Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
A Certificate Authority microservice that can generate server/client certificates through an API interface
https://github.com/lawndoc/capy
Last synced: 26 days ago
- Host: GitHub
- URL: https://github.com/lawndoc/capy
- Owner: lawndoc
- License: mit
- Created: 2021-04-28T15:43:33.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-05-01T23:34:25.000Z (over 1 year ago)
- Last Synced: 2024-05-02T03:43:21.716Z (8 months ago)
- Topics: api, authentication, certificate, certificate-authority, client-certificate, container, encryption, flask, microservice, signed, ssl, ssl-certificates, tls, tls-certificate, x509
- Language: Python
- Homepage:
- Size: 50.8 KB
- Stars: 7
- Watchers: 3
- Forks: 1
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# CAPy
A Certificate Authority microservice that can generate server/client certificates through an API interface.

![Build/Tests](https://github.com/lawndoc/CAPy/actions/workflows/build-test.yml/badge.svg)
[![Codecov](https://codecov.io/gh/lawndoc/CAPy/branch/main/graph/badge.svg)](https://codecov.io/gh/lawndoc/CAPy)

It currently does not provide any kind of authentication mechanism, so NAC (network access control) and container network configuration are extremely important in deploying this service.
## Functionality
Basic API calls provided:
- GET `/ca/root-trust` -> get root CA certificate for establishing trust
- GET `/ca/host-certificate` -> get new host certificate signed by CA

TODO / Not yet implemented:
- POST `/ca/csr` -> generic certificate signing request (optionally supply own public key)
- POST `/ca/revoke-certificate` -> revoke certificate
- GET `/ca/revoke-certificate` -> check if cert has been revoked
- OCSP server for clients to check if cert has been revoked via OCSP

## Deployment
CAPy requires the following environment variables to run properly:
| Variable Name | Description | Required | Default Value |
| --- | --- | --- | --- |
| CA_NAME | Name of the certificate authority | No | CAPy Root CA |
| CA_CERT_DIR | Directory within the container to save certificates | No | /opt/CAPy/CA |
| PROXY_DOMAIN | Domain that the CA is creating certificates for | Yes | |
| PGID | Container user GID; used for volume file permissions | Yes | |
| PUID | Container user UID; used for volume file permissions | Yes | |
| SECRET_KEY | Secret key for encryption; make sure this value is complex and protected | Yes | |

CAPy also requires a volume mounted at the CA_CERT_DIR location to be able to persist certificates across runs.
The following docker-compose file is an example deployment:
```yaml
version: "3.9"
services:
  capy:
    container_name: "capy"
    image: ghcr.io/lawndoc/capy:main
    volumes:
      - ./volumes/capy:/opt/CAPy/CA # make sure this matches CA_CERT_DIR
    networks:
      - backend
    restart: always
    environment:
      CA_NAME: "MyOrg CA" # optional
      CA_CERT_DIR: "/opt/CAPy/CA" # optional
      PGID: 1001
      PROXY_DOMAIN: example.com
      PUID: 1000
      SECRET_KEY: ${SECRET_KEY}
networks:
  backend:
```
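Because the service has no authentication of its own, the README relies on network configuration to keep the certificate-issuing endpoints away from untrusted clients. The compose file below is an added example, not part of the CAPy project: it keeps the `capy` service as above but marks the `backend` network `internal: true`, so Docker attaches no gateway to it and nothing outside the compose project can reach the CA. The `my-app` service is an assumed placeholder standing in for whatever workload actually requests certificates; it joins the same network and resolves the CA by its service name `capy`. No `ports:` mapping is declared for `capy`, so nothing on the host's interfaces is exposed.

```yaml
version: "3.9"
services:
  capy:
    container_name: "capy"
    image: ghcr.io/lawndoc/capy:main
    volumes:
      - ./volumes/capy:/opt/CAPy/CA # must match CA_CERT_DIR
    networks:
      - backend
    restart: always
    environment:
      CA_NAME: "MyOrg CA"
      CA_CERT_DIR: "/opt/CAPy/CA"
      PGID: 1001
      PROXY_DOMAIN: example.com
      PUID: 1000
      SECRET_KEY: ${SECRET_KEY}   # supplied from the host environment or a .env file kept out of version control
    # deliberately no "ports:" block: the CA is reachable only from the backend network

  my-app:                         # assumed placeholder for the service that consumes certificates
    image: my-org/my-app:latest   # assumed placeholder image
    networks:
      - backend                   # same network as capy; reaches it by the hostname "capy"
    depends_on:
      - capy

networks:
  backend:
    internal: true                # no gateway: the CA cannot be reached from outside the compose project
```

Anything that legitimately needs certificates from CAPy must therefore run on the `backend` network; a service attached only to a published-port frontend network has no route to the CA, which is the intended effect given the missing authentication layer.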