x509 - LCFG Component to manage X509 server certificates
x509 METHOD [ARGS]
An LCFG component that manages X509 server certificates. It generates keys and obtains signed certificates from the sixkts service, which it also configures and manages.
The non-standard component methods are described below.
createcsr
Create a key pair and a certificate signing request (CSR) for this service. The CSR should be submitted to a certification authority to obtain a certificate for the service. Note that this authority _must_ sign the request with a CA certificate; otherwise clients will not be able to build a valid chain.
Turn the request generated by the createcsr method into a self-signed certificate, for testing purposes only. Such a certificate is not issued by the CA, so clients will not trust it, and it should not be deployed as the service's real certificate.
The non-standard component resources are described below.
The following resources control the configuration of clients.
A list of tags for keys to be fetched for this client.
The file where the private key for the service should be stored.
The file where the signed certificate for the service should be stored.
The file where the certificate chain should be stored. If this is not specified, the chain is stored in the same file as the certificate. Set the chainfile resource to /dev/null if you do not wish to receive a chain at all.
The file where the PEM version of the key is stored. This is an 'all-in-one' file containing the private key, the public key and the chain concatenated together. Because it carries the private key alongside the public material, it should be handled with care; in general, storing each component in a separate file is preferred.
The service name that the service runs as. Typically, this should match the name used by clients to access the service. The same value entered here should also be included in the certificates resource (documented below).
A component whose restart method should be called if the keys are changed.
The uid that ownership of the generated chain, key and crt files is set to. Defaults to root if not specified.
The gid that the group of the generated chain, key and crt files is set to. Defaults to root if not specified.
If set to the path of a directory, a hash file is created in that directory for each certificate in the generated chain file (the <hash>.N layout used by OpenSSL CApath lookups), with ownership as per the chain file.
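The following script is an added example and not the x509 component's own code. It walks through the lifecycle described above with the openssl command line: a throwaway CA standing in for the sixkts signing certificate, a service key and CSR (what the createcsr method produces), a CA-signed certificate and chain file, a self-signed test certificate (what the self-signing method produces), and a hash directory built from the chain as the hash-directory resource describes. The DN values, file names, service name and the use of an EC P-256 key are assumptions made for the example; it requires the openssl binary and a POSIX shell.

```shell
#!/bin/sh
# Added example (not the LCFG x509 component's own code): the certificate
# lifecycle driven through the openssl CLI. Names, paths and DN values are
# assumptions made for the example. Requires the openssl binary.
set -eu

WORK=${WORK:-$(mktemp -d)}
SERVICE=${SERVICE:-www.example.org}   # would come from the service name resource

# Throwaway CA. The [dn] fields play the role of the server-side DN resources.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = GB
O = Example Org
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -config "$WORK/ca.cnf" -key "$WORK/ca.key" -days 1 -out "$WORK/ca.crt" 2>/dev/null
}

# createcsr: a private key plus a signing request for the service name.
create_csr() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$SERVICE" > "$WORK/svc.cnf"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/svc.key" 2>/dev/null
  openssl req -new -config "$WORK/svc.cnf" -key "$WORK/svc.key" -out "$WORK/svc.csr" 2>/dev/null
  # The CSR is signed with the new key itself; a mismatched key/CSR pair fails here.
  openssl req -config "$WORK/svc.cnf" -in "$WORK/svc.csr" -noout -verify >/dev/null 2>&1
}

# What the CA does with the CSR: issue an end-entity certificate (CA:FALSE)
# and build the chain file, leaf first, then the issuing CA.
ca_sign() {
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
    "$SERVICE" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/svc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/svc.crt" 2>/dev/null
  cat "$WORK/svc.crt" "$WORK/ca.crt" > "$WORK/svc.chain"
}

# Self-signing: the CSR signed with its own key, usable only for local testing.
self_sign() {
  openssl x509 -req -in "$WORK/svc.csr" -signkey "$WORK/svc.key" -days 1 \
    -out "$WORK/svc-selfsigned.crt" 2>/dev/null
}

# Hash directory: split the chain into its certificates and name each one
# <subject-hash>.<n>, the layout openssl -CApath lookups (and c_rehash) expect.
make_hashdir() {  # $1 = chain file, $2 = directory
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (dir "/part." n)}' "$1"
  for part in "$2"/part.*; do
    hash=$(openssl x509 -noout -hash -in "$part")
    i=0
    while [ -e "$2/$hash.$i" ]; do i=$((i + 1)); done   # equal hashes get .1, .2, ...
    mv "$part" "$2/$hash.$i"
  done
}

# Succeeds iff certificate $1 chains to a certificate in hash directory $2.
verify_against() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

make_ca
create_csr
ca_sign
self_sign
make_hashdir "$WORK/svc.chain" "$WORK/hashdir"
verify_against "$WORK/svc.crt" "$WORK/hashdir" && echo "CA-signed certificate verifies against $WORK/hashdir"
verify_against "$WORK/svc-selfsigned.crt" "$WORK/hashdir" || echo "self-signed test certificate does not verify (expected)"
```

Running the script prints the two verification outcomes and leaves the keys, certificates, chain and hash directory under the temporary work directory for inspection. The negative case is the point of the self-signing caveat above: a self-signed certificate made from the same CSR does not chain to the CA, so clients validating against the hash directory reject it.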
A space-separated list of all certificates used by this service. This should match the combined contents of the service_tag resources, and is required due to limitations in the current LCFG core. The remote SIXKTS server uses the certificates resource to control which certificates may be obtained by which hosts; failing to list a certificate here is likely to result in the server refusing to sign it.
In addition to certificate names, the certificates resource may also carry options for each certificate. These are encoded by appending a semicolon (';') to the certificate name, followed by a comma-separated list of options. The options supported depend on the version of the sixkts service, but currently include:
This indicates that a certificate can be granted to more than one server at a time, and should be used for services which are hosted by multiple machines.
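The following script is an added example, not code from the x509 component. It parses entries of the certificates resource in the "name" or "name;opt1,opt2" form described above and checks the consistency the resource requires: that the service name and every tag a service fetches appear in the list, since the sixkts server uses the list to decide what a host may obtain. The resource values are constructed for the example, and the option name "shared" is an assumed name for the multi-host option described above, not a name taken from this page.

```shell
#!/bin/sh
# Added example, not part of the x509 component: parse certificates resource
# entries ("name" or "name;opt1,opt2") and check the list against the service
# name and the per-service tag lists. Resource values below are constructed;
# the option name "shared" is an assumption.
set -eu

# Certificate name of one entry (the part before any ';').
cert_name() { printf '%s\n' "${1%%;*}"; }

# Comma-separated option list of one entry, empty when there is none.
cert_opts() { case $1 in *\;*) printf '%s\n' "${1#*;}" ;; *) printf '\n' ;; esac; }

# Succeeds when entry $1 carries option $2 (exact match within the comma list).
has_opt() {
  case ",$(cert_opts "$1")," in *",$2,"*) return 0 ;; esac
  return 1
}

# check_certificates CERTIFICATES SERVICENAME TAG...
# Succeeds when SERVICENAME and every TAG appear as a name in CERTIFICATES;
# otherwise lists the missing names on stderr and fails.
check_certificates() {
  certs=$1; svc=$2; shift 2
  missing=
  for want in "$svc" "$@"; do
    found=0
    for entry in $certs; do   # intentional word splitting: the resource is space separated
      if [ "$(cert_name "$entry")" = "$want" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] || missing="$missing $want"
  done
  if [ -n "$missing" ]; then
    echo "certificates resource does not list:$missing" >&2
    return 1
  fi
  return 0
}

# Constructed resource values for a host running a web service and an LDAP service.
certificates='www.example.org;shared ldap.example.org'
servicename=www.example.org
web_tags='www.example.org'
ldap_tags='ldap.example.org'

check_certificates "$certificates" "$servicename" $web_tags $ldap_tags && echo "certificates resource is consistent"
has_opt 'www.example.org;shared' shared && echo "www.example.org may be issued to more than one host"
```

Run it as part of a pre-deployment check on the host's LCFG profile: a non-zero exit means the sixkts server would be asked for a certificate it will refuse, which is easier to catch here than as a failed fetch on the client.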
The following resources control the configuration of a SIXKTS server which will sign keys for clients.
If set, indicates that this machine should run a sixkts server.
These resources control the certificate that the sixkts server uses to sign incoming requests. Changing them does not affect a running service or an existing certificate; the existing certificate must be destroyed for the changes to take effect.
The above resources all control the corresponding portions of the Distinguished Name of the server's X509 certificate.
Platforms: Redhat7, Redhat9
See also: sixktsclient, sixktsserver
Author: Simon Wilkinson <simon@sxw.org.uk>