Skip to content

dopry/nodekey

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

I'm a paranoid sysadmin. I generate RSA keypairs for each service and device combination I have. I prefer that my users use a Key that I have signed with my own CA or another CA I trust. I also expect CA's to quickly revoke all certificates signed with a compromised signing key.

Managing a lot of keys in a very paranoid PKI infrastructure can be difficult.

Above and beyond my curmudgeonly mindset it should be easy for most developers to click a button and have a certificate and not have to worry about running openssl on the cli to generate key pairs for services. They should have to click a button to generate their private key and get a prompt asking them where to save it. Their public key once approved should automatically be associated with their account.

user stories: A. A user of a cloud service wants to create an ssh key to use with said service in a secure method. B. Cloud service provider want a simple way to authorize and verify client certificates while providing them secure ways to interact with their services.

How To:
A. To create a certificate securely a user needs to generate a 2048bit private and csr on their computer. Never exposing their
private key. The CSR is then submitted to the CA. Wait for the CA to validate them and provide them a signed
public certificate.
see: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR876

B. Service providers establish a CA signing hierarchy with a Root Certificate and a signing Certificate. They present an service
to which clients can upload CSRs. The service can utilize a number of verification schemes. I'm currently thinking manual, email, 
or phone validation. Once validated the submitting client can be notified. The CA's service should provide all the tools the end
needs to generate their certificate.

Dream Workflow:

I signup for the awesome web service. On my account page it prompts me to generate a key to access their site.
I hit the generate key button in my browser and I'm prompted to save my private key. In the background my CSR 
has been submitted to the server already. The server is sending me an email to verify that I uploaded the key 
to the account I setup my email with, or giving me a ring on my phone and asking me to verify. Once I verify 
my public key is auto loaded in my profile and I have the option to download it. 

Libraries needed:

npm install ursa


Entities:

CSR {
  DistinguishedName: '',
  Organisation: '',
  OrganisationalUnit: '',
  City: '',
  State: '',
  Country: '',
  Email: '',
  PublicKey, '',
  status: [ pending, signed ] 
}

Certificate (public) {
  csr: (reference)
  key: {long ass string}
  status: [ active, revoked ]
  lastModified: { datetime }
}

REST API

/v1/csrs
    Description:
        Base UI for submitting and retrieving Certificate Signing Requests.
    
    Entities:
    

    Methods:
        POST: submit a csr for signing, return it's @id.
        GET: retrieve a list of csrs
        PUT: N/A no mass update
        DELETE: N/A no mass delete

/v1/csrs/@id
    Description:
        Base URI for managing a specific CSR.
        
    Entities:
        
    Methods:
        POST: submit a csr for signing to a specific @id.
        GET: Return a CSR and it's details.
        PUT: 
        DELETE: N/A no deleting

/v1/certificates
    Description:
        Base URI for managing certificates.
    
    Entities:
    
    Methods:
        POST: put a CSR to create a signed certificate. 
        GET: get a list of known public certificates.
        PUT: N/A no mass update.
        DELETE: N/A no mass delete.

/v1/certificates/@id        
    Methods:
        POST: put a CSR to create a signed certificate.
        GET: get the details of the signed certificate.
        PUT: use put to set the certificate to revoked.
        DELETE: revoke a certificate

/v1/signing-certificate
    
    Description:
        URI for managing the signing ceritificate.  This is typically a cert 
        signed by a root certificate, used for signing end user certificates.
    
    Methods:
        POST: submit a new signing certificate
        GET: get the signing certificate details
        PUT: not applicable.
        DELETE: remove the signing certificate.        

/v1/ca
    Description:
        Public URI for the CA certificate. This is typically the CA cert for the Root Certificate.
        
    Methods:
        POST: upload a new public CA certificate.
        GET: get a copy of the CA certificate.
        PUT: update the CA certificate.
        DELETE: delete the CA certificate.

Errata:

http://middleware.internet2.edu/pki03/presentations/11.pdf

About

a node.js pki toolkit and my first node.js project.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published