This repository has been archived by the owner on Feb 13, 2019. It is now read-only.

CA authority as part of Simian #47

Open
selfcommit opened this issue Jun 22, 2016 · 6 comments

@selfcommit
Contributor

selfcommit commented Jun 22, 2016

This issue is being presented as an opportunity for the GitHub community to make any further suggestions about implementation before an attempt is made to implement a solution.

Work will start on or about July 13.

Details from the Simian feature request doc are below:

Problem:
A major hurdle to small shops using Simian is establishment of a common CA to sign client certificates. While many shops simply use Puppet, it would be better to include a CA option on the Simian server.

Solution:
Create a solution to perform X509 signing requests.

Constraints:

  • Must run entirely in Python (no local OpenSSL lib available on App Engine)

@selfcommit
Contributor Author

After looking a bit, I've found cryptography.io

This looks like a promising library. I'll take a swing at implementing with this.

@selfcommit
Contributor Author

@maximermilov Would a custom runtime be an option?

https://github.com/googlearchive/appengine-vm-fortunespeak-python

I might be able to break it into a separate module for this project, or as a standalone project.

@maximermilov
Contributor

> I might be able to break it into a separate module for this project

It's better to have this feature as an optional module or a separate standalone appengine project.

> Would a custom runtime be an option?

Yes, for a separate module.

@nathanperkins

Is using something like Let's Encrypt possible? I'm attempting to make the modifications myself, but I'm not the best at this.

@selfcommit
Contributor Author

Hi Nathan,
That's an interesting thought. It might be easy enough to optionally collect the information needed for admins that want to use Let's Encrypt. I'll add it to the list of ideas when I start looking at this next week.

@nathanperkins

Sorry, I misunderstood this issue. Let's Encrypt is mostly designed for adding SSL to public HTTPS hosts and probably won't even work if the clients aren't publicly accessible on a domain name.
