Use home directory for client certs

serverless-ca · Feb 23, 2024 · f6a5de4 · f6a5de4
1 parent 892e1f2
commit f6a5de4
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -1,10 +1,19 @@
 # cloud-ca
 Cloud CA demonstration built using AWS CA Terraform Module
 
+## IMPORTANT
+If cloning this repository to use as a basis for your own CA, it's essential that you:
+* Delete the CSR files in the [csr directory](./certs/dev/csrs/)
+* Delete references to these files in [locals.tf](./locals.tf) and [tls.json](./certs/dev/tls.json)
+* Replace the contents of [revoked.json](./certs/dev/revoked.json) with an empty list `[]`
+* Change the domain name listed in [variables.tf](variables.tf) to one for which there's a hosted zone in your AWS account 
+
 ## CA Overview
 * ECDSA Issuing and Root CA
 * Public certs and CRL
 * Environment: `dev`
+* Certs issued from CSR files
+* Revoked certificate
 
 ## CA Certificates and CRLs
 
@@ -37,7 +46,7 @@ source .venv/bin/activate (Linux / MacOS)
 pip install -r tests/requirements-dev.txt
 python tests/client-cert.py
 ```
-* you will now have a client key and certificate on your laptop
+* you will now have a client key and certificate on your laptop at `~/certs`
 * bundled Root CA and Issuing CA certs are also provided
 
 

diff --git a/tests/client-cert.py b/tests/client-cert.py
@@ -2,17 +2,19 @@
 import json
 import base64
 import boto3
+import os
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from utils_tests.certs.crypto import create_csr_info, crypto_encode_private_key, crypto_tls_cert_signing_request
 from utils_tests.certs.kms import kms_generate_key_pair, kms_get_kms_key_id
 from utils_tests.aws.lambdas import get_lambda_name
 
+homedir = os.path.expanduser("~")
+
 
 def main():  # pylint:disable=too-many-locals
     """
     Create test client certificate for default Serverless CA environment
-    /tmp location of certificates and keys is for test purposes only
-    In production, change location to e.g. /certs with locked down permissions
+    Before using, create a subdirectory `certs` within your home directory
     """
 
     # set variables
@@ -23,9 +25,10 @@ def main():  # pylint:disable=too-many-locals
     state = "England"
     organization = "Serverless Inc"
     organizational_unit = "Security Operations"
-    output_path_cert_key = "/tmp/client-key.pem"
-    output_path_cert = "/tmp/client-cert.pem"
-    output_path_cert_combined = "/tmp/client-cert-key.pem"
+    output_path_cert_key = f"{homedir}/certs/client-key.pem"
+    output_path_cert_pem = f"{homedir}/certs/client-cert.pem"
+    output_path_cert_crt = f"{homedir}/certs/client-cert.crt"
+    output_path_cert_combined = f"{homedir}/certs/client-cert-key.pem"
     key_alias = "serverless-tls-keygen-dev"
 
     # create key pair using symmetric KMS key to provide entropy
@@ -73,19 +76,24 @@ def main():  # pylint:disable=too-many-locals
     if output_path_cert_key:
         with open(output_path_cert_key, "w", encoding="utf-8") as f:
             f.write(key_data.decode("utf-8"))
-            print(f"Private key written to {output_path_cert_key}, this should now be moved to a safe location")
+            print(f"Private key written to {output_path_cert_key}")
+
+    if output_path_cert_pem:
+        with open(output_path_cert_pem, "w", encoding="utf-8") as f:
+            f.write(cert_data.decode("utf-8"))
+            print(f"Certificate written to {output_path_cert_pem}")
 
-    if output_path_cert:
-        with open(output_path_cert, "w", encoding="utf-8") as f:
+    if output_path_cert_crt:
+        with open(output_path_cert_crt, "w", encoding="utf-8") as f:
             f.write(cert_data.decode("utf-8"))
-            print(f"Certificate written to {output_path_cert}")
+            print(f"Certificate written to {output_path_cert_crt}")
 
     if output_path_cert_combined:
         with open(output_path_cert_combined, "w", encoding="utf-8") as f:
             f.write(key_data.decode("utf-8"))
             f.write(cert_data.decode("utf-8"))
 
-    print(f"Certificate and key written to {output_path_cert_combined}, this should now be moved to a safe location")
+    print(f"Certificate and key written to {output_path_cert_combined}")
 
 
 if __name__ == "__main__":

diff --git a/tests/client-csr.py b/tests/client-csr.py
@@ -1,14 +1,17 @@
 #!/usr/bin/env python3
+import os
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from utils_tests.certs.crypto import create_csr_info, crypto_encode_private_key, crypto_tls_cert_signing_request
 from utils_tests.certs.kms import kms_generate_key_pair, kms_get_kms_key_id
 
 
+homedir = os.path.expanduser("~")
+
+
 def main():  # pylint:disable=too-many-locals
     """
     Create test Certificate Signing Request (CSR) for default Serverless CA environment
-    /tmp location of csr and keys is for test purposes only
-    In production, change location to e.g. /certs with locked down permissions
+    Before using, create a subdirectory `certs` within your home directory
     """
 
     # set variables
@@ -18,8 +21,8 @@ def main():  # pylint:disable=too-many-locals
     state = "England"
     organization = "Serverless Inc"
     organizational_unit = "Security Operations"
-    output_path_cert_key = "/tmp/cert-request-key.pem"
-    output_path_csr = "/tmp/cert-request.csr"
