EasyPKISpec
Launchpad Entry: server-lucid-easy-pki
Created: 2009-11-20
Contributors: ThierryCarrez
Packages affected:
Summary
Provide a new tool to easily manage a public-key infrastructure, for use with server packages shipped in Ubuntu.
Release Note
The new upki tool allows to easily create and deploy certificates and public/private keypairs for use with various server stacks in Ubuntu Server, including openvpn.
Rationale
Several packages make use of SSL certificates and public/private keys. They all tend to ship their own tools (apache2-ssl-certificate for apache2) which sometimes are not packaged in a usable way (easy-rsa for openvpn). Those tools are all different, sometimes only produce self-signed certificates, can be complex and don't handle deployment. So, rather than packaging and shipping a separate tool for each stack, it makes sense to provide a single CLI tool to manage a simple CA that can support all the different package needs.
User stories
- As a openvpn user, I want to generate certificates and keys for my VPN setup. I use upki (with its openvpn plugin) and it creates and deploys the required items for me.
- As an apache2 sysadmin, I want to generate a certificate for my HTTPS website. I use upki (with its apache2 plugin) and it generates a certificate signed by my own local CA.
- As the same apache2 sysadmin, I want to get a certificate for my website that is recognized by default on browsers. I use upki to generate a CSR and send it to the external CA of my choice.
Assumptions
Design
- Python-based
- upki core handles key generation
- service-specific "plugins" expose commands meaningful to that specific service
Implementation
tbd.
Test/Demo Plan
tbd.
Unresolved issues
None.
BoF agenda and discussion
UDS discussion notes
Objectives
- User-friendly interface to certificate generation
- Service-oriented plugins for deployment and service-specific needs
Options
- Package easy-rsa
- Low-cost, but non-extensible
- Not suitable for all use cases (i.e. it has some bias towards OpenVPN use)
- Potentially a worthy goal simply for OpenVPN users, since the current packaging is not ideal
- Upstream designed it from a "run script in CA directory" perspective, will need a delta with upstream to be FHS-compliant
- upki: rewrite easy-rsa in python, same feature set, extensible for, say, publication
- openca
- more complete solution
- upstream not very active but CAcert still contributing to it
Timeframe
- easy-rsa for Lucid (or basic upki)
- upki for the next LTS cycle
Brainstorm
- Wizard mode, that could help in generating a CSR, showing some snippets of config file, etc
- Is there an official group to chown certs to? ie: same cert for Postfix + Apache (yes, ssl-cert)
- How to deal with ssl certs for Apache virtual hosting
- OpenLDAP: need to work with self-signed (add tls_checkpeer and TLS_REQCERT in the ldap.conf file?)
- some kind of notification that certificate will expire in X days
- motd entry, email, nagios/nrpe check
- install easy-pki with openssl (it should be small, so it won't take precious resources)
EasyPKISpec (last edited 2009-12-03 08:47:18 by lns-bzn-48f-81-56-218-246)