Hi folks,
I've written a simple "koji-ssl-admin" utility: https://pagure.io/koji-tools/pull-request/19
The current Koji Server Howto guide includes a lot of steps to run openssl by hand, and I find I make mistakes easily in this area.
This tool makes it trivial to generate the required SSL keys, CSRs, and CA to set up a Koji environment. It has opinionated settings, like fixed, safe key sizes so you can get up and running out of the box quickly.
You can use this to create your own Koji-specific CA and sign HTTPS certs and user certs, or you can just generate the CSRs to submit to an official CA later.
This generates the certs with single commands and predictable filenames, so it's easy to wrap this with scripts or config management systems like Ansible.
Here are the sub-commands:
$ koji-ssl-admin --help
usage: koji-ssl-admin [-h] {server-csr,user-csr,new-ca,sign} ...
Common Koji SSL admin operations:
1) Generate a server key and CSR for HTTPS on kojihub or kojiweb. You will pass this CSR (cert signing request) to a master CA for signing. You will need these even if you use Kerberos authentication. You will also need these regardless if you use an external CA or a testing one that you generate with this tool.
2) Generate a user account key and CSR. You will pass this CSR (cert signing request) to a master CA for signing. You only need these if you use SSL cert authentication (not Kerberos). These might be usable with an external CA if you have one.
3) Generate a new master CA. You only need this if you don't have an external CA in your environment that can sign CSRs. (For example, in a testing environment.) Generates new "koji-ca.key" and "koji-ca.crt" files. The CA is valid for ten years from today.
4) Sign a CSR for a user or server with a master CA. Like "master CA" above, you only need this if you don't have an external CA in your environment. (For example, in a testing environment.) You can use this to sign server certs or user certs with your CA.
Never share the .key files or post them in a public location.
positional arguments:
  {server-csr,user-csr,new-ca,sign}
    server-csr          Generate a new server key and CSR for an HTTPS server (eg. kojihub or kojiweb).
    user-csr            Generate a new key and CSR for a koji user account.
    new-ca              Generate a new self-signed SSL CA to sign CSRs.
    sign                Sign a CSR with our Koji CA.

optional arguments:
  -h, --help            show this help message and exit
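The four operations the help text describes (new-ca, server-csr, user-csr, sign), done with the openssl CLI as an added example that is not koji-ssl-admin's own code. Only the koji-ca.key / koji-ca.crt names come from the tool; the hostname, user name, key size, the one-year leaf lifetime and the extension choices are assumptions.

```shell
#!/bin/sh
# Constructed example, not koji-ssl-admin's own code: its four operations
# (new-ca, server-csr, user-csr, sign) done with the openssl CLI, plus a verify
# step. Only the koji-ca.key / koji-ca.crt names come from the tool.
set -eu
# Minimal openssl config so nothing depends on the system openssl.cnf.
# The [dn] section is empty because every command below passes -subj.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca_ext' '[dn]' \
    '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$1/koji.cnf"
}

# new_ca DIR: self-signed CA valid ten years; the private key is owner-readable only.
new_ca() {
  mkdir -p "$1" && write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj '/CN=Koji CA' \
    -config "$1/koji.cnf" -keyout "$1/koji-ca.key" -out "$1/koji-ca.crt" 2>/dev/null
  chmod 600 "$1/koji-ca.key"
}

# new_csr DIR NAME: key + CSR for a server (NAME = hostname) or a user (NAME = login).
# The CSR carries no extensions on purpose: the CA decides them when it signs.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -config "$1/koji.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  chmod 600 "$1/$2.key"
}

# sign DIR NAME KIND: KIND "server" gets serverAuth plus a SAN, "user" gets clientAuth;
# the EKU keeps the roles apart (OpenSSL purpose checks reject a user cert as a server).
sign() {
  if [ "$3" = server ]; then
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
      'keyUsage=critical,digitalSignature,keyEncipherment' "subjectAltName=DNS:$2" > "$1/$2.ext"
  else
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth' \
      'keyUsage=critical,digitalSignature' > "$1/$2.ext"
  fi
  openssl x509 -req -in "$1/$2.csr" -CA "$1/koji-ca.crt" -CAkey "$1/koji-ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# verify DIR NAME PURPOSE (sslserver|sslclient): succeeds only if the cert chains to
# the CA and its key usage / EKU fit that purpose.
verify() { openssl verify -CAfile "$1/koji-ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1; }

d=$(mktemp -d)                      # demo run; hub host and user name are constructed
new_ca "$d"; new_csr "$d" hub.example.test; sign "$d" hub.example.test server
new_csr "$d" kojiadmin; sign "$d" kojiadmin user; echo "certs written to $d"
```

The -CAcreateserial option leaves a koji-ca.srl file next to the CA; keep it with the CA key so serial numbers stay unique across signings.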
On Thu, Dec 20, 2018 at 11:59 AM Ken Dreyer ktdreyer@ktdreyer.com wrote:
> Hi folks,
> I've written a simple "koji-ssl-admin" utility:
> https://pagure.io/koji-tools/pull-request/19
> The current Koji Server Howto guide includes a lot of steps to run openssl by hand, and I find I make mistakes easily in this area.
> This tool makes it trivial to generate the required SSL keys, CSRs, and CA to set up a Koji environment. It has opinionated settings, like fixed, safe key sizes so you can get up and running out of the box quickly.
> You can use this to create your own Koji-specific CA and sign HTTPS certs and user certs, or you can just generate the CSRs to submit to an official CA later.
> This generates the certs with single commands and predictable filenames, so it's easy to wrap this with scripts or config management systems like Ansible.
This is awesome! Thanks for making this!
On 12/20/18 12:00 PM, Neal Gompa wrote:
> On Thu, Dec 20, 2018 at 11:59 AM Ken Dreyer ktdreyer@ktdreyer.com wrote:
>> Hi folks,
>> I've written a simple "koji-ssl-admin" utility:
>> https://pagure.io/koji-tools/pull-request/19
>> The current Koji Server Howto guide includes a lot of steps to run openssl by hand, and I find I make mistakes easily in this area.
>> This tool makes it trivial to generate the required SSL keys, CSRs, and CA to set up a Koji environment. It has opinionated settings, like fixed, safe key sizes so you can get up and running out of the box quickly.
>> You can use this to create your own Koji-specific CA and sign HTTPS certs and user certs, or you can just generate the CSRs to submit to an official CA later.
>> This generates the certs with single commands and predictable filenames, so it's easy to wrap this with scripts or config management systems like Ansible.
> This is awesome! Thanks for making this!
Ditto! I ran into many of the same problems and went for the same solution. My script was quirky and I never got around to making it better behaved. I got the certs I needed and moved on and now fear that tool. That was for $JOB_KOJI. For $HOME_KOJI I went another approach and used the wonderful xca tool and made templates for hub, web, user, etc. but any tools here help. It was the single most frustrating thing for me getting Koji up and running the first time. The upside is I got very comfortable with X.509.
koji-devel@lists.stg.fedorahosted.org