PKImgr - a NodeJS & express.js based service, distributing certificates and keys
==============================================================================

Repository: https://github.com/faust64/PKIdistributor (JavaScript, BSD-2-Clause license, last pushed 2019-05-26; topics: certificate, distribution, dns, pki, ptr-records, webserver). The project describes itself as "Certificates & Private Keys distribution, based on trusted network and DNS".

Assuming your DNS databases are properly configured, each of your local hosts should have its own PTR record.
PKImgr lets you install both certificates and keys on your servers by downloading them directly from your PKI server. Any host may query for the files corresponding to its PTR record, and nothing else: access is decided by the reverse DNS of the requesting address, so the service relies on a trusted network and trustworthy DNS.

I've been using it with puppet. Integration with ansible could be done with the `get_url` module. It could be useful in any configuration deployment solution, or in the scripts you use when installing a new host.

Content
-------
 - `app.js` goes pretty much anywhere. It should be run as a service.
 - `package.json` should be in the same directory as `app.js` before running `npm install`.

Installation Instructions
-------------------------

For detailed installation instructions, check out [my PKI puppet module](https://gitlab.unetresgrossebite.com/DevOps/puppet/tree/master/modules/pki/).

Short version (jessie/xenial). The heredoc delimiters are quoted (`<<'EOF'`) so the shell does not expand nginx variables such as `$uri` or `$remote_addr` while writing the configuration files; the `PKIdistrib` upstream is the pm2-managed backend started below on port 8080.

```
# apt-get update
# apt-get install nodejs nginx
# ln -sf /usr/bin/nodejs /usr/bin/node
# apt-get install npm
# npm install -g pm2
# mkdir /var/log/pm2 /etc/nginx/sites-enabled \
    /etc/nginx/sites-available /etc/nginx/ssl
# systemctl stop nginx
# adduser pm2RuntimeUser
# chown pm2RuntimeUser /var/log/pm2
# pm2 startup systemd --hp /home/pm2RuntimeUser/.pm2 -u pm2RuntimeUser >/dev/null 2>&1
# cd /path/to/PKIdistributor
# npm install
# su -l pm2RuntimeUser -s /bin/bash
$ export PKI_ROOT=/path/to/pki/root
$ export LISTEN_PORT=8080
$ pm2 start ./app.js --name PKIdistributor -i 2 \
    --output /var/log/pm2/stdout.log \
    --error /var/log/pm2/stderr.log
$ pm2 save
$ exit
# cd /etc/nginx/ssl
# openssl dhparam -out dh.pem 4096
# openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes -subj "/CN=pki.example.com"
# chmod 0640 server.key dh.pem
# chmod 0644 server.crt
# cat <<'EOF' >/etc/nginx/sites-available/pki.conf
# PKIdistributor backend started by pm2 above (LISTEN_PORT=8080); assumed to run on this host
upstream PKIdistrib {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name pki.example.com;
    server_tokens off;
    error_log /var/log/nginx/error-pki.example.com.log;
    access_log /var/log/nginx/access-pki.example.com.log main;
    add_header Content-Security-Policy "default-src 'self'; style-src 'none'; script-src 'self'; img-src 'none'; font-src 'none'; frame-src 'none'; object-src 'none'; report-uri https://example.report-uri.io/r/default/csp/enforce";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    root /var/www;
    location / {
        try_files $uri $uri/ /index.html =404;
    }
}

server {
    listen 443 ssl;
    server_name pki.example.com;
    server_tokens off;
    error_log /var/log/nginx/ssl-error-pki.example.com.log;
    access_log /var/log/nginx/ssl-access-pki.example.com.log main;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Content-Security-Policy "default-src 'self'; style-src 'none'; script-src 'self'; img-src 'none'; font-src 'none'; frame-src 'none'; object-src 'none'; report-uri https://example.report-uri.io/r/default/csp/enforce";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # self-signed certificate generated above; swap in your CA-issued chain once you have one
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_dhparam /etc/nginx/ssl/dh.pem;
    root /var/www;
    location /certificate/ {
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://PKIdistrib/certificate/;
    }
    location /key/ {
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://PKIdistrib/key/;
    }
    location / {
        try_files $uri $uri/ /index.html =404;
    }
}
EOF
# cat <<'EOF' >/etc/nginx/nginx.conf
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
}

http {
    sendfile off;
    tcp_nopush on;
    tcp_nodelay on;
    server_names_hash_bucket_size 64;
    keepalive_timeout 25;
    server_tokens off;
    include /etc/nginx/mime.types;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/sites-enabled/*.conf;
}
EOF
# ln -sf /etc/nginx/sites-available/pki.conf /etc/nginx/sites-enabled/
# nginx -t && systemctl start nginx
```

Obviously
---------
This service shouldn't be exposed as is. Keep it behind an SSL-capable proxy such as the nginx setup above, and reachable only from the network whose reverse DNS you trust, since the PTR record of the requesting address is what the access decision is based on.