Amber certificate enrollment tooling
cmd/amber Initial import 1 year ago
protocol Initial import 1 year ago
sql Initial import 1 year ago
testdata testdata: include test Vault setup (requires 0.10+) 1 year ago
vendor vendor: vendorized the deps 1 year ago
.gitignore Initial commit 1 year ago
Gopkg.lock vendor: vendorized the deps 1 year ago
Gopkg.toml vendor: vendorized the deps 1 year ago
LICENSE Initial commit 1 year ago
README.md Initial import 1 year ago
amber.conf.example Initial import 1 year ago
config.go Initial import 1 year ago
config_test.go Initial import 1 year ago
handler.go Initial import 1 year ago
handler_acme.go Initial import 1 year ago
handler_scep.go Initial import 1 year ago
issuer.go Initial import 1 year ago
issuer_test.go Initial import 1 year ago
nonce.go Initial import 1 year ago
nonce_test.go Initial import 1 year ago
server.go Initial import 1 year ago
x509.go Initial import 1 year ago

README.md

Amber

Amber is a daemon that provides automatic X.509 certificate enrollment to various endpoints. It runs an HTTP server that, using virtual hosts or paths, serves the HTTP-based protocols that handle the certificate enrollment steps.

Each protocol handler has a 1:1 mapping to a Certificate Authority profile. To serve multiple certificate profiles, set up multiple virtual paths or virtual hosts.

Certificate Authorities

Amber supports different ways of accepting Certificate Signing Requests (CSRs) and having them signed by a Certificate Authority (CA). Amber carries out light-weight checks on the key used to sign the CSR, as well as on the names requested, but depends on the policies enforced by the CA for any additional checks.

CA: Test

This is a test endpoint that spins up a self-signed Certificate Authority each time the amber daemon is started. Its policy allows any name to be signed, so it is only suitable for integration tests.

CA: Vault

The HashiCorp Vault PKI backend is used to request signed certificates. For details on how to set up Vault as a PKI, refer to the Vault documentation at https://www.vaultproject.io/docs/secrets/pki/index.html

Supported Protocols

Automatic Certificate Management Environment (ACME)

The ACME protocol performs authorization by requesting proof of (sub)domain ownership using HTTP, DNS or TLS-SNI probes. Currently only HTTP probes are supported. When a client requests a certificate, the DNS names listed in the Common Name (CN) field and in the subjectAlternativeName (SAN) entries are verified: Amber first issues a challenge, then cryptographically verifies the client's response against the client's public key.
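To make the HTTP challenge step concrete, here is an added Go example (not Amber's own code) of the server-side check: the expected key authorization is derived from the challenge token and the client's account key as specified in RFC 8555 and RFC 7638, then compared with the body the client served. The function names and the sample token are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// b64url is base64url without padding, as ACME/JOSE require.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint computes the RFC 7638 thumbprint of an EC public key:
// SHA-256 over the canonical JSON with members in lexicographic order.
func jwkThumbprint(pub *ecdsa.PublicKey) []byte {
	size := (pub.Curve.Params().BitSize + 7) / 8
	x, y := make([]byte, size), make([]byte, size)
	pub.X.FillBytes(x) // fixed-width coordinates, as JWK requires
	pub.Y.FillBytes(y)
	canon := fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`,
		pub.Curve.Params().Name, b64url(x), b64url(y))
	sum := sha256.Sum256([]byte(canon))
	return sum[:]
}

// keyAuthorization is what the client must publish at
// /.well-known/acme-challenge/<token>: token "." base64url(thumbprint).
func keyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + b64url(jwkThumbprint(pub))
}

// verifyChallengeResponse is the server-side check: the body fetched from
// the client's HTTP endpoint must equal the key authorization derived from
// the account key on file. Trailing whitespace is ignored, as RFC 8555
// section 8.3 permits, and the comparison is constant-time.
func verifyChallengeResponse(token string, pub *ecdsa.PublicKey, body []byte) bool {
	want := keyAuthorization(token, pub)
	got := strings.TrimRight(string(body), " \t\r\n")
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

func main() {
	// Constructed demo: a fresh account key and a sample (made-up) token.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	ka := keyAuthorization(tok, &key.PublicKey)
	fmt.Println(ka, verifyChallengeResponse(tok, &key.PublicKey, []byte(ka+"\n")))
}
```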

Simple Certificate Enrollment Protocol (SCEP)

The SCEP protocol pre-authorizes clients using a pre-shared key (PSK).