Skip to content

mc3/serverPKI

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

330 Commits

docs

docs

 
 

install

install

 
 

serverPKI

serverPKI

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

CHANGELOG.rst

CHANGELOG.rst

 
 

LICENSE.txt

LICENSE.txt

 
 

README.rst

README.rst

 
 

operate_serverPKI

operate_serverPKI

 
 

setup.py

setup.py

 
 

Repository files navigation

serverPKI

Latest Version

Latest Docs

serverPKI

Python PKI for internet server infrastructure

Copyright

Copyright (c) 2015-2020 Axel Rau axel.rau@chaos1.de

License

GPLv3

Homepage

https://github.com/mc3/serverPKI

Documentation

https://serverpki.readthedocs.io

What

serverPKI is a tool to issue, renew and distribute SSL certificates for internet servers. Distribution to target hosts and reloading of server configuration is done via ssh/sftp. Configuration and cert/key data is stored in a relational database.

serverPKI includes support for

  • local CA
  • LetsEncrypt CA (supports only acme v2 api, see https://letsencrypt.org/docs)
  • FreeBSD service jails via ssh access to host
  • publishing of DANE RR in DNS, using BIND 9 and TLSA key rollover (see RFC 6698)
  • controlling DNS zone info for LetsEncrypt challenges und TLSA RR via dynamic DNS updates (recommended) or via zone files.
  • unattended operation via cronjob
  • extensive logging
  • alerting via mail

Prerequisites

  • PostgreSQL 12+ server
    • The contrib utilities from the PostgreSQL distribution are required (serverPKI needs the citext extension for case insensitive indexes)
    • a DB account with super user privileges [dba] or assistance of a DB admin (serverPKI uses a dedicated DB user [pki_op] and a dedicated DB)
    • authentication record in pg_hba.conf to allow access of pki_op from local host (client cert authentication recommended)
  • PostgreSQL 12+ client installation on local host
  • bind 9 DNS server (9.16+ should be used)
    • If DNS is handled via zone files,
      • serverPKI must be run on the master (hidden primary) DNS server.
      • signed Zones being maintained by serverPKI must be run in auto-dnssec maintain + inline-signing operation mode.
      • Zone files must be writable by serverPKI process to allow publishing of acme_challenges and TLSA resource records for DANE
  • Python 3.7+ must be installed (tested with Python 3.8.3)
  • Running serverPKI in a Python virtual environment is recommended for ease of upgrading. The author uses virtualenvwrapper.

Sponsored

This project is being developed with the powerful Python IDE PyCharm, which is particularly useful during remote debugging sessions. A professional license has been granted by JetBrains, https://www.jetbrains.com/.

About

Python PKI for internet server infrastructure - unattended cert issuance and distribution

serverpki.readthedocs.io

Topics

letsencrypt freebsd cert dane jail ca bind9 rollover autorenew

Resources

Readme

License

View license
Activity

Stars

5 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages