Hi guys!
I am trying to find a very secure way to autosign CSRs. I can think of a couple of ways to do it, but the way that I guess will work for us is:
- embed a pre-shared password in our AWS AMIs and Puppet Master; based on that we create a TOTP on the agent and put it in the CSR, and when the agent sends the CSR, the Puppet Master, which has the same pre-shared password, can confirm the TOTP and sign the certificate.
Since our instances are in multiple accounts, there is no way we can check things like instance_id to sign the certs.
If you have any idea, please share it with me.
I also found this solution, but I don't know how I can implement it in an AWS environment.
Inject the TOTP password into the VM image:
    require 'rotp'
    # Image-build step: derive a TOTP from the shared secret and bake it into
    # csr_attributes.yaml so the agent's first CSR carries it as pp_preshared_key
    run("setup one time password") {
      totp = ROTP::TOTP.new(config[:otp_secret], :interval => 120)
      onetime = totp.now
      open("#{spec[:temp_dir]}/etc/puppet/csr_attributes.yaml", 'w') { |f|
        f.puts <<~YAML
          extension_requests:
            pp_preshared_key: #{onetime}
        YAML
      }
    }
Place the following in puppet.conf:
    autosign = /usr/bin/autosign.rb
and place the following code in /usr/bin/autosign.rb:
    #!/usr/bin/env ruby
    require 'openssl'
    require 'rotp'
    # Puppet passes the certname as ARGV[0] and the PEM-encoded CSR on stdin
    cert = OpenSSL::X509::Request.new($stdin.read)
    onetime = nil
    cert.attributes.each do |a|
      onetime = a.value.value[0].value[0].value[1].value
    end
    totp = ROTP::TOTP.new('SECRET_KEY', :interval => 120)
    verify = totp.verify_with_drift(onetime, 120)
    # exit status 0 tells Puppet to sign, anything else rejects the request
    exit(verify ? 0 : 1)
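The exchange described above (agent derives a TOTP from the shared secret, puts it in the CSR as pp_preshared_key, master extracts and verifies it), as an added, self-contained example that is not part of the original post. It implements RFC 6238 TOTP on the Ruby stdlib instead of the rotp gem, uses a constructed base32 secret, Puppet's registered OID for pp_preshared_key (1.3.6.1.4.1.34380.1.1.4), and the function names and hostname are assumptions made for the example. It also runs the master-side check against a CSR whose code was generated ten minutes earlier, which is what happens when the TOTP is computed at AMI build time rather than at boot.

```ruby
require 'openssl'
require 'yaml'

# Puppet's registered OID for the pp_preshared_key extension request
PP_PRESHARED_KEY_OID = '1.3.6.1.4.1.34380.1.1.4'
STEP = 120                          # TOTP step in seconds, matching :interval => 120
SHARED_SECRET = 'JBSWY3DPEHPK3PXP'  # constructed example secret, not a real key

# --- minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits) on the stdlib, no rotp gem needed ---
def base32_decode(str)
  alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
  bits = str.upcase.delete('=').each_char.map { |c| alphabet.index(c).to_s(2).rjust(5, '0') }.join
  bits = bits[0, bits.size - bits.size % 8]   # drop padding bits that do not form a byte
  [bits].pack('B*')
end

def hotp(secret_bytes, counter, digits = 6)
  hmac = OpenSSL::HMAC.digest('sha1', secret_bytes, [counter].pack('Q>'))
  offset = hmac.bytes.last & 0x0f
  code = (hmac.byteslice(offset, 4).unpack1('N') & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, '0')
end

def totp(secret_b32, at, step = STEP)
  hotp(base32_decode(secret_b32), at.to_i / step)
end

# Constant-time comparison so the verifier does not leak the code byte by byte
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the current step plus one step of drift either side (like verify_with_drift)
def totp_valid?(secret_b32, code, at, step = STEP, drift_steps = 1)
  (-drift_steps..drift_steps).any? { |d| secure_equal?(totp(secret_b32, at.to_i + d * step, step), code) }
end

# --- agent side: csr_attributes.yaml content and a CSR carrying the code ---
def csr_attributes_yaml(code)
  { 'extension_requests' => { 'pp_preshared_key' => code } }.to_yaml
end

def build_csr(certname, code, key)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key.public_key
  # extension request value is a DER UTF8String holding the one-time code
  ext = OpenSSL::X509::Extension.new(PP_PRESHARED_KEY_OID, OpenSSL::ASN1::UTF8String.new(code).to_der)
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([ext])])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

# --- master side: what a policy autosign script would do with the CSR on stdin ---
def preshared_key_from_csr(pem)
  req = OpenSSL::X509::Request.new(pem)
  raise 'CSR self-signature invalid' unless req.verify(req.public_key)
  req.attributes.each do |attr|
    next unless attr.oid == 'extReq'
    attr.value.value[0].value.each do |ext|       # Set -> Sequence of Extension
      oid, octets = ext.value[0], ext.value[-1]   # [ObjectId, (critical), OctetString]
      return OpenSSL::ASN1.decode(octets.value).value if oid.oid == PP_PRESHARED_KEY_OID
    end
  end
  nil
end

def autosign?(pem, secret_b32, now = Time.now)
  code = preshared_key_from_csr(pem)
  !code.nil? && totp_valid?(secret_b32, code, now)
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  key = OpenSSL::PKey::RSA.new(2048)
  code = totp(SHARED_SECRET, now)
  puts csr_attributes_yaml(code)
  pem = build_csr('web01.example', code, key)     # hostname is a constructed example
  puts "fresh code accepted:            #{autosign?(pem, SHARED_SECRET, now)}"
  puts "code baked 10 minutes earlier:  #{autosign?(pem, SHARED_SECRET, now + 600)}"
end
```

The last line of the demo is the point to watch when adapting this to AMIs: a code computed when the image is built is only valid for the 120-second step plus drift, so it must be generated on the instance at boot (from the secret present in the image) rather than written into the image itself, and whoever holds the image also holds the secret.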