Installation and Configuration
Installation
Installation of PostgreSQL client package:
Installation of PostgreSQL server (if none exists) and related packages on DB server host:
```
pkg install databases/postgresql12-server
pkg install databases/ip4r
```
Installation of Python packages from PyPI:
```
pip install serverPKI
```
Creation of DB user and DB
Host db1, port 2222, user dba and user pki_op are examples. dba must be a PostgreSQL superuser. The scripts create_schema_pki.sql and create_triggers_pki.sql contain GRANT statements which allow usage of the objects by user serverPKI; to change this, edit those scripts. Create ~/.pgpass or a client cert in ~/.postgresql:
```
psql -h db1 -p 2222 -U dba postgres
postgres=> CREATE ROLE pki_op LOGIN CREATEDB;
psql -h db1 -p 2222 -U pki_op postgres
postgres=> CREATE DATABASE pki_op;
psql -h db1 -p 2222 -U pki_op -d pki_op -f install/fresh_install/create_schema_dd.sql
psql -h db1 -p 2222 -U pki_op -d pki_op -f install/fresh_install/create_extension_citext.sql
psql -h db1 -p 2222 -U pki_op -d pki_op -f install/fresh_install/create_schema_pki.sql
# optional (useful examples for demo):
psql -h db1 -p 2222 -U pki_op -d pki_op -f install/fresh_install/load_testdata.sql
psql -h db1 -p 2222 -U pki_op -d pki_op -f install/fresh_install/create_triggers_pki.sql
#
psql -h db1 -p 2222 -U pki_op
pki_op=> set search_path to pki,dd;
SET
pki_op=> \d
                    List of relations
 Schema |         Name          |   Type   |   Owner
--------+-----------------------+----------+-----------
 pki    | certificates          | table    | pki_op
 pki    | certificates_id_seq   | sequence | pki_op
 pki    | certificates_services | table    | pki_op
 pki    | certinstances         | table    | pki_op
 pki    | certinstances_id_seq  | sequence | pki_op
 pki    | certkeydata           | table    | pki_op
 pki    | certkeydata_id_seq    | sequence | pki_op
 pki    | certs                 | view     | pki_op
 pki    | certs_ids             | view     | pki_op
 pki    | disthosts             | table    | pki_op
 pki    | disthosts_id_seq      | sequence | pki_op
 pki    | inst                  | view     | pki_op
 pki    | jails                 | table    | pki_op
 pki    | jails_id_seq          | sequence | pki_op
 pki    | places                | table    | pki_op
 pki    | places_id_seq         | sequence | pki_op
 pki    | revision              | table    | pki_op
 pki    | revision_id_seq       | sequence | pki_op
 pki    | services              | table    | pki_op
 pki    | services_id_seq       | sequence | pki_op
 pki    | subjects              | table    | pki_op
 pki    | subjects_id_seq       | sequence | pki_op
 pki    | targets               | table    | pki_op
 pki    | targets_id_seq        | sequence | pki_op
(24 rows)
serverpki=> \q
```
Configuration
Copy install/example_config.py to /usr/local/etc/serverPKI/serverPKI_config.py or to VIRTUAL_ENV/etc/serverPKI_config.py and edit the copy. The config file is in ini file format with nested sections.
The following variables can be set:
Pathes
Section containing filesystem path information
- home
- Root of the work area and credential storage, usually somewhere under var. This variable must be set to a safe place in order to use serverPKI.
- db
- Some credentials stored here, like:
- ca_cert, ca_key
- Cert and key of the local (internal) CA, in case there exists one when you begin with serverPKI. They will be imported into the DB with issuance of the 1st local cert; the flat files can be deleted then. Not needed if the local CA cert is created with "serverPKI --issue-local-CAcert".
- db_encryption_key
All keys in the DB are encrypted with this key. After setting this up, encrypt the keys in the DB:

```
operate_serverPKI --encrypt-keys -v
```

Before changing the passphrase, decrypt all keys:

```
operate_serverPKI --decrypt-keys -v
```
- le_account
- Credentials of the Let's Encrypt account in JSON format. See manuale register in the tutorial.
- work
- Work directory
- work_tlsa
- TLSA resource records are being accumulated here for named zone update.
- tlsa_dns_master
- Host of the DNS master. Empty means: local host. Must be empty for now. Will be used with ddns and a remote master in the future.
Next 6 variables are for historical DNS control via zone files and should not be used for new installations:
- zone_file_root
- zone files are kept in DSKM format:
- zone_file_root/example.com/example.com.zone
- dns_key
- rndc key for triggering named reload.
- zone_tlsa_inc_mode, zone_tlsa_inc_uid, zone_tlsa_inc_gid
- File permissions and ownership for the files included by zone files.
- zone_file_include_name
- The filename of the file with the challenges, included from the zone file.
- ddns_key_file
- The filename of a named dynamic DNS key file, used to secure DNS update transactions.
X509atts
Section of local X509 certificate standard attribute defaults
- names and extensions
- Cert fields used for CA cert and server/client certs.
- lifetime and bits
- are used for server/client certs
DBAccount
Configuration of account data and credentials for the PostgreSQL DB. Passwords may be stored in pki_op's HOME in HOME/.pgpass, or client certs in HOME/.postgresql.crt and HOME/.postgresql.key.
- dbHost
- host name of DB server
- dbPort
- port number of DB instance
- dbUser
- DB role name, used for accessing the DB
- dbDbaUser
- Role name for tasks requiring superuser rights. Empty if the person who runs the program is the DBA.
- dbSslRequired
- If "yes", connections are made over TLS.
- dbDatabase
- name of database, used for serverPKI (contains schemas dd and pki)
- dbSearchPath
- search_path set at login
- dbCert
- path of the file containing the cert for TLS
- dbCertKey
- path of the file containing the key for TLS
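The DBAccount settings above map directly onto libpq connection parameters. The following is an added example, not serverPKI's own code: it turns a DBAccount section into keyword arguments a libpq-based driver (psycopg2 is assumed) would accept, chooses the DBA role for superuser tasks, and checks the permission rule libpq applies to client key files and ~/.pgpass (they must not be readable by group or others). When dbSslRequired is "yes" it selects sslmode=verify-full rather than plain require, which is this example's hardening choice, not something the page states; it needs the server CA in ~/.postgresql/root.crt or an sslrootcert parameter. The sample section values and certificate paths are constructed.

```python
# Added example (not serverPKI project code): derive libpq/psycopg2 connection
# parameters from a DBAccount section as documented above, and check that
# credential files carry private permissions (libpq refuses them otherwise).
import os
from typing import Any, Dict

# Constructed sample DBAccount section; host/port/roles follow the
# installation example above, the certificate paths are assumptions.
SAMPLE_DBACCOUNT: Dict[str, str] = {
    "dbHost": "db1",
    "dbPort": "2222",
    "dbUser": "pki_op",
    "dbDbaUser": "dba",
    "dbSslRequired": "yes",
    "dbDatabase": "pki_op",
    "dbSearchPath": "pki,dd",
    "dbCert": "/home/pki_op/.postgresql/postgresql.crt",    # assumed path
    "dbCertKey": "/home/pki_op/.postgresql/postgresql.key",  # assumed path
}


def connection_params(section: Dict[str, str], dba: bool = False) -> Dict[str, Any]:
    """Build libpq keyword parameters from a DBAccount section.

    dba=True selects dbDbaUser for tasks needing superuser rights; an empty
    dbDbaUser means the person running the program is the DBA, so dbUser
    is used in that case.
    """
    if dba and section.get("dbDbaUser"):
        user = section["dbDbaUser"]
    else:
        user = section["dbUser"]

    params: Dict[str, Any] = {
        "host": section["dbHost"],
        "port": int(section["dbPort"]),
        "user": user,
        "dbname": section["dbDatabase"],
        # dbSearchPath: applied at login through libpq's options string
        "options": "-c search_path=%s" % section["dbSearchPath"],
    }

    if section.get("dbSslRequired", "").strip().lower() == "yes":
        # verify-full = TLS mandatory AND server certificate chain and host
        # name verified; weaker modes allow downgrade or impersonation.
        params["sslmode"] = "verify-full"
        params["sslcert"] = section["dbCert"]
        params["sslkey"] = section["dbCertKey"]
    else:
        # libpq default: try TLS, silently fall back to plaintext
        params["sslmode"] = "prefer"
    return params


def mode_is_private(mode: int) -> bool:
    """True if no group/other permission bit is set (0600 or stricter).

    libpq applies this rule to the client key file and to ~/.pgpass; the
    file-type bits in st_mode do not matter for the check.
    """
    return (mode & 0o077) == 0


def key_file_mode_ok(path: str) -> bool:
    """Stat a credential file and apply mode_is_private; missing file -> False."""
    try:
        return mode_is_private(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    params = connection_params(SAMPLE_DBACCOUNT)
    print(params)
    for path in (params.get("sslkey"), os.path.expanduser("~/.pgpass")):
        if path:
            print(path, "permissions ok:", key_file_mode_ok(path))
    # With psycopg2 installed the connection would be opened as:
    #   psycopg2.connect(**params)
```

A connection opened with these parameters already has search_path set, so the schema-qualified objects created by the installation scripts (pki.certificates, dd.*) resolve without further SET statements.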
Misc
Section with miscellaneous config parameters
- SSH_CLIENT_USER_NAME
- user name on target hosts for cert/key distribution
- LE_SERVER
- URL of the Let's Encrypt server, either 'https://acme-staging-v02.api.letsencrypt.org' (for testing) or 'https://acme-v02.api.letsencrypt.org' (for production)
- LE_EMAIL
- e-mail address for letsencrypt.org registration, used by LE for notifications
- LE_ZONE_UPDATE_METHOD
- Zone update method for challenges, either 'ddns' (the default) for dynamic updates or 'zone_file' for updates via zone file
- LOCAL_CA_BITS and LOCAL_CA_LIFETIME
- Number of bits and lifetime of local CA cert.
- SUBJECT_LOCAL_CA
- Subject name of local CA in table Subjects (may be changed only initially)
- SUBJECT_LE_CA
- Subject name of the Let's Encrypt CA in table Subjects (may be changed only initially)
- PRE_PUBLISH_TIMEDELTA
- New certs are published that many days before they become active (with 2nd TLSA RRs) for rollover
- LOCAL_ISSUE_MAIL_TIMEDELTA = timedelta(days=30)
- An e-mail to the administrator will be sent that many days before expiration of local certs (these must be issued manually, using the pass phrase).
- MAIL_RELAY, MAIL_SUBJECT, MAIL_SENDER and MAIL_RECIPIENT
- Characteristics of mail service for notification mails.
- SYSLOG_FACILITY
- Facility for syslog log messages. serverPKI uses levels DEBUG, INFO, NOTICE and ERR.
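Several of the Pathes and Misc settings above carry constraints that only surface at run time (home must be set, tlsa_dns_master must stay empty, LE_SERVER must be one of the two ACME URLs, the zone update method decides which path settings are required, the timedeltas must be positive, the syslog facility must be a real one). The following is an added example, not serverPKI's own code, that checks those rules up front. It assumes the configuration is available as a nested dict (section name to key to value), that PRE_PUBLISH_TIMEDELTA is a timedelta like the LOCAL_ISSUE_MAIL_TIMEDELTA shown above, and it uses Python's own SysLogHandler.facility_names as the list of valid facilities; the sample configuration values are constructed.

```python
# Added example (not serverPKI project code): pre-flight validation of the
# Pathes and Misc settings documented on this page. The nested-dict layout
# is an assumption; the rules are the ones the documentation states.
from datetime import timedelta
from logging.handlers import SysLogHandler
from typing import Any, Dict, List, Tuple

LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org"
LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org"
# path settings that only matter for the historical zone_file method
ZONE_FILE_KEYS = ("zone_file_root", "dns_key", "zone_file_include_name")

# Constructed sample configuration; paths and addresses are placeholders.
SAMPLE_CONFIG: Dict[str, Dict[str, Any]] = {
    "Pathes": {
        "home": "/var/serverPKI",
        "tlsa_dns_master": "",
        "ddns_key_file": "/var/serverPKI/ddns.key",
    },
    "Misc": {
        "LE_SERVER": LE_PRODUCTION,
        "LE_EMAIL": "pki-admin@example.com",
        "LE_ZONE_UPDATE_METHOD": "ddns",
        "PRE_PUBLISH_TIMEDELTA": timedelta(days=7),
        "LOCAL_ISSUE_MAIL_TIMEDELTA": timedelta(days=30),
        "SYSLOG_FACILITY": "local0",
    },
}


def validate_config(cfg: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (setting, problem) pairs; an empty list means the config passes.

    Entries whose text starts with 'warning:' do not block operation but
    deserve a look before going to production.
    """
    problems: List[Tuple[str, str]] = []
    paths = cfg.get("Pathes", {})
    misc = cfg.get("Misc", {})

    # home is the root of the work area and credential storage
    if not paths.get("home"):
        problems.append(("Pathes.home", "must be set (work area and credential storage)"))
    # remote DNS masters are not supported yet
    if paths.get("tlsa_dns_master"):
        problems.append(("Pathes.tlsa_dns_master", "must be empty for now (local host only)"))

    server = misc.get("LE_SERVER")
    if server == LE_STAGING:
        problems.append(("Misc.LE_SERVER", "warning: staging endpoint, certs are not publicly trusted"))
    elif server != LE_PRODUCTION:
        problems.append(("Misc.LE_SERVER", "must be the Let's Encrypt staging or production URL"))
    if not misc.get("LE_EMAIL"):
        problems.append(("Misc.LE_EMAIL", "must be set, LE sends its notifications there"))

    # the update method decides which DNS-related paths must be present
    method = misc.get("LE_ZONE_UPDATE_METHOD", "ddns")
    if method == "ddns":
        if not paths.get("ddns_key_file"):
            problems.append(("Pathes.ddns_key_file", "required for ddns updates"))
    elif method == "zone_file":
        for key in ZONE_FILE_KEYS:
            if not paths.get(key):
                problems.append(("Pathes." + key, "required for zone_file updates"))
    else:
        problems.append(("Misc.LE_ZONE_UPDATE_METHOD", "must be 'ddns' or 'zone_file'"))

    # rollover pre-publication and expiry warning are counted in days
    for key in ("PRE_PUBLISH_TIMEDELTA", "LOCAL_ISSUE_MAIL_TIMEDELTA"):
        value = misc.get(key)
        if not isinstance(value, timedelta) or value <= timedelta(0):
            problems.append(("Misc." + key, "must be a positive timedelta"))

    if misc.get("SYSLOG_FACILITY") not in SysLogHandler.facility_names:
        problems.append(("Misc.SYSLOG_FACILITY", "unknown syslog facility name"))
    return problems


if __name__ == "__main__":
    for setting, problem in validate_config(SAMPLE_CONFIG) or [("config", "ok")]:
        print("%s: %s" % (setting, problem))
```

Running the check against the real config before the first issue run catches the two mistakes that are otherwise only noticed after an ACME round trip: a staging LE_SERVER left over from testing, and a zone_file method with the zone file paths still unset.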