Skip to content
/ serverPKI Public

Python PKI for internet server infrastructure - unattended cert issuance and distribution

serverpki.readthedocs.io

License

View license
6 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mc3/serverPKI

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

330 Commits
docs
docs
 
 
install
install
 
 
serverPKI
serverPKI
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
CHANGELOG.rst
CHANGELOG.rst
 
 
LICENSE.txt
LICENSE.txt
 
 
README.rst
README.rst
 
 
operate_serverPKI
operate_serverPKI
 
 
setup.py
setup.py
 
 

Repository files navigation

serverPKI

Latest Version Latest Docs
serverPKI:Python PKI for internet server infrastructure
Copyright:Copyright (c) 2015-2020 Axel Rau axel.rau@chaos1.de
License:GPLv3
Homepage:https://github.com/mc3/serverPKI
Documentation:https://serverpki.readthedocs.io

What

serverPKI is a tool to issue, renew and distribute SSL certificates for internet servers. Distribution to target hosts and reloading of server configuration is done via ssh/sftp. Configuration and cert/key data is stored in a relational database.

serverPKI includes support for

  • local CA
  • LetsEncrypt CA (supports only acme v2 api, see https://letsencrypt.org/docs)
  • FreeBSD service jails via ssh access to host
  • publishing of DANE RR in DNS, using BIND 9 and TLSA key rollover (see RFC 6698)
  • controlling DNS zone info for LetsEncrypt challenges und TLSA RR via dynamic DNS updates (recommended) or via zone files.
  • unattended operation via cronjob
  • extensive logging
  • alerting via mail

Prerequisites

  • PostgreSQL 12+ server
    • The contrib utilities from the PostgreSQL distribution are required (serverPKI needs the citext extension for case insensitive indexes)
    • a DB account with super user privileges [dba] or assistance of a DB admin (serverPKI uses a dedicated DB user [pki_op] and a dedicated DB)
    • authentication record in pg_hba.conf to allow access of pki_op from local host (client cert authentication recommended)
  • PostgreSQL 12+ client installation on local host
  • bind 9 DNS server (9.16+ should be used)
    • If DNS is handled via zone files,
      • serverPKI must be run on the master (hidden primary) DNS server.
      • signed Zones being maintained by serverPKI must be run in auto-dnssec maintain + inline-signing operation mode.
      • Zone files must be writable by serverPKI process to allow publishing of acme_challenges and TLSA resource records for DANE
  • Python 3.7+ must be installed (tested with Python 3.8.3)
  • Running serverPKI in a Python virtual environment is recommended for ease of upgrading. The author uses virtualenvwrapper.

Sponsored

This project is being developed with the powerful Python IDE PyCharm, which is particularly useful during remote debugging sessions. A professional license has been granted by JetBrains, https://www.jetbrains.com/.

About

Python PKI for internet server infrastructure - unattended cert issuance and distribution

serverpki.readthedocs.io

Topics

letsencrypt freebsd cert dane jail ca bind9 rollover autorenew

Resources

Readme

License

View license
Activity

Stars

6 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages