{"id":19852506,"url":"https://github.com/someengineering/fixca","last_synced_at":"2026-01-05T01:14:29.805Z","repository":{"id":196825640,"uuid":"697225270","full_name":"someengineering/fixca","owner":"someengineering","description":"Fix Internal Certification Authority","archived":false,"fork":false,"pushed_at":"2024-07-15T19:40:51.000Z","size":207,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-26T04:31:36.626Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://fix.security","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/someengineering.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-27T09:55:56.000Z","updated_at":"2024-05-16T14:38:55.000Z","dependencies_parsed_at":null,"dependency_job_id":"8c8dd725-8cff-417b-a060-0fe9172b3110","html_url":"https://github.com/someengineering/fixca","commit_stats":{"total_commits":28,"total_committers":4,"mean_commits":7.0,"dds":0.1428571428571429,"last_synced_commit":"ed9363a969b5644775549050a129338a147be42d"},"previous_names":["someengineering/fixca"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/someengineering%2Ffixca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/someengineering%2Ffixca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/someengineering%2Ffixca/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/someengineering%2Ffixca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/someengineering","download_url":"https://codeload.github.com/someengineering/fixca/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244759920,"owners_count":20505715,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T14:03:11.289Z","updated_at":"2026-01-05T01:14:29.770Z","avatar_url":"https://github.com/someengineering.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `fixca` - FIX Internal Certificate Authority\n\n## Introduction\n\nFIX CA is the internal Certificate Authority for [FIX](https://fix.tt/). It provides the same interface as [Fix Core's](https://github.com/someengineering/fixinventory/tree/main/fixcore) built-in CA and is used to issue certificates for FIX internal services.\n\nFIX CA stores its CA cert and key in a K8s secret. As such it needs to either run inside a K8s cluster with appropriate permissions or have access to a K8s cluster via `KUBECONFIG`.\n\nThe API is fully compatible with Resoto Core's CA API. I.e. `/ca/cert` to download the CA cert and `/ca/sign` to sign a CSR. 
Unlike Resoto Core, JWT authentication cannot be turned off and a pre-shared key is mandatory to sign a CSR.\n\n## Usage\n\n```bash\nusage: fixca [-h] [--psk PSK] [--port PORT] [--namespace NAMESPACE] [--secret SECRET]\n             [--verbose | --trace | --quiet]\n\nFIX Certification Authority\n\noptions:\n  -h, --help            show this help message and exit\n  --psk PSK             Pre-shared-key\n  --port PORT           HTTPS port to listen on (default: 7900)\n  --namespace NAMESPACE\n                        K8s namespace (default: fix)\n  --secret SECRET       Secret name (default: fix-ca)\n  --verbose, -v         Verbose logging\n  --trace               Trage logging\n  --quiet               Only log errors\n```\n\nAlternatively, export the following environment variables:\n\n- `FIXCA_PSK`\n- `FIXCA_PORT`\n- `FIXCA_NAMESPACE`\n- `FIXCA_SECRET`\n\nOnly the pre-shared-key is mandatory. The other options have sensible defaults.\n\n## K8s cluster issuer\n\nWhen using [cert-manager](https://cert-manager.io/) to issue certificates for your services, you can use the following cluster issuer:\n\n```yaml\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: fix-ca-issuer\n  namespace: cert-manager\nspec:\n  ca:\n    secretName: fix-ca\n```\n\n### Example Certificate\n\n```yaml\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n  name: lukas-test-cert\n  namespace: fix\nspec:\n  secretName: lukas-test\n  duration: 2160h # 90d\n  renewBefore: 360h # 15d\n  commonName: lukas.test\n  privateKey:\n    algorithm: RSA\n    encoding: PKCS1\n    size: 2048\n  usages:\n    - server auth\n    - client auth\n  dnsNames:\n    - redis.fix\n  issuerRef:\n    name: fix-ca-issuer\n    group: cert-manager.io\n    kind: ClusterIssuer\n```\n\nCheck the [cert-manager documentation](https://cert-manager.io/docs/usage/certificate/) for more 
information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsomeengineering%2Ffixca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsomeengineering%2Ffixca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsomeengineering%2Ffixca/lists"}