Using certs from local CA

I just realised that the series of pages I put together a while back regarding setting up and using a personal (or local) certificate authority was missing the final page, giving examples of an application making use of the CA.

https://github.com/slugbucket/package-inventory-server/tree/cert_based_client_registration contains some rough examples of such an application.

I was really interested in making sure I developed a set of tests before adding more functionality and then I got distracted with other work projects.

The code in the branch isn’t entirely practical, and my Python is not far from laughable, but it does kinda work and can help illustrate the principles.

The Python service in PackageInventoryServer.py can be run using,

    uwsgi --ini application.ini

and can easily be provided over https with a build of nginx with uwsgi support added and the following directives included in a ‘location /’ block,

    include uwsgi_params;
    uwsgi_pass unix:/tmp/PackageInventoryServer.sock;

Then running a test command like the following should show some hits on the uwsgi application terminal and a file in the cache directory for the hostname,

    curl -v https://inventory-master.localdomain/package-inventory/packages/new -H 'Content-Type: application/json' -d '{"hostname": "fnunbob.localdomain", "Packages": [{"Version": "1:1.2.8-7", "Architecture": "x86_64", "Name": "zlib", "Description": "Compression library implementing the deflate compression method found in gzip and PKZIP", "URL": "http://www.zlib.net/"}]}'

On its own this should fail with a warning that the server certificate is invalid (untrusted) for the request, because curl does not know the local CA. When we add the CA chain, so that curl trusts the server certificate, and the client certificate and key, so that the server can identify the client, we get a more favourable response,

    --cacert /path/to/client-cert-auth/intermediate-ca/certs/ca-chain.cert.pem --cert /path/to/package-inventory-server/python/ssl/fnunbob.localdomain.cert.pem --key /path/to/package-inventory-server/python/ssl/fnunbob.localdomain.key.pem

Using the client test program, ‘python post-host-packages.py’, will post a full package inventory from the localhost, with the results saved in the cache directory.
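The check that makes the client certificate worth anything on the server side is binding it to the hostname in the posted inventory, so a host holding a valid certificate cannot register packages under another host's name. The function below is an added example, not code from the package-inventory-server branch; it assumes nginx is run with ‘ssl_verify_client on’ and the ‘ssl_client_certificate’ directive pointing at ca-chain.cert.pem, and that the location block also passes ‘$ssl_client_verify’ and ‘$ssl_client_s_dn’ to uwsgi with ‘uwsgi_param’ under the (assumed) names SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN.

```python
import json
import re

# Constructed sample of what nginx would hand to the uwsgi application for the
# curl request above, given the assumed uwsgi_param lines in the location block:
#   uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
#   uwsgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=fnunbob.localdomain,OU=Hosts,O=localdomain",
}
SAMPLE_BODY = (b'{"hostname": "fnunbob.localdomain", '
               b'"Packages": [{"Name": "zlib", "Version": "1:1.2.8-7"}]}')


def client_cn(environ):
    """Return the lower-cased CN of the client certificate nginx verified
    against the local CA chain, or None if no certificate was verified."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = environ.get("SSL_CLIENT_S_DN", "")
    # Newer nginx emits RFC 2253 ("CN=a,O=b"), older builds the slash form
    # ("/O=b/CN=a"); split on either.  Walk the RDNs and split each on its
    # first '=' so a value such as OU=CN=x cannot pose as the CN.  An escaped
    # comma inside a value would be split wrongly, which only fails closed.
    for rdn in re.split(r"[,/]", dn):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN" and value:
            return value.strip().lower()
    return None


def authorise_inventory(environ, body):
    """Accept a posted inventory only when the hostname in the JSON payload
    matches the CN of the presented client certificate.
    Returns (http_status, hostname_or_reason)."""
    cn = client_cn(environ)
    if cn is None:
        return "403 Forbidden", "client certificate required"
    try:
        hostname = str(json.loads(body)["hostname"]).strip().lower()
    except (ValueError, KeyError, TypeError):
        return "400 Bad Request", "hostname missing from payload"
    if hostname != cn:
        # A certificate issued to host A must not register packages for host B.
        return "403 Forbidden", "certificate CN %r does not match hostname %r" % (cn, hostname)
    return "200 OK", hostname
```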