Project author: dwp

Project description:
Automatic creation of TLS certs generated with AWS' ACM PCA service
Language: Python
Repository: git://github.com/dwp/acm-pca-cert-generator.git
Created: 2019-05-16T18:56:51Z
Project page: https://github.com/dwp/acm-pca-cert-generator

License: MIT License



DO NOT USE THIS REPO - MIGRATED TO GITLAB

acm-cert-helper

This contains two related utilities, both of which are detailed below, that work with ACM
and ACM-PCA to make local Keystore and Truststore files.

Testing locally

To run the acm-cert-helper self tests, you will need tox installed:

  $ pip install tox
  $ tox

Running tox from the root of your git clone will run all the tests.

Note that there is no requirement to have an active ACM or ACM-PCA in your AWS account
for the tests to run; that functionality is stubbed to avoid incurring any
costs when running the tests.

Installing locally from source

Running tox as above will compile the project. You can also build and install it locally using

  $ python setup.py build install

The installation command above will place two commands in your path, acm-cert-retriever and
acm-pca-cert-generator. Each script takes a number of command line arguments, most of
which are mandatory. Alternatively, the same information can be specified using environment variables.

Cleaning outputs locally

Running the following will remove all the local files created by tox, in case you need to tidy up:

  rm -rf build dist .tox

Installing from GitHub:

pip install acm-cert-helper

Note that if you only want to dev/test locally, you don’t need to run this.

acm-cert-retriever

acm-cert-retriever generates a Java KeyStore containing a keypair and cert it has fetched
from ACM, and a Java TrustStore containing one or more trusted certificates held on S3.

Pre-Requisites:

The AWS services that call this script need the following permissions:

  • acm-pca:GetCertificate on the ACM data specified in the --acm-key-arn argument
    • e.g. arn:aws:acm:AWS_Region:AWS_Account:certificate/*
  • s3:GetObject on all buckets and objects specified in the --truststore-certs argument
    • e.g. arn:aws:s3:::examplebucket/*

Running

The installation command above will place an acm-cert-retriever command in
your path.
The script takes a number of command line arguments, most of which are mandatory.
Alternatively, the same information can be specified using environment variables.
The help text is the authoritative source for this:

  acm-cert-retriever --help

If you want to run from a local git clone, rather than installing using pip
you can run:

python ./src/acm_cert_retriever/retriever.py --help

Example

The following downloads a fictitious key and cert for the Keystore and adds two CAs from s3 to
the Truststore:

  acm-cert-retriever \
    --acm-cert-arn arn:aws:acm:us-east-1:012345678901:certificate/123a456b-7890-12cd-345e-6f78901f2a34 \
    --acm-key-passphrase P4ssw0rd1 \
    --keystore-path /tmp/keystore.jks \
    --keystore-password P4ssw0rd2 \
    --private-key-alias mykey \
    --truststore-path /tmp/truststore.jks \
    --truststore-password P4ssw0rd3 \
    --truststore-aliases ca1,ca2 \
    --truststore-certs s3://certbucket/certs/ca_1.pem,s3://certbucket/certs/ca_2.pem

acm-pca-cert-generator

acm-pca-cert-generator generates a Java KeyStore containing a keypair signed
by ACM PCA, and a Java TrustStore containing one or more trusted certificates
held on S3.

Pre-Requisites:

The AWS services that call this script need the following permissions:

  • acm-pca:IssueCertificate on the ACM PCA specified in the --ca-arn argument
    • e.g. arn:aws:acm-pca:AWS_Region:AWS_Account:certificate-authority/*
  • acm-pca:GetCertificate on the ACM PCA specified in the --ca-arn argument
    • e.g. arn:aws:acm-pca:AWS_Region:AWS_Account:certificate-authority/*
  • s3:GetObject on all buckets and objects specified in the --truststore-certs argument
    • e.g. arn:aws:s3:::examplebucket/*

Running

The installation command above will place an acm-pca-cert-generator command in
your path.
The script takes a number of command line arguments, most of which are mandatory.
Alternatively, the same information can be specified using environment variables.
The help text is the authoritative source for this:

  acm-pca-cert-generator --help

If you want to run from a local git clone, rather than installing using pip
you can run:

python ./src/acm_pca_cert_generator/certgen.py --help

Example

The following example generates a 2048-bit RSA certificate and has it signed by
an entirely fictitious ACM-PCA:

  acm-pca-cert-generator \
    --key-type RSA \
    --key-length 2048 \
    --subject-c "GB" \
    --subject-st "Greater London" \
    --subject-l "London" \
    --subject-o "My Company" \
    --subject-ou "IT Department" \
    --subject-cn "myfqdn.example.com" \
    --subject-emailaddress "me@example.com" \
    --ca-arn "arn:aws:acm-pca:us-east-1:012345678901:certificate-authority/123a456b-7890-12cd-345e-6f78901f2a34" \
    --signing-algorithm "SHA384WITHRSA" --validity-period=1d \
    --keystore-path /tmp/keystore.jks --keystore-password P4ssw0rd1 --private-key-alias mykey \
    --truststore-path /tmp/truststore.jks --truststore-password P4ssw0rd2 \
    --truststore-aliases ca1,ca2 \
    --truststore-certs s3://certbucket/certs/ca_1.pem,s3://certbucket/certs/ca_2.pem

In the following example, the certificate is generated via Terraform instead of
via acm-pca-cert-generator. It is then retrieved and placed in the OS
certificate and key stores only, not in a Java KeyStore:

Terraform:

  resource "aws_acm_certificate" "tarball_ingestion" {
    certificate_authority_arn = data.terraform_remote_state.certificate_authority.outputs.root_ca.arn
    domain_name               = "${local.tarball_ingestion_name}.${local.env_prefix[local.environment]}dataworks.dwp.gov.uk"
    options {
      certificate_transparency_logging_preference = "DISABLED"
    }
    tags = merge(
      local.common_tags,
      {
        Name = "tarball-ingester-cert"
      },
    )
  }

ACM call:

  ACM_KEY_PASSWORD=$(uuidgen -r)
  acm-cert-retriever \
    --acm-cert-arn "${acm_cert_arn}" \
    --acm-key-passphrase "$ACM_KEY_PASSWORD" \
    --private-key-alias "private-key" \
    --truststore-aliases "ca1, ca2" \
    --truststore-certs s3://certbucket/certs/ca_1.pem,s3://certbucket/certs/ca_2.pem >> /var/log/acm-cert-retriever.log 2>&1

The private-key-alias can be any string unique to your deployment.

Container Image

The container image follows the same pattern as the standard process. The entrypoint is designed so that you can pass the required parameters via environment variables, e.g.

  environment_variables = jsonencode([
    {
      name  = "LOG_LEVEL",
      value = "DEBUG"
    },
    {
      name  = "ACM_CERT_ARN",
      value = "${data.terraform_remote_state.snapshot_sender.outputs.ss_cert[0].arn}"
    },
    {
      name  = "PRIVATE_KEY_ALIAS",
      value = "${local.environment}"
    },
    {
      name  = "TRUSTSTORE_ALIASES",
      value = "${local.ss_host_truststore_aliases[local.environment]}"
    },
    {
      name  = "TRUSTSTORE_CERTS",
      value = "${local.ss_host_truststore_certs[local.environment]}"
    }
  ])
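The environment variables above and the retriever's Pre-Requisites section are tied together by a few values: the certificate ARN, the comma-separated truststore aliases and the matching s3:// URIs. The following is an added example, not code from acm-cert-helper, that validates those values before any AWS call is made and derives the narrowest resource ARNs the calling role needs (the real certificate instead of certificate/*, one pattern per bucket instead of every bucket). The environment variable names and sample values are taken from this README; the function names and the strictness of the checks are my own.

```python
import re

# ARN shapes match the examples in the Pre-Requisites sections (acm certificate
# for the retriever, acm-pca certificate-authority for the generator).
ARN_RE = re.compile(
    r"^arn:aws:(?P<service>acm|acm-pca):(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<type>certificate|certificate-authority)/(?P<id>[0-9a-f-]+)$"
)
S3_RE = re.compile(r"^s3://(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])/(?P<key>.+)$")

# Constructed sample environment, using the README's own example values.
SAMPLE_ENV = {
    "ACM_CERT_ARN": "arn:aws:acm:us-east-1:012345678901:certificate/123a456b-7890-12cd-345e-6f78901f2a34",
    "TRUSTSTORE_ALIASES": "ca1, ca2",  # the README's ACM-call example has a space here
    "TRUSTSTORE_CERTS": "s3://certbucket/certs/ca_1.pem,s3://certbucket/certs/ca_2.pem",
}


def split_csv(value):
    """Split a comma-separated flag value, tolerating 'ca1, ca2' as well as 'ca1,ca2'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_settings(env):
    """Fail fast on a misconfigured sidecar: bad ARN, alias/cert count mismatch,
    duplicate aliases or non-s3 cert locations. Returns the parsed settings."""
    cert_arn = env.get("ACM_CERT_ARN", "")
    arn = ARN_RE.match(cert_arn)
    if not arn or arn.group("service") != "acm" or arn.group("type") != "certificate":
        raise ValueError(f"ACM_CERT_ARN is not an ACM certificate ARN: {cert_arn!r}")
    aliases = split_csv(env.get("TRUSTSTORE_ALIASES", ""))
    certs = split_csv(env.get("TRUSTSTORE_CERTS", ""))
    if len(aliases) != len(certs):
        raise ValueError(f"{len(aliases)} truststore aliases but {len(certs)} truststore certs")
    if len(set(aliases)) != len(aliases):
        raise ValueError("truststore aliases must be unique within one TrustStore")
    buckets = set()
    for uri in certs:
        s3 = S3_RE.match(uri)
        if not s3:
            raise ValueError(f"truststore cert is not an s3:// URI: {uri!r}")
        buckets.add(s3.group("bucket"))
    return {"cert_arn": cert_arn, "region": arn.group("region"), "account": arn.group("account"),
            "truststore": dict(zip(aliases, certs)), "buckets": sorted(buckets)}


def iam_resources(settings):
    """Least-privilege resource ARNs for the two permissions the README lists for
    the retriever: the one certificate, and s3 objects only in the buckets referenced."""
    return {"certificate": [settings["cert_arn"]],
            "s3": [f"arn:aws:s3:::{bucket}/*" for bucket in settings["buckets"]]}
```

Run validate_settings on the process environment at container start and log the result at LOG_LEVEL=DEBUG; an exception there is far cheaper to diagnose than a half-populated TrustStore discovered at TLS handshake time.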

By running the container as a sidecar, and sharing the same mount point, you can use the container image to retrieve certs for your other containers.

  mount_points = jsonencode([
    {
      "container_path" : "/acm-cert-helper",
      "source_volume"  : "certs"
    }
  ])

The containers sharing this mount point can install certs from this location.