search

cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License
8.68k stars 1.1k forks source link

[Feature Request] Allow loading signing config from environment variable #1376

Open ngarside opened 5 months ago

ngarside commented 5 months ago

I'm using CFSSL inside a docker container to sign leaf certificates. The container is configured with a CA, and provides a web API which uses CFSSL to sign CSRs.

The signed certificates inherit the not before/after dates from the CA. Currently this requires that the container write a config JSON file to disk on startup which contains the CA's not before/after dates.

{
    "signing": {
        "default": {
            "not_before": "...",
            "expiry": "..."
        }
    }
}

Which is then used in CFSSL like so:

cfssl sign -ca env:CA -ca-key env:CA_KEY -config /path/to/config.json -hostname example.com -

To improve container security I'd ideally like to run it atop a readonly filesystem, but writing the config file to disk prevents this.

Would it be possible to allow CFSSL to read the config file from an environment variable, similar to what is allowed for the -ca parameter?

cfssl sign -ca env:CA -ca-key env:CA_KEY -config env:CONFIG_JSON -hostname example.com -

Or indeed any other method of setting the configuration values without writing to disk would work.

Thanks, Nathan