confiar

command module
v0.3.0
Published: Mar 5, 2022 License: Apache-2.0 Imports: 1 Imported by: 0

README

Confiar

Confiar is a tool to generate and manage self-signed certificates as if they had been issued by a regular certificate authority.

This was built to assist provisioning (virtual) machines in restricted environments.

HEADS UP: You should really consider using real certificates or robust certificate management (such as Vault). If none of those options is available to you, let's make this as painless as possible!

Direction

Goals
  • Reduce friction to manage (self-signed) certificates in restricted environments (partial or no internet access).
Non-goals
  • Replace existing cryptographic tools (e.g. OpenSSL, BoringSSL)
  • Manage REAL certificates (security concerns)
  • To be used in a public environment

Usage

Create a self-signed certificate

The output certificate is self-signed and acts as its own certificate authority. The full set of certificate options is available through confiar generate --help.

❯ confiar generate --fqdn myserver.corp

The command above will generate cert.pem and key.pem in the current working directory. The cert.pem will carry myserver.corp as a DNS entry in its Subject Alternative Name extension. IP addresses can also be specified with the --ip flag. Both --fqdn and --ip accept multiple entries as a comma-separated list. Because the certificate is also its own CA, key.pem must be protected like a CA key: anyone who obtains it can impersonate every listed name to every client that trusts cert.pem.

Install a self-signed certificate

HEADS UP: some targets may require sudo privileges.

While most applications rely on the operating system's trusted certificate authorities, some applications also allow specific certificate authorities to be trusted manually. One example of a supported application is Docker.

❯ confiar install --target docker --from cert.pem

The command above installs the certificate given by --from as a trusted certificate authority for Docker, so that docker pull and docker push against that host work smoothly. Docker requires each such certificate to be placed in a directory named after the registry hostname it is used for; Confiar handles that automatically by parsing the Subject Alternative Name field of the provided certificate. Trust added this way is scoped to those hostnames only and does not touch the operating system's trust store.
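The two commands above, as one worked example in Go that is added here and is not Confiar's own code: GenerateSelfSigned builds the kind of certificate generate produces (SANs plus a CA self-signature), VerifyForHost shows what a client trusting it will accept and reject, and InstallDocker lays the file out under a Docker certs.d directory the way install --target docker describes. The function names, the certsDir parameter and the validity period are assumptions made for this example; the <host>/ca.crt layout under /etc/docker/certs.d is Docker's documented behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// GenerateSelfSigned does what `confiar generate --fqdn ... --ip ...` describes: one
// certificate that is both the server identity (SANs) and its own CA. Because a
// single key signs both roles, key.pem is effectively a CA key (assumed helper).
func GenerateSelfSigned(dnsNames, ips []string, validDays int) (certPEM, keyPEM []byte, err error) {
	if len(dnsNames) == 0 && len(ips) == 0 {
		return nil, nil, errors.New("at least one --fqdn or --ip is required")
	}
	var ipAddrs []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil { return nil, nil, errors.New("invalid IP address in --ip list: " + s) }
		ipAddrs = append(ipAddrs, ip)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil { return nil, nil, err }
	cn := append(append([]string{}, dnsNames...), ips...)[0] // first SAN doubles as CN
	tmpl := x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-5 * time.Minute), // tolerate clock skew
		NotAfter:              time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the certificate is its own CA
		DNSNames:              dnsNames,
		IPAddresses:           ipAddrs,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil { return nil, nil, err }
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// parseCert decodes the first CERTIFICATE block of a PEM file.
func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" { return nil, errors.New("no CERTIFICATE block in PEM input") }
	return x509.ParseCertificate(block.Bytes)
}

// VerifyForHost does what a client does once cert.pem is installed: trust it as a
// root and verify it for host, so a name missing from the SANs is rejected.
func VerifyForHost(certPEM []byte, host string) error {
	cert, err := parseCert(certPEM)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// InstallDocker does what `confiar install --target docker` describes. Docker trusts an
// extra CA only for the registry host whose directory holds it, <certsDir>/<host>/ca.crt,
// with certsDir = /etc/docker/certs.d on a real daemon (hence sudo). Hosts come from the
// SANs, so trust is scoped to exactly those names. A registry on a non-default port needs
// a "<host>:<port>" directory, which SANs cannot express; that is left to the caller.
func InstallDocker(certPEM []byte, certsDir string) ([]string, error) {
	cert, err := parseCert(certPEM)
	if err != nil { return nil, err }
	hosts := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		hosts = append(hosts, ip.String())
	}
	if len(hosts) == 0 { return nil, errors.New("certificate has no SAN entries to derive a registry host from") }
	var written []string
	for _, h := range hosts {
		dir := filepath.Join(certsDir, h)
		if err := os.MkdirAll(dir, 0o755); err != nil { return written, err }
		p := filepath.Join(dir, "ca.crt")
		if err := os.WriteFile(p, certPEM, 0o644); err != nil { return written, err } // cert is public
		written = append(written, p)
	}
	return written, nil
}
```

A caller mirroring the README would write certPEM to cert.pem with mode 0644 and keyPEM to key.pem with mode 0600 (it is the CA key), then call InstallDocker(certPEM, "/etc/docker/certs.d") as root. VerifyForHost with a name that is not in the SANs returns a hostname error, which is the same failure docker pull would report against that host.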

Design principles

Optional dependencies

Confiar currently supports only its own built-in cryptographer for generating certificates, but the interface in place allows substitution; in the future, users will be able to use the --cryptographer flag to select other providers, such as OpenSSL or BoringSSL.

This pattern will persist throughout the development of Confiar: the built-in implementation is always the first supported provider.

Integrates to modern infrastructure

While Confiar aims for zero hard dependencies at runtime, the opposite holds for its output: Confiar aims to integrate with any application, platform or operating system, particularly when installing certificates.

Contributing

For any feature request / proposal, please start with opening issues. Opening PRs without issues / prior discussion is strongly discouraged.

Be excellent to each other!

Towards v1.0.0

The following list will eventually be converted to issues and projects; if you have thoughts before they are converted, feel free to open an issue and discuss!

  • Support --cryptographer variants
    • Required: OpenSSL
    • Optionally: LibreSSL, BoringSSL, cfssl
  • Support --target variants
    • Required: Ubuntu
    • Optionally: Any Linux distribution, maybe macOS
  • Support --from remote (and therefore figure out a way to serve the generated certificate)
