cki.cki_tools.refresh_dogtag_certificates
Dogtag certificate manager
This page has an internal companion page which might contain additional information.
Tool to download and refresh Dogtag-based certificates via the following steps:
- download current production certificates from S3 bucket
- retrieve certificates from the Dogtag server
- refresh certificates if needed
- propose revoking certificates (but must be done manually)
- upload updated production certificates to S3 bucket
Usage
Usage: python3 -m cki.cki_tools.refresh_dogtag_certificates
[--dogtag-url DOGTAG_URL]
[--refresh-after INTERVAL]
[--refresh-before INTERVAL]
[--expire-after INTERVAL]
[--expire-before INTERVAL]
[--s3-url S3_URL]
[--download-only FILE]
With --download-only, only download current production certificates from the
S3 bucket from --s3-url and write them to the given file.
Otherwise, after downloading from S3, contact the Dogtag server from
--dogtag-url for all environment variables ending in _PRIVATE_KEY (see
below). If any of --refresh-after or --refresh-before is specified (via e.g. 100 days),
automatically refresh certificates. If any of --expire-after or
--expire-before is specified, print a list of certificates that can be
(manually) revoked. At the end, upload the newest certificates back to the S3
bucket.
Configuration
| Environment variable | Type | Secret | Description |
|---|---|---|---|
CKI_DEPLOYMENT_ENVIRONMENT |
string | no | Only refreshes certificates when set to production |
DOGTAG_URL |
string | no | REST API URL of the Dogtag server |
DOGTAG_S3_URL |
string | no | S3 URL to store certificates like https://endpoint/bucket/file.yml |
*_PRIVATE_KEY |
string | yes | Private key for the certificates |
*_USER |
string | no | User accounts for the certificates |
*_PASSWORD |
string | yes | Passwords for the certificates |