Amber certificate enrollment tooling
maze 17ec4928af vendor: vendorized the deps 4 weeks ago
cmd/amber Initial import 4 weeks ago
protocol Initial import 4 weeks ago
sql Initial import 4 weeks ago
testdata testdata: include test Vault setup (requires 0.10+) 4 weeks ago
vendor vendor: vendorized the deps 4 weeks ago
.gitignore Initial commit 1 month ago
Gopkg.lock vendor: vendorized the deps 4 weeks ago
Gopkg.toml vendor: vendorized the deps 4 weeks ago
LICENSE Initial commit 1 month ago
README.md Initial import 4 weeks ago
amber.conf.example Initial import 4 weeks ago
config.go Initial import 4 weeks ago
config_test.go Initial import 4 weeks ago
handler.go Initial import 4 weeks ago
handler_acme.go Initial import 4 weeks ago
handler_scep.go Initial import 4 weeks ago
issuer.go Initial import 4 weeks ago
issuer_test.go Initial import 4 weeks ago
nonce.go Initial import 4 weeks ago
nonce_test.go Initial import 4 weeks ago
server.go Initial import 4 weeks ago
x509.go Initial import 4 weeks ago

README.md

Amber

Amber is a daemon that provides automatic X.509 certificate enrollment to various endpoints. It runs an HTTP server that, using virtual hosts or paths, serves the HTTP-based protocols that handle the certificate enrollment steps.

Each protocol handler has a 1:1 mapping to a Certificate Authority profile. To serve multiple certificate profiles, set up multiple virtual paths or virtual hosts.

Certificate Authorities

Amber supports different ways of granting Certificate Signing Requests (CSRs) and having them signed by a Certificate Authority (CA). Amber carries out light-weight checks on the key used to sign the CSR, as well as on the names requested, but depends on the policies enforced by the CA for any additional checks.

CA: Test

This is a test endpoint that spins up a self-signed Certificate Authority each time the amber daemon is started. The policy allows any name to be signed. Only suitable for integration tests.

CA: Vault

The HashiCorp Vault PKI backend is used to request signed certificates. For details on how to set up Vault as a PKI, refer to the Vault documentation at https://www.vaultproject.io/docs/secrets/pki/index.html

Supported Protocols

Automatic Certificate Management Environment (ACME)

The ACME protocol carries out authorization by requesting proofs of (sub)domain ownership using HTTP, DNS or TLS-SNI probes. Currently only HTTP probes are supported. When the client requests a certificate, the DNS domain names listed in the Common Name (CN) field as well as the subjectAlternativeName (SAN) entries are verified by first issuing a challenge and then cryptographically verifying the response against the client's public key.
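The HTTP probe described above is the RFC 8555 "http-01" challenge: the server issues a random token, the client publishes the key authorization (token + "." + RFC 7638 thumbprint of its account key) at the well-known URL under the requested name, and the server fetches it and compares. The following is an added illustration of that check, not code from the Amber repository; it assumes a P-256 account key and constructs the challenge body in-process instead of fetching it over HTTP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// newToken issues a fresh challenge token (RFC 8555 asks for at least 128 bits
// of entropy; 32 random bytes, base64url without padding).
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// jwkThumbprint is the RFC 7638 thumbprint of a P-256 account key: SHA-256 over
// the canonical JSON of the required members, keys in lexicographic order.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`,
		base64.RawURLEncoding.EncodeToString(x),
		base64.RawURLEncoding.EncodeToString(y))
	sum := sha256.Sum256([]byte(jwk))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// keyAuthorization is the body the client must serve at
// http://<name>/.well-known/acme-challenge/<token>.
func keyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + jwkThumbprint(pub)
}

// verifyHTTP01 is the server-side check: the body fetched from the requested
// name must equal the key authorization derived from the account key on file.
func verifyHTTP01(token string, accountKey *ecdsa.PublicKey, body string) bool {
	expected := keyAuthorization(token, accountKey)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(body)) == 1
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed account key
	tok := newToken()
	body := keyAuthorization(tok, &key.PublicKey) // what the client publishes
	fmt.Println("challenge valid:", verifyHTTP01(tok, &key.PublicKey, body))
}
```

Binding the token to the account key thumbprint is what stops a third party who can merely observe the token from answering the challenge with their own key.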

Simple Certificate Enrollment Protocol (SCEP)

The SCEP protocol works by pre-authorizing clients using a pre-shared key (PSK).