Certmeister
Certmeister is a conditionally autosigning Certificate Authority. It was developed for use with the Puppet infrastructure at Hetzner PTY Ltd.
The service autosigns a certificate request when the configurable access policy permits it. The reference policy in use at Hetzner PTY Ltd autosigns a request only when all of the following hold:
- the Common Name (CN) of the certificate is in the host-h.net domain,
- the service has no record of already having signed a certificate for that CN, and
- the requesting client's IP address has forward-confirmed reverse DNS (FCrDNS) that matches the CN.
The other operations are governed as follows:
- requests to fetch certificates are always allowed, and
- requests to delete certificates are only allowed when they originate from a secure operator network.
This gives us the convenience of Puppet's autosign feature without its horrendous security implications (Puppet's own autosign signs whatever CSR arrives, so any host that can reach the master can obtain a certificate for any name).
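To make the reference policy concrete, here is an added, self-contained Ruby model of it. It is not certmeister's own code or API: the class names (AutosignPolicy, FakeResolver, MemoryStore), the operator network 192.0.2.0/24 and the DNS data are all constructed for the example, and the resolver is faked so that it runs offline; a real deployment would ask Resolv::DNS instead.

```ruby
require 'openssl'
require 'ipaddr'
require 'set'

# Added illustration, not certmeister's own code or API. AutosignPolicy,
# FakeResolver, MemoryStore and all DNS data below are assumptions.

# Records which CNs have already been signed (stands in for the cert store).
class MemoryStore
  def initialize; @signed = Set.new; end
  def signed?(cn); @signed.include?(cn); end
  def record(cn); @signed << cn; end
end

# Constructed DNS answers so the example runs offline; a real deployment
# would ask Resolv::DNS (getnames / getaddresses) instead.
class FakeResolver
  def initialize(ptr:, a:); @ptr, @a = ptr, a; end
  def names_for(ip); @ptr.fetch(ip, []); end
  def addresses_for(name); @a.fetch(name, []); end
end

class AutosignPolicy
  DOMAIN_SUFFIX = '.host-h.net' # leading dot: "evilhost-h.net" must not match

  def initialize(resolver:, store:, operator_nets:)
    @resolver, @store = resolver, store
    @operator_nets = operator_nets.map { |net| IPAddr.new(net) }
  end

  # Parse the CSR, check its self-signature and return the CN downcased
  # (DNS names are case-insensitive), or nil if absent or unverifiable.
  def common_name(csr_pem)
    req = OpenSSL::X509::Request.new(csr_pem)
    return nil unless req.verify(req.public_key)
    entry = req.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
    entry && entry[1].downcase
  end

  # Signing: CN in the domain, no cert signed for it yet, FCrDNS matches.
  def sign_allowed?(client_ip, csr_pem)
    cn = common_name(csr_pem)
    return false unless cn && cn.end_with?(DOMAIN_SUFFIX)
    return false if @store.signed?(cn)
    fcrdns_matches?(client_ip, cn)
  end

  # Decide, and on success record the CN so a repeat request is refused.
  def sign!(client_ip, csr_pem)
    return false unless sign_allowed?(client_ip, csr_pem)
    @store.record(common_name(csr_pem))
    true
  end

  def fetch_allowed?(_client_ip, _cn)
    true # fetching is always allowed
  end

  def delete_allowed?(client_ip, _cn)
    ip = IPAddr.new(client_ip) # only from an operator network
    @operator_nets.any? { |net| net.include?(ip) }
  end

  private

  # Forward-confirmed reverse DNS: a PTR name of the IP equals the CN, and
  # that name's forward records include the IP again.
  def fcrdns_matches?(client_ip, cn)
    @resolver.names_for(client_ip).any? do |name|
      name = name.chomp('.').downcase
      name == cn && @resolver.addresses_for(name).include?(client_ip)
    end
  end
end

# Build a signed CSR for a CN, as a Puppet agent would (constructed here).
def build_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', cn]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

# Policy with constructed data: 10.0.0.5's reverse and forward DNS agree;
# 10.0.0.6's PTR claims web2, but web2 forward-resolves to 10.0.0.7.
def demo_policy
  resolver = FakeResolver.new(
    ptr: { '10.0.0.5' => ['web1.host-h.net.'], '10.0.0.6' => ['web2.host-h.net.'] },
    a:   { 'web1.host-h.net' => ['10.0.0.5'], 'web2.host-h.net' => ['10.0.0.7'] }
  )
  AutosignPolicy.new(resolver: resolver, store: MemoryStore.new,
                     operator_nets: ['192.0.2.0/24'])
end
```

With `policy = demo_policy`, `policy.sign!('10.0.0.5', build_csr('web1.host-h.net'))` returns true and a second identical call returns false because the CN is now on record; `policy.sign_allowed?('10.0.0.6', build_csr('web2.host-h.net'))` is false because the PTR name does not resolve back to the requesting address. Two details matter in practice: the domain test must include the leading dot so a name like evilhost-h.net is rejected, and the client IP must be taken from the connection itself rather than from a spoofable header such as X-Forwarded-For, since FCrDNS is only as trustworthy as the address it is checked against.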
This repository currently builds three gems:
- certmeister - the CA, some off-the-shelf policy modules and an in-memory cert store
- certmeister-redis - a redis-backed store
- certmeister-rack - a rack application to provide an HTTP interface to the CA
An example, using redis and rack and enforcing Hetzner PTY Ltd's policy, is available in contrib/config.ru.
To hit the service, POST the pre-shared key and the URL-encoded CSR to the resource named after the CN (the key, the CSR file and the CN below are placeholders for your own):
$ curl -L \
-d "psk=secretkey" \
-d "csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < fixtures/client.csr)" \
http://localhost:9292/ca/certificate/axl.starjuice.net
Testing
Because we test both certmeister and certmeister-redis with rake spec, you need redis running if you want to run the tests. It's easy:
- Install redis-2.8.4 or later.
- Start redis.
- Run tests.
- Stop redis.
sudo yum install -y ansible
sudo ansible-playbook -i contrib/hosts contrib/redis.yml
redis-server --logfile /dev/null &
rake spec
kill %1; wait %1