square / keywhiz

A system for distributing and managing secrets
https://square.github.io/keywhiz/
Apache License 2.0

How to make an initial automation request? #131

Closed xaviershay closed 9 years ago

xaviershay commented 9 years ago

I would like to use the automation endpoints.

The documentation suggests that "The automation API requires a client certificate and automationAllowed=true in the clients DB table." ... but how do I set this up?

From poking around I think if I send a POST to /automation/clients with my client cert it should just work. But how do I make this initial client cert? There are various .p12 and .crt files in the core checkout, but it seems to be missing a .key file to make into a CA pem that I can use to sign a new client cert. I tried converting the .p12 to a .pem on the off chance that made sense, but it didn't work.

Trying to regenerate key material (which would give me all the private/public keys), I run into this error in the https://github.com/square/keywhiz/wiki/Development-and-test-key-material#create-a-server-certificate step

> openssl pkcs12 -aes128 -in out/localhost.crt -inkey out/localhost.key-export -out out/localhost.p12
81214:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:1341:
81214:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:385:Type=PKCS12

So now I'm knee deep in cert things and pretty sure I shouldn't be here :) What did I miss?

alokmenghrajani commented 9 years ago

I'm unsure if the default CA we included contains a private key.

The following keystore should work: keytool -list -keystore ./server/src/test/resources/clients/client.p12 -storetype PKCS12 -storepass ponies outputs PrivateKeyEntry.

If you want to see the key and cert, you can do: openssl pkcs12 -in <keystore.p12> -out cert.pem; openssl x509 -text -in cert.pem.

The default db seed command sets the automation flag to true for this cert (https://github.com/square/keywhiz/blob/master/server/src/main/java/keywhiz/commands/DbSeedCommand.java#L116). It is possible that I got "client" vs "CN=client" wrong in the DbSeed code.

xaviershay commented 9 years ago

This worked for me, turns out curl accepts p12!

curl -k https://localhost:4444/automation/secrets --cert ./server/src/test/resources/clients/client.p12:ponies

alokmenghrajani commented 9 years ago

I'm going to update https://github.com/square/keywhiz/wiki/Development-and-test-key-material#create-a-server-certificate to be: openssl pkcs12 -export -in out/localhost.crt -inkey out/localhost.key -out out/localhost.p12.
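As an added example (not code from the Keywhiz project or from either participant), a small shell helper that ties the thread together: it builds the PKCS#12 with the corrected -export form from the last comment, checks that the keystore really holds a private key (keytool's PrivateKeyEntry), reports the certificate's CN to compare against the seeded clients table, and issues the request the way the curl one-liner above does. The file names, the export password, and the server CA certificate used for verification are assumptions.

```shell
#!/bin/sh
# Added example, not Keywhiz's own tooling. Assumed inputs: client.crt and
# client.key in PEM, an export password, and the server's CA certificate.
set -eu

# Bundle cert + key into PKCS#12. "-export" is what the failing command in
# the first post lacked: without it, openssl tries to *parse* the input as
# PKCS#12 and fails with the "wrong tag ... Type=PKCS12" ASN.1 error.
make_client_p12() {
  crt=$1; key=$2; out=$3; pass=$4
  openssl pkcs12 -export -in "$crt" -inkey "$key" -out "$out" -passout "pass:$pass"
}

# True if the keystore holds a private key (what keytool reports as
# PrivateKeyEntry). A cert-only bundle cannot complete the TLS client handshake.
p12_has_private_key() {
  p12=$1; pass=$2
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Print the CN of the client certificate in the keystore. The seeded
# automationAllowed flag is keyed by client name, so this is the value to
# compare with the clients table ("client" vs "CN=client").
p12_client_cn() {
  p12=$1; pass=$2
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Pre-flight check before the first automation request: fail loudly on a
# keystore without a key or client cert, otherwise print the client name.
check_client_keystore() {
  p12=$1; pass=$2
  p12_has_private_key "$p12" "$pass" || { echo "no private key in $p12" >&2; return 1; }
  cn=$(p12_client_cn "$p12" "$pass")
  [ -n "$cn" ] || { echo "no client certificate in $p12" >&2; return 1; }
  echo "$cn"
}

# The request from the thread, with the server verified against its CA
# instead of -k (which skips verification and is only fit for a throwaway
# dev server). curl takes PKCS#12 directly as "file:password".
automation_get() {
  base=$1; path=$2; p12=$3; pass=$4; ca=$5
  curl -sS --cacert "$ca" --cert "$p12:$pass" "$base$path"
}
```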