Allow 3rd party software to use Nivlheim's certificates to authenticate machines #32

Closed
oyvindhagberg opened this issue Jan 29, 2018 · 2 comments

oyvindhagberg commented Jan 29, 2018

There are many ways to do this:

  • API for server-to-server call where an external system can pass some signed data package to Nivlheim, which will then verify the signature and return some information about the machine that signed it.
  • HTTP redirect service
    1. A machine makes an HTTP request to a 3rd party server, gets a redirect to Nivlheim
    2. Upon contacting Nivlheim, it receives a JSON Web Token and is redirected back
    3. It contacts the 3rd party server again, this time passing along a JWT which the server uses to verify its identity
  • Nivlheim can share its CA certificate with other servers. This has negative security implications.

@oyvindhagberg (Contributor, Author)

Nivlheim can safely share its public CA certificate.... didn't think of that. 🤦‍♂️

Let's solve this by making the public CA certificate available on the website by default, for example as a static file that doesn't require login.

@oyvindhagberg oyvindhagberg added this to the Public beta milestone Feb 20, 2018
oyvindhagberg added a commit that referenced this issue Apr 19, 2018
Modified the client to be compatible with the legacy version of the
server software.
The client generates an additional file with the certificate key
in PKCS8 format. This helps #32.
Modified the client cron job to run every 5 minutes, and the client
will exit if less than an hour since last successful run. Fixes #20.
Moved approve/deny web gui to the settings page.
Improved the web design/look on the settings page.

@oyvindhagberg (Contributor, Author)

The solution for this issue relies on how #27 is solved. Perhaps Nivlheim should share a bundle with all its active CA certificates (which should normally consist of the current + the previous).

oyvindhagberg added a commit that referenced this issue Mar 13, 2019
This PR takes care of 2 issues:
- It automates the upgrading process of the client CA certificate,
  making it easy to upgrade, and "documenting" (in the form of code)
  how to do it. #27
- It publishes a bundle with the currently active CA certificates on
  the web server, facilitating 3rd party use. #32 

See also: https://github.com/usit-gd/nivlheim/wiki/Client-certificates
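
Added example, not part of this issue or of the Nivlheim code base: a sketch of how a 3rd party server written in Go could use a published CA bundle (current + previous CA) to check a machine's client certificate. The function names (`issue`, `pemOf`, `verifyMachine`), the host name and the certificates generated here are constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue builds constructed test material: a self-signed CA if parent is nil, else a client certificate.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }

// verifyMachine trusts only the CAs in bundlePEM and returns the CN of a client certificate they issued.
func verifyMachine(bundlePEM []byte, client *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return "", fmt.Errorf("no CA certificates found in bundle")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return "", err
	}
	return client.Subject.CommonName, nil
}

func main() {
	cur, _ := issue("current CA", nil, nil)
	prev, prevKey := issue("previous CA", nil, nil)
	host, _ := issue("host.example.org", prev, prevKey)
	fmt.Println(verifyMachine(append(pemOf(cur), pemOf(prev)...), host))
}
```

A chain check alone does not show that the peer holds the private key. In a TLS server the same pool would be set as `tls.Config.ClientCAs` with `ClientAuth: tls.RequireAndVerifyClientCert`, so the handshake proves possession as well.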