Netflix / lemur

Repository for the Lemur Certificate Manager
Apache License 2.0

Questions around functionality of lemur #1218

Open k-s-dean opened 6 years ago

k-s-dean commented 6 years ago

Hi,

Could someone help me understand some of the functionality that Lemur provides?

  1. How does Lemur store private keys? Are the keys stored in the Postgres database encrypted?

  2. Currently I do not see a way to be able to import a root CA and its key into Lemur. Is this possible at all?

  3. For issuer plugins, is Lemur able to poll the certificate store and load existing CAs and certificates?

I have a number of use cases for Lemur, but currently I'm scratching my head trying to figure out how to use my existing PKI certificates with Lemur. Ideally I would like to use Vault as the certificate store and generator and use Lemur as the front end for managing certificates and notifying me when certificates have expired.

Kind Regards

kevgliss commented 6 years ago

Howdy,

  1. Yes, Lemur stores private keys in the Postgres database encrypted.

  2. Lemur is not a CA itself; instead it relies on issuer plugins to reach out to third-party CAs.

  2a. Lemur does have a cryptography issuer plugin that can issue certificates, but this is not intended for production use.

  3. Lemur can pull or sync certificates from third-party sources.

Hope this helps.

k-s-dean commented 6 years ago

Cheers for getting back to me,

So on question 2 you have stated that this is not meant for production use. Is this the plugin or Lemur itself? Is this meant purely for dev teams to create and issue certificates?

See, I was looking to leverage Lemur as a web UI using HashiCorp Vault as the source/issuer/PKI backend, having Lemur pull in (set the root CA in Vault) or post the required root certificates to Vault (preferably through Lemur's certificate authority tab) using its APIs, then perhaps having a utility such as vaultbot do the heavy lifting of automating certificate renewals, as currently there aren't very many certificate management systems around. Which means that you're stuck with sticking certificate expiry dates inside Office 365 calendars, which is useless from a management perspective, making you manage the certificate regeneration and placement process manually. I'm not aware of any paid products either that provide the same sort of management philosophy that Lemur does.

Kind Regards

kevgliss commented 6 years ago

We use Lemur every day in production and have for the last several years. The reason I say that the cryptography plugin isn't for production use is that Lemur typically assumes that root CA keys would be stored separately from certificates.

That being said depending on your risk tolerance there is nothing functionally wrong with using Lemur as a root ca.

Your approach with vault and vaultbot seems reasonable and should work. I'm not sure on the details but Lemur should be able to help facilitate not only the issuance of certs from vault but also deploying to vault as well.

k-s-dean commented 6 years ago

Ok, cool that clears up a few questions I had.

In terms of the CA key, I'm looking to store these printed out in a safe once I have generated intermediates that will act as CAs, so I need a method of getting these intermediates into Lemur and have Lemur post them to Vault. But currently I don't see how I go about doing this in the UI, as there is not an import button on the authorities tab. If I import the CA into the certificates tab, will Lemur pick up the attribute CA:True from the certificate and set up the intermediate as an authority?

Or would I have to modify Lemur to have an import button on the authority tab, then modify the lemur_vault plugin to post this to Vault?

Or would I have to modify the lemur_vault plugin to become a source plugin, allowing Lemur to fetch the certificates from Vault?

Kind Regards,

kevgliss commented 6 years ago

Hmm, you're correct that there is no way in the UI to import an intermediate. You could import them directly into the DB or perhaps create a CLI function to help you.

The function would need to call: https://github.com/Netflix/lemur/blob/master/lemur/authorities/service.py#L91

and look similar to: https://github.com/Netflix/lemur/blob/master/lemur/certificates/cli.py#L261

To add the command to the lemur command, modify: https://github.com/Netflix/lemur/blob/master/lemur/manage.py#L537
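Whichever route is taken (a CLI command that calls the authorities service, or a direct DB import), the import step should not trust a PEM file just because it has CA:True in it. The following is an added example, not code from Lemur or from anyone in this thread: the pre-import checks such a command could run on an intermediate bundle (certificate, private key, and the root it claims to chain to) before handing the PEMs to Lemur or Vault. It assumes only the `cryptography` package, and the root/intermediate/leaf certificates it validates are constructed throwaway fixtures generated inside the script, so it runs offline; the `validate_intermediate` and `rejection_reason` names are this example's own, not Lemur API.

```python
# Added example: guard checks before registering an intermediate as an authority.
# Not Lemur code; assumes only the `cryptography` package. Fixtures are constructed.
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def _spki(pub):
    # DER SubjectPublicKeyInfo: lets us compare keys regardless of key type.
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def _validity(cert):
    # cryptography >= 42 has tz-aware *_utc properties; older versions return naive UTC.
    nvb = getattr(cert, "not_valid_before_utc", None)
    if nvb is not None:
        return nvb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def _verify_issued_by(issuer_pub, cert):
    # A matching issuer name is not proof: verify the signature over the TBS bytes.
    try:
        if isinstance(issuer_pub, ec.EllipticCurvePublicKey):
            issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              ec.ECDSA(cert.signature_hash_algorithm))
        elif isinstance(issuer_pub, rsa.RSAPublicKey):
            issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              padding.PKCS1v15(), cert.signature_hash_algorithm)
        else:
            raise ValueError("unsupported issuer key type %s" % type(issuer_pub).__name__)
    except InvalidSignature:
        raise ValueError("certificate was not signed by the supplied root")


def validate_intermediate(cert_pem, key_pem, root_pem, now=None):
    """Return a summary dict if the bundle is safe to register as an authority.

    Raises ValueError on the first failed check.
    """
    cert = x509.load_pem_x509_certificate(cert_pem)
    root = x509.load_pem_x509_certificate(root_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)

    # 1. Must be a CA certificate (BasicConstraints CA:TRUE), not just "look like" one.
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        raise ValueError("no BasicConstraints extension: not a CA certificate")
    if not bc.ca:
        raise ValueError("BasicConstraints CA:FALSE: this is an end-entity certificate")
    # 2. Must be permitted to sign certificates.
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        raise ValueError("no KeyUsage extension")
    if not ku.key_cert_sign:
        raise ValueError("KeyUsage lacks keyCertSign")
    # 3. The private key being imported must belong to this certificate.
    if _spki(key.public_key()) != _spki(cert.public_key()):
        raise ValueError("private key does not match the certificate's public key")
    # 4. Must chain to the supplied root: name match and a valid signature.
    if cert.issuer != root.subject:
        raise ValueError("issuer %s does not match root subject %s"
                         % (cert.issuer.rfc4514_string(), root.subject.rfc4514_string()))
    _verify_issued_by(root.public_key(), cert)
    # 5. Must be within its validity period right now.
    now = now or dt.datetime.now(dt.timezone.utc)
    nvb, nva = _validity(cert)
    if not nvb <= now <= nva:
        raise ValueError("certificate is outside its validity period")
    return {"subject": cert.subject.rfc4514_string(), "issuer": cert.issuer.rfc4514_string(),
            "path_length": bc.path_length, "sha256": cert.fingerprint(hashes.SHA256()).hex()}


def rejection_reason(cert_pem, key_pem, root_pem):
    """The reason a bundle would be rejected, or None if it passes every check."""
    try:
        validate_intermediate(cert_pem, key_pem, root_pem)
    except ValueError as exc:
        return str(exc)
    return None


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(subject_cn, pub, issuer_cn, issuer_key, ca, path_length=None):
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                                         key_encipherment=False, data_encipherment=False,
                                         key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                                         encipher_only=False, decipher_only=False), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_fixtures():
    """Constructed throwaway PKI (root -> intermediate -> leaf) plus an impostor root."""
    root_key, int_key, leaf_key, evil_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = _make_cert("Example Root", root_key.public_key(), "Example Root", root_key, True, 1)
    inter = _make_cert("Example Intermediate", int_key.public_key(), "Example Root", root_key, True, 0)
    leaf = _make_cert("app.example.internal", leaf_key.public_key(), "Example Intermediate", int_key, False)
    evil = _make_cert("Example Root", evil_key.public_key(), "Example Root", evil_key, True, 1)  # same name, other key
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    key_pem = lambda k: k.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                        serialization.NoEncryption())
    return {"root_pem": pem(root), "int_pem": pem(inter), "int_key_pem": key_pem(int_key),
            "leaf_pem": pem(leaf), "leaf_key_pem": key_pem(leaf_key), "impostor_root_pem": pem(evil)}


if __name__ == "__main__":
    f = build_fixtures()
    print("intermediate:", validate_intermediate(f["int_pem"], f["int_key_pem"], f["root_pem"]))
    print("leaf as authority:", rejection_reason(f["leaf_pem"], f["leaf_key_pem"], f["root_pem"]))
    print("wrong key:", rejection_reason(f["int_pem"], f["leaf_key_pem"], f["root_pem"]))
    print("impostor root:", rejection_reason(f["int_pem"], f["int_key_pem"], f["impostor_root_pem"]))
```

The checks are ordered so that the cheap structural ones (CA:TRUE, keyCertSign) fail first and the key-to-certificate and signature checks come before anything is written anywhere; the impostor-root case is the reason the signature is verified rather than only comparing issuer and subject names. On a real import the PEMs returned by a passing check would then be passed to whatever Lemur service call or Vault write the command uses.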