
CA handler for NetGuard Certificate Manager and Insta Certifier

grindsa edited this page Jun 13, 2021 · 9 revisions

Connecting to Insta Certifier

Prerequisites

  • the Certifier needs to have the REST-service activated
  • you have a user and password to access Certifier via REST-Service

Configuration

  • copy the ca_handler into the acme directory
root@rlh:~# cp example/ca_handlers/certifier_ca_handler.py acme/ca_handler.py
  • modify the server configuration (/acme/acme_srv.cfg) and add the following parameters
[CAhandler]
api_host: http://<ip>:<port>
api_user: <user>
api_password: <password>
ca_bundle: <value>
ca_name: <ca_name>
polling_timeout: <seconds>
  • api_host - URL of the Certifier REST service. The REST user's credentials are sent to this host on every request, so use an https URL and a ca_bundle that can validate the server certificate
  • api_user - REST user
  • api_user_variable - optional - name of the environment variable containing the REST username (a configured api_user parameter in acme_srv.cfg takes precedence)
  • api_password - password for the REST user
  • api_password_variable - optional - name of the environment variable containing the password for the REST user (a configured api_password parameter in acme_srv.cfg takes precedence)
  • ca_bundle - optional - certificate bundle needed to validate the server certificate - can be True/False or a filename (default: True)
  • ca_name - name of the CA used to enroll certificates
  • polling_timeout - optional - polling timeout in seconds (default: 60)
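The precedence rules above (a value in acme_srv.cfg wins over the environment variable named by api_user_variable / api_password_variable, ca_bundle may be True, False or a filename, polling_timeout defaults to 60) are easy to get wrong when writing a deployment script. The following is an added example, not acme2certifier's own code, that resolves the [CAhandler] section the way the documentation describes; the function names and the sample configuration are this example's own.

```python
"""Resolve the [CAhandler] settings of acme_srv.cfg (added example, not project code)."""
import configparser
import os
import warnings
from typing import Dict, Mapping, Optional, Union

# Keys that must be present once config and environment have been merged.
REQUIRED_KEYS = ("api_host", "api_user", "api_password", "ca_name")


def load_cahandler_section(cfg_text: str) -> configparser.SectionProxy:
    """Parse acme_srv.cfg text and return its [CAhandler] section.

    Interpolation is disabled so that a '%' in a password is taken literally.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if "CAhandler" not in parser:
        raise ValueError("acme_srv.cfg has no [CAhandler] section")
    return parser["CAhandler"]


def resolve_secret(section: Mapping[str, str], key: str,
                   environ: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return <key> from the config; otherwise read the environment variable
    named by <key>_variable. A configured value always takes precedence."""
    if section.get(key):
        return section[key]
    var_name = section.get(f"{key}_variable")
    if var_name:
        return environ.get(var_name)
    return None


def parse_ca_bundle(value: Optional[str]) -> Union[bool, str]:
    """Map ca_bundle to True (verify with system roots, the default),
    False (no verification) or the path of a bundle file."""
    if value is None or not value.strip():
        return True
    lowered = value.strip().lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    return value.strip()


def build_settings(cfg_text: str,
                   environ: Mapping[str, str] = os.environ) -> Dict[str, object]:
    """Merge config and environment into the settings the handler needs."""
    section = load_cahandler_section(cfg_text)
    settings: Dict[str, object] = {
        "api_host": section.get("api_host"),
        "api_user": resolve_secret(section, "api_user", environ),
        "api_password": resolve_secret(section, "api_password", environ),
        "ca_bundle": parse_ca_bundle(section.get("ca_bundle")),
        "ca_name": section.get("ca_name"),
        "polling_timeout": int(section.get("polling_timeout", "60")),
    }
    missing = [k for k in REQUIRED_KEYS if not settings[k]]
    if missing:
        raise ValueError(f"[CAhandler] is missing: {', '.join(missing)}")
    if str(settings["api_host"]).lower().startswith("http://"):
        # Basic-auth credentials travel with every REST call; warn on cleartext.
        warnings.warn("api_host uses http://, REST credentials are sent unencrypted")
    if settings["ca_bundle"] is False:
        warnings.warn("ca_bundle is False, the Certifier server certificate is not validated")
    return settings


# Constructed sample configuration: the password is set in the file and an
# environment variable, the username only via api_user_variable.
SAMPLE_CFG = """
[CAhandler]
api_host: https://certifier.example.net:8443
api_user_variable: CERTIFIER_USER
api_password: from-config
api_password_variable: CERTIFIER_PASS
ca_name: ca_name
"""
SAMPLE_ENV = {"CERTIFIER_USER": "rest-user", "CERTIFIER_PASS": "from-env"}

if __name__ == "__main__":
    print(build_settings(SAMPLE_CFG, SAMPLE_ENV))
```

Running the module prints the merged settings for the constructed sample: api_user comes from the environment because the file sets none, while api_password stays "from-config" even though CERTIFIER_PASS is also set.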

Depending on the CA policy configuration, a CSR may require manual approval. In that situation acme2certifier polls the CA server for the CSR status until it is decided or polling_timeout (configured in acme_srv.cfg, see above) expires.
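The polling behaviour is worth seeing with a clock you control, because a wrong deadline check either hammers the CA or gives up before the approver had a chance. The block below is an added example, not acme2certifier's own code: the Certifier status values "pending", "accepted" and "rejected", the fetch_status callable and the 5 second interval are assumptions made for illustration, not the real REST API.

```python
"""Poll a pending enrollment until decided or polling_timeout expires (added example)."""
import time
from typing import Callable, List, Tuple

# Assumed status vocabulary; Certifier's real field names are not shown on this page.
FINAL_STATES = ("accepted", "rejected")


def poll_request(fetch_status: Callable[[], str],
                 polling_timeout: float = 60.0,
                 interval: float = 5.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> Tuple[str, int]:
    """Poll until a final state is seen or the deadline passes.

    Returns (status, number_of_polls); status is 'timeout' when the request
    is still pending after polling_timeout seconds. clock and sleep are
    injectable so the logic can be exercised without real waiting.
    """
    deadline = clock() + polling_timeout
    polls = 0
    while True:
        polls += 1
        status = fetch_status()
        if status in FINAL_STATES:
            return status, polls
        if status != "pending":
            raise ValueError(f"unexpected request status {status!r}")
        remaining = deadline - clock()
        if remaining <= 0:
            # Still pending: hand the request back as unresolved rather than blocking forever.
            return "timeout", polls
        # Never sleep past the deadline, so the last poll happens exactly at it.
        sleep(min(interval, remaining))


def simulate(statuses: List[str], polling_timeout: float,
             interval: float = 5.0) -> Tuple[str, int]:
    """Run poll_request against a scripted Certifier with a fake clock.

    The scripted answers are constructed sample data; once exhausted the last
    answer is repeated, mimicking a request that stays in its final state.
    """
    answers = list(statuses)
    fake_now = [0.0]

    def fetch_status() -> str:
        return answers.pop(0) if len(answers) > 1 else answers[0]

    def fake_sleep(seconds: float) -> None:
        fake_now[0] += seconds

    return poll_request(fetch_status, polling_timeout, interval,
                        clock=lambda: fake_now[0], sleep=fake_sleep)


if __name__ == "__main__":
    print(simulate(["pending", "pending", "accepted"], polling_timeout=60))
    print(simulate(["pending"], polling_timeout=12))
```

With the default 60 second timeout an approval granted on the third poll is reported as accepted; a request that stays pending is returned as "timeout" after the deadline, with the final poll landing exactly at the deadline rather than one interval later.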

You can get the ca_name by running the following REST call against Certifier (use --cacert <file> if ca_bundle points to a private CA bundle):

root@rlh:~# curl -u "$api_user:$api_password" "$api_host/v1/cas"

The response is a JSON object listing the CAs with their name and description. Pick the value of the "name" field of the CA you want to use:

{
  "offset": 0,
  "limit": 50,
  "totalCount": 3,
  "href": "<url>",
  "cas": [
    {
      "href": "<url>/v1/cas/kQg0moMYAHGyG7jrQeT2Fw",
      "name": "Insta Certifier Internal CA",
      "description": "CA for Certifier internal TLS communication and operational use",
      "status": "active",
      "type": "online",
      "certificates": {
        "active": "<url>/v1/certificates/JPnxc-OqxkXdQt6An2vqnw"
      }
    },
    {
      "href": "<url>/v1/cas/PnOBdgHSiz5c1sR0MsZMtw",
      "name": "ca_name",
      "description": "Test CA for acme2certifier",
      "status": "active",
      "type": "online",
      "certificates": {
        "active": "<url>/v1/certificates/Ur-YAdXw6S8ddGl7ITVTjA"
      }
    }
  ]
}

CA policy configuration

A CSR generated by the certbot client does not contain a subject name; Certifier refuses such a CSR. To overcome this, you need a CA policy like the one below, which derives the subject name from the first DNS subject alternative name (CN=%{altname:dns}).

(policy
  (receive-request
    (set-validity-period
      (null)
      (length 30)
      (type 86400)
      (end-of-day #f)
      (overwrite #t))
    (issue-automatic
      (null)
      (mode all))
    (issue-manual
      (null)))
  (accept-request
    (conditional-policy
      (null)
      (clause
        (test
          (module match-subject-name)
          (match-subject-name
            (null)
            (pattern)
            (prefix #f)
            (invert-match #f)))
        (chain
          (set-subject-name
            (null)
            (format "CN=%{altname:dns}")))))
    (set-validity-period
      (null)
      (length 1)
      (type 2592000)
      (end-of-day #t)
      (overwrite #t))
    (add-aia
      (null)
      (url http://aia_path/))
    (set-crl-distribution-point
      (null))
    (accept-all
      (null)))
  (view-request
    (accept-all
      (null)))
  (update-request
    (accept-all
      (null))))

IMPORTANT: the above policy configures a certificate lifetime of 30 days only (both set-validity-period blocks amount to 30 days and overwrite whatever the request asked for). Please review it carefully and modify it according to your needs.
