A simple service for interacting with an HSM or other PKCS#11 device.
A simple service for interacting with an HSM or other PKCS #11 device. It supports minting and signing of both SSH and x509 certificates. Crypki is the certificate signing backend for the Athenz RBAC system.
You should be able to run crypki server on any linux platform as long as you have crypki binary and .so file. We have tested it on RHEL 7, Debian 9 & Ubuntu 18.04.
Prerequisites:
- Go >= 1.12.1
Run:
go get github.com/yahoo/crypki
go install github.com/yahoo/crypki/cmd/crypkiTo start crypki server clone the repo and run the following commands.
-
Build docker image
$ docker build -f crypki/docker-softhsm/Dockerfile -t crypki-local . -
Generate certs and keys required for mutual TLS between the front end-client and the crypki backend server
cd crypki/docker-softhsm ./gen-crt.sh -
Start the docker container
docker run -d -p :4443:4443 -v $PWD/log:/var/log/crypki -v $PWD/tls-crt:/opt/crypki/tls-crt:ro -v $PWD/shm:/dev/shm --rm --name crypki -h "localhost" crypki-local
-
Verify whether the server is up and running
curl -X GET https://localhost:4443/ruok --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt
Disclaimer: the above installation guidelines are to help you get started with crypki; they should be used only for testing/development purposes. Please do not use this setup for production, because it is not secure.
Take a look at the sample configuration file to see how to configure crypki
APIs for crypki are defined under crypki/proto. If you are familiar with or are using grpc, you can directly invoke the rpc methods defined in the proto file.
Examples:
Get all available SSH signing keys
curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crtGet SSH user public signing key
curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crtSign SSH user certificate
curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --data @ssh_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt Get all available x509 signing keys
curl -X GET https://localhost:4443/v3/sig/x509-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crtGet x509 public CA certificate
curl -X GET https://localhost:4443/v3/sig/x509-cert/keys/x509-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crtSign x509 certificate
curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/x509-cert/keys/x509-key --data @x509_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt -
Please refer to Contributing.md for information about how to get involved. We welcome issues, questions and pull requests.
-
You can also contact us for any user and development discussions through our group crypki-dev
This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.