blob: 1c6bef7af8a86c4abd6d1cdd2f2fe88ad68200ec (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
All paths assume default configs
autosign = no
listen_addr =
listen_port = 51235
cadir = /etc/pki/certmaster/ca
cert_dir = /etc/pki/certmaster
certroot = /var/lib/certmaster/certmaster/certs
csrroot = /var/lib/certmaster/certmaster/csrs
cert_extension = cert
Certmaster starts up first time
certmaster creates a CA cert.
1. Makes a keypair in the cadir /etc/pki/certmaster/ca/certmaster.key.
This is a 2048 bit RSA private key stored in PEM format.
2. A Certificate Signing Request is created and signed by the private key in
/etc/pki/certmaster/certmaster.key
3. An X509 cert object is created. It's serial number is set based on the
contents of /etc/pki/certmaster/ca/serial.txt. The CN and other info is
from the CSR created in step 2. This includes it's pubkey.
4. A PEM formated CA cert is written to /etc/pki/certmaster/ca/certmaster.crt. It
is signed by the private key created in step 1.
certmaster daemon starts up and waits for connections from minions. minions
know where the certmater is based on the "certmaster" setting in /etc/certmaster/minion.conf.
On the Minion (funcd startup) first time.
1. funcd create a private key for the minion. This file is in /etc/pki/certmaster/HOSTNAME.pem.
This is also a 2048 but RSA private key stored in PEM format.
2. A Certificate Signing Request is created and stored in /etc/pki/certmaster/HOSTNAME.csr
This is signed by the private key (/etc/pki/certmaster/HOSTNAME.pem created in step 1)
This file is also in PEM format.
3. funcd submits the CSR created in step 2 to the certmaster. It does this by passing the
contents of the csr to the xmlrpc funtion wait_for_cert() on the certmaster.
On The certmaster after it gets a cert signing request
When the certmaster get a wait_for_cert() call with a csr as the data
1. The certmaster loads the CSR (transmited in PEM format).
2. It determines the hostname of the system thats requesting the cert based on the
value of the CN of the signing request. Note that this may be different than the hostname
the request resolves to on the certmaster, depending on network/dns/etc config.
3. Certmaster checks to see if a cert for that hosts already exist. The csr and signed certs
for the host are stored on the certmaster in /etc/pki/certmaster/HOSTNAME.csr and /etc/pki/certmaster/HOSTNAME.cert
If the cert exists already, the request is ignored. If it exist but doesnt match the new request, a fault is raised.
4. The csr request is stored on disk by the certmaster in /etc/pki/certmaster/HOSTNAME.csr in PEM format.
(note: if autosigned is turned on, the request is signed and retured to the host as described later)
If the csr is not autosigned, the certmaster returns false to the minion, and the minion will retry
later.
On the certmaster host after a minion has made a cert request
If manual interventions is required to sign a cert (as is the default), the admin of the certmaster
must signed the csrs with the "certmaster-ca" utility.
"certmaster-ca --sign HOSTNAME" will sign the csr.
The signing process is:
1. The CSR is read
2. The hostname is based on the CN of the CSR
3. an X509 object is created with a serial number from /etc/pki/certmater/ca/serial.txt
(this number should increment for every cert signed).
4. The file is written to the certmaster certroot in /var/lib/certmaster/certs/HOSTNAME.cert
On the minion after the cert is signed
If the minion has not received a signed cert, it will request one every 10 seconds.
When the minion does receive a signed cert from the certmaster, it will get the signed cert
(the contents of /var/lib/certmaster/certs/HOSTNAME.cert on the cermaster) and the contents
of the CA request (the contents of /etc/pki/certmaster/ca/certmaster.crt).
The signed cert is saved to /etc/pki/certmaster/HOSTNAME.cert on the minion and the
ca cert is saved to /etc/pki/certmaster/ca.cert.
Then the funcd server will start up. It uses it's private key ("/etc/pki/certmaster/HOSTNAME.pem"
created in minion step 1. It's signed cert ("/etc/pki/certmaster/HOSTNAME.cert") and the
CA cert from the certmaster ("/etc/pki/certmaster/ca.cert")
|