+    output_path_cert_key = f"{homedir}/certs/cert-request-key.pem"
+    output_path_csr = f"{homedir}/certs/cert-request.csr"
     key_alias = "serverless-tls-keygen-dev"
 
     # create key pair using symmetric KMS key to provide entropy
@@ -44,7 +47,7 @@ def main():  # pylint:disable=too-many-locals
     if output_path_cert_key:
         with open(output_path_cert_key, "w", encoding="utf-8") as f:
             f.write(key_data.decode("utf-8"))
-            print(f"Private key written to {output_path_cert_key}, this should now be moved to a safe location")
+            print(f"Private key written to {output_path_cert_key}")
 
 
 if __name__ == "__main__":

diff --git a/tests/server-cert.py b/tests/server-cert.py
@@ -2,17 +2,19 @@
 import json
 import base64
 import boto3
+import os
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from utils_tests.certs.crypto import create_csr_info, crypto_encode_private_key, crypto_tls_cert_signing_request
 from utils_tests.certs.kms import kms_generate_key_pair, kms_get_kms_key_id
 from utils_tests.aws.lambdas import get_lambda_name
 
+homedir = os.path.expanduser("~")
+
 
 def main():  # pylint:disable=too-many-locals
     """
     Create test server certificate for default Serverless CA environment
-    /tmp location of certificates and keys for test purposes only
-    In production, change location to e.g. /certs with locked down permissions
+    Before using, create a subdirectory `certs` within your home directory
     """
 
     # set variables
@@ -24,9 +26,10 @@ def main():  # pylint:disable=too-many-locals
     state = "England"
     organization = "Serverless Inc"
     organizational_unit = "Security Operations"
-    output_path_cert_key = "/tmp/server-key.pem"
-    output_path_cert = "/tmp/server-cert.pem"
-    output_path_cert_combined = "/tmp/server-cert-key.pem"
+    output_path_cert_key = f"{homedir}/certs/server-key.pem"
+    output_path_cert_pem = f"{homedir}/certs/server-cert.pem"
+    output_path_cert_crt = f"{homedir}/certs/server-cert.crt"
+    output_path_cert_combined = f"{homedir}/certs/server-cert-key.pem"
     key_alias = "serverless-tls-keygen-dev"
 
     # create key pair using symmetric KMS key to provide entropy
@@ -75,19 +78,24 @@ def main():  # pylint:disable=too-many-locals
     if output_path_cert_key:
         with open(output_path_cert_key, "w", encoding="utf-8") as f:
             f.write(key_data.decode("utf-8"))
-            print(f"Private key written to {output_path_cert_key}, this should now be moved to a safe location")
+            print(f"Private key written to {output_path_cert_key}")
+
+    if output_path_cert_pem:
+        with open(output_path_cert_pem, "w", encoding="utf-8") as f:
+            f.write(cert_data.decode("utf-8"))
+            print(f"Certificate written to {output_path_cert_pem}")
 
-    if output_path_cert:
-        with open(output_path_cert, "w", encoding="utf-8") as f:
+    if output_path_cert_crt:
+        with open(output_path_cert_crt, "w", encoding="utf-8") as f:
             f.write(cert_data.decode("utf-8"))
-            print(f"Certificate written to {output_path_cert}")
+            print(f"Certificate written to {output_path_cert_crt}")
 
     if output_path_cert_combined:
         with open(output_path_cert_combined, "w", encoding="utf-8") as f:
             f.write(key_data.decode("utf-8"))
             f.write(cert_data.decode("utf-8"))
 
-    print(f"Certificate and key written to {output_path_cert_combined}, this should now be moved to a safe location")
+    print(f"Certificate and key written to {output_path_cert_combined}")
 
 
 if __name__ == "__main__":

diff --git a/tests/server-csr.py b/tests/server-csr.py
@@ -1,14 +1,17 @@
 #!/usr/bin/env python3
+import os
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from utils_tests.certs.crypto import create_csr_info, crypto_encode_private_key, crypto_tls_cert_signing_request
 from utils_tests.certs.kms import kms_generate_key_pair, kms_get_kms_key_id
 
 
+homedir = os.path.expanduser("~")
+
+
 def main():  # pylint:disable=too-many-locals
     """
     Create test Certificate Signing Request (CSR) for default Serverless CA environment
-    /tmp location of csr and keys is for test purposes only
-    In production, change location to e.g. /certs with locked down permissions
+    Before using, create a subdirectory `certs` within your home directory
     """
 
     # set variables
@@ -18,8 +21,8 @@ def main():  # pylint:disable=too-many-locals
     state = "England"
     organization = "Serverless Inc"
     organizational_unit = "Security Operations"
-    output_path_cert_key = "/tmp/cert-request-key.pem"
-    output_path_csr = "/tmp/cert-request.csr"
+    output_path_cert_key = f"{homedir}/certs/cert-request-key.pem"
+    output_path_csr = f"{homedir}/certs/cert-request.csr"
     key_alias = "serverless-tls-keygen-dev"
 
     # create key pair using symmetric KMS key to provide entropy
@@ -44,7 +47,7 @@ def main():  # pylint:disable=too-many-locals
     if output_path_cert_key:
         with open(output_path_cert_key, "w", encoding="utf-8") as f:
             f.write(key_data.decode("utf-8"))
-            print(f"Private key written to {output_path_cert_key}, this should now be moved to a safe location")
+            print(f"Private key written to {output_path_cert_key}")
 
 
 if __name__ == "__main__":