kept
database      = /etc/pki/CA/index.txt              # database index file.
new_certs_dir = /etc/pki/CA/newcerts               # default place for new certs.
certificate   = /etc/pki/CA/certs/bcfg2ca.crt      # The CA certificate
serial        = /etc/pki/CA/serial                 # The current serial number
crl_dir       = /etc/pki/CA/crl                    # Where the issued crl are kept
crlnumber     = /etc/pki/CA/crlnumber              # the current crl number
crl           = /etc/pki/CA/crl.pem                # The current CRL
private_key   = /etc/pki/CA/private/bcfg2ca.key    # The private key</pre> </div> </li> <li><p class="first">Create the CA root certificate and key pair. You’ll be asked to supply a passphrase and some organizational info.
The most important bit is the <strong>Common Name</strong>, which you should set to the hostname of your bcfg2 server as your clients will see it when doing a reverse DNS query on its IP address:</p> <div class="highlight-python"><pre>openssl req -new -x509 -extensions v3_ca -keyout bcfg2ca.key \
    -out bcfg2ca.crt -days 3650</pre> </div> </li> <li><p class="first">Move the generated cert and key to the locations specified in <tt class="docutils literal"><span class="pre">openssl.cnf</span></tt>:</p> <div class="highlight-python"><pre>mv bcfg2ca.key /etc/pki/CA/private/
mv bcfg2ca.crt /etc/pki/CA/certs/</pre> </div> </li> </ol> <p>Your self-signed CA is now ready to use.</p> </div> <div class="section" id="bcfg2"> <h3>Bcfg2<a class="headerlink" href="#bcfg2" title="Permalink to this headline">¶</a></h3> <div class="section" id="id3"> <h4>SSLCA<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4> <p>The SSLCA plugin was not designed specifically to manage bcfg2 client/server communication, though it is certainly able to provide certificate generation and management services for that purpose.
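</p> <p>The four OpenSSL CA steps from the previous section gathered into one unattended Python script, as an added example that is not Bcfg2's own tooling: it assumes an <tt class="docutils literal"><span class="pre">openssl</span></tt> binary on PATH, uses a constructed Common Name, also creates the certs/ and private/ directories that openssl.cnf refers to, and reads the CN back from the certificate so you can confirm it matches the server's reverse DNS name.</p>

```python
"""The four OpenSSL CA steps above as one unattended script.
Added example, not Bcfg2's own tooling: it needs an `openssl` binary on
PATH for create_ca(), uses a constructed Common Name, and also creates
the certs/ and private/ directories that openssl.cnf refers to.
"""
import os
import re
import subprocess
import tempfile

# [ CA_default ] keys and their paths relative to <dir>/CA, as in step 2 above.
CA_FILES = (("certs", "certs"), ("database", "index.txt"), ("new_certs_dir", "newcerts"),
            ("certificate", "certs/bcfg2ca.crt"), ("serial", "serial"), ("crl_dir", "crl"),
            ("crlnumber", "crlnumber"), ("crl", "crl.pem"), ("private_key", "private/bcfg2ca.key"))

def prepare_ca(base=None):
    """Step 1: directories, serial, index.txt and crlnumber under base/CA."""
    base = base or tempfile.mkdtemp(prefix="pki-")  # stand-in for /etc/pki
    ca = os.path.join(base, "CA")
    for sub in ("certs", "private", "newcerts", "crl"):
        os.makedirs(os.path.join(ca, sub), exist_ok=True)
    os.chmod(os.path.join(ca, "private"), 0o700)  # CA key directory: owner only
    with open(os.path.join(ca, "serial"), "w") as fh:
        fh.write("01\n")
    for name in ("index.txt", "crlnumber"):
        open(os.path.join(ca, name), "a").close()
    return ca

def ca_default_section(base):
    """Step 2: the [ CA_default ] values from above, rooted at base instead of /etc/pki."""
    lines = ["[ CA_default ]", "dir = " + base]
    lines += ["%s = %s/CA/%s" % (key, base, rel) for key, rel in CA_FILES]
    return "\n".join(lines) + "\n"

def subject_cn(subject_line):
    """CN from `openssl x509 -noout -subject` output, old '/' or new ', ' style."""
    match = re.search(r"\bCN\s*=\s*([^,/\n]+)", subject_line)
    return match.group(1).strip() if match else None

def create_ca(ca, common_name, days=3650):
    """Steps 3-4: self-signed CA cert and key written straight to their final paths.
    -nodes/-subj make it unattended (drop them to be prompted as in the step above);
    returns the CN read back from the cert so the caller can verify it."""
    key = os.path.join(ca, "private", "bcfg2ca.key")
    crt = os.path.join(ca, "certs", "bcfg2ca.crt")
    subprocess.run(["openssl", "req", "-new", "-x509", "-extensions", "v3_ca", "-nodes",
                    "-keyout", key, "-out", crt, "-days", str(days),
                    "-subj", "/CN=" + common_name],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.chmod(key, 0o600)  # the CA private key must never be group/world readable
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-in", crt],
                         check=True, capture_output=True, text=True).stdout
    return subject_cn(out)
```

Calling <tt class="docutils literal"><span class="pre">create_ca(prepare_ca(), "bcfg2.example.com")</span></tt> (a constructed name) yields the CN it should return; compare that with what <tt class="docutils literal"><span class="pre">host</span></tt> reports for the server's IP before pointing clients at it.
<p>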
You’ll need to configure the <strong>SSLCA</strong> plugin to serve the key and certificate paths that we will define later in the client’s <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> file.</p> <p>The rest of these instructions will assume that you’ve configured the <strong>SSLCA</strong> plugin as described above and that the files <tt class="docutils literal"><span class="pre">SSLCA/etc/pki/tls/certs/bcfg2client.crt/cert.xml</span></tt> and <tt class="docutils literal"><span class="pre">SSLCA/etc/pki/tls/private/bcfg2client.key/key.xml</span></tt> represent the cert and key paths you want generated for SSL auth.</p> </div> <div class="section" id="client-bundle"> <h4>Client Bundle<a class="headerlink" href="#client-bundle" title="Permalink to this headline">¶</a></h4> <p>To automate the process of generating and distributing certs to the clients we need to define, in a Bundle, at least the cert and key paths served by the SSLCA plugin as well as the CA certificate path.
For example:</p> <div class="highlight-xml"><div class="highlight"><pre><span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/pki/tls/certs/bcfg2ca.crt'</span><span class="nt">/></span>
<span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/pki/tls/certs/bcfg2client.crt'</span><span class="nt">/></span>
<span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/pki/tls/private/bcfg2client.key'</span><span class="nt">/></span>
</pre></div> </div> <p>Here’s a more complete example bcfg2-client bundle:</p> <div class="highlight-xml"><div class="highlight"><pre><span class="nt"><Bundle</span> <span class="na">name=</span><span class="s">'bcfg2-client'</span><span class="nt">></span>
  <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/bcfg2.conf'</span><span class="nt">/></span>
  <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/cron.d/bcfg2-client'</span><span class="nt">/></span>
  <span class="nt"><Package</span> <span class="na">name=</span><span class="s">'bcfg2'</span><span class="nt">/></span>
  <span class="nt"><Service</span> <span class="na">name=</span><span class="s">'bcfg2'</span><span class="nt">/></span>
  <span class="nt"><Group</span> <span class="na">name=</span><span class="s">'rpm'</span><span class="nt">></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/sysconfig/bcfg2'</span><span class="nt">/></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/pki/tls/certs/bcfg2ca.crt'</span><span class="nt">/></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/pki/tls/certs/bcfg2client.crt'</span><span class="nt">/></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/pki/tls/private/bcfg2client.key'</span><span class="nt">/></span>
  <span class="nt"></Group></span>
  <span class="nt"><Group</span> <span class="na">name=</span><span class="s">'deb'</span><span class="nt">></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/default/bcfg2'</span> <span class="na">altsrc=</span><span class="s">'/etc/sysconfig/bcfg2'</span><span class="nt">/></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/ssl/certs/bcfg2ca.crt'</span> <span class="na">altsrc=</span><span class="s">'/etc/pki/tls/certs/bcfg2ca.crt'</span><span class="nt">/></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/ssl/certs/bcfg2client.crt'</span> <span class="na">altsrc=</span><span class="s">'/etc/pki/tls/certs/bcfg2client.crt'</span><span class="nt">/></span>
    <span class="nt"><Path</span> <span class="na">name=</span><span class="s">'/etc/ssl/private/bcfg2client.key'</span> <span class="na">altsrc=</span><span class="s">'/etc/pki/tls/private/bcfg2client.key'</span><span class="nt">/></span>
  <span class="nt"></Group></span>
<span class="nt"></Bundle></span>
</pre></div> </div> <p>In the above example we told Bcfg2 that it also needs to serve <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt>. This is optional but convenient.</p> <p>The <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> client config needs at least 5 parameters set for SSL auth.</p> <ol class="arabic simple"> <li><tt class="docutils literal"><span class="pre">key</span></tt> : This is the host-specific key that SSLCA will generate.</li> <li><tt class="docutils literal"><span class="pre">certificate</span></tt> : This is the host-specific cert that SSLCA will generate.</li> <li><tt class="docutils literal"><span class="pre">ca</span></tt> : This is a copy of your CA certificate. Not generated by SSLCA.</li> <li><tt class="docutils literal"><span class="pre">user</span></tt> : Usually set to the FQDN of the client. This <em>shouldn’t</em> be required but is as of 1.3.0.
See: <a class="reference external" href="http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019">http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019</a></li> <li><tt class="docutils literal"><span class="pre">password</span></tt> : Set to an arbitrary string when using certificate auth. This also <em>shouldn’t</em> be required. See: <a class="reference external" href="http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019">http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019</a></li> </ol> <p>Here’s what a functional <strong>[communication]</strong> section in a <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> genshi template for clients might look like:</p> <div class="highlight-python"><pre>[communication]
protocol = xmlrpc/ssl
{% if metadata.uuid != None %}\
user = ${metadata.uuid}
{% end %}\
password = DUMMYPASSWORDFORCERTAUTH
{% choose %}\
{% when 'rpm' in metadata.groups %}\
certificate = /etc/pki/tls/certs/bcfg2client.crt
key = /etc/pki/tls/private/bcfg2client.key
ca = /etc/pki/tls/certs/bcfg2ca.crt
{% end %}\
{% when 'deb' in metadata.groups %}\
certificate = /etc/ssl/certs/bcfg2client.crt
key = /etc/ssl/private/bcfg2client.key
ca = /etc/ssl/certs/bcfg2ca.crt
{% end %}\
{% end %}\</pre> </div> <p>As a client will not be able to authenticate with certificates it does not yet possess, we need to overcome the chicken-and-egg scenario the first time we try to connect such a client to the server.
We can do so using password-based auth to bootstrap the client, manually specifying all the relevant auth parameters like so:</p> <div class="highlight-python"><pre>bcfg2 -qv -S https://fqdn.of.bcfg2-server:6789 -u fqdn.of.client \
    -x SUPER_SECRET_PASSWORD</pre> </div> <p>If all goes well the client should receive a freshly generated key and cert, and you should be able to run <tt class="docutils literal"><span class="pre">bcfg2</span></tt> again without specifying the connection parameters.</p> <p>If you do run into problems you may want to review <a class="reference internal" href="../../../appendix/guides/authentication.html#appendix-guides-authentication"><em>Authentication</em></a>.</p> </div> </div> </div> <div class="section" id="todo"> <h2>TODO<a class="headerlink" href="#todo" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> <li>Add generation of pkcs12 format certs</li> </ol> </div> </div> </div> </div> </div> <div class="clearer"></div> </div> <div class="footer"> © Copyright 2009-2013, Narayan Desai. Last updated on Mar 20, 2013. Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3. </div> </body> </html>