This repository is part of the commercial open source project CZERTAINLY. You can find more information about the project at CZERTAINLY repository, including the contribution guide.
Core provides the basic functionality for the CZERTAINLY platform. It implements the logic for the certificate lifecycle management and handles all related tasks. You can think about it as a brain of the CZERTAINLY platform.
There are 2 types of communication that the Core is responsible for:
- client requesting management operations on top of certificates
Connectorthat provides with the functionality for specific technologies
Core is performing consistent operation on top of the certificates. The management of certificates is abstracted through CZERTAINLY objects, for example:
| Object | Short description |
|---|---|
Connector |
Provides with the functionality for specific technologies (defined by Function Group and supported Kinds) |
Credential |
Credential of various types to be used by Connectors and other objects |
Authority |
Representing certification authority access |
RA Profile |
Configuration of the service for certificate lifecycle management (abstraction of Attributes for specific certificate type, including available APIs) |
Discovery |
Schedule discovery process for searching of certificates in various sources |
Certificate |
Certificate consisting of Attributes and related metadata |
Entity |
Represents the entity that is can use the certificates |
Location |
Location on the Entity where is certificate stored |
Group |
Grouping of different certificates based on different requirements |
Compliance Profile |
Matching rules for the certificate to assess compliance |
RA profile is one of the main concepts of the Core. RA profile represents the certificate management service containing all specific Attributes and configuration you need for specific Certificate and use-case, which may be for example web server certificate, authentication certificates, etc.
Each Certificate type and use-case may have its own technical, business, and compliance requirements. RA profile is the abstraction of these requirements.
The relation between RA profile and other objects may be defined according the following scheme:
Authority----------------\
\
Certificate attributes----\\ /----certificate
\\ /
Compliance profile---------\\\ //-----certificate
RA profile
Approval profile-----------/// \\-----certificate
// \
Interfaces----------------// \----certificate
/
Authorization------------/
For more information, refer to the CZERTAINLY documentation.
Certificate inventory contains all Certificates that were discovered or were imported to the platform. Each Certificate provides comprehensive and consistent information which can be managed.
The following basic lifecycle operations are supported for each Certificate:
- issue
- renew
- revoke
Operations can be automated by the Core, but also can be performed manually by the user.
Certificate has relations to other objects that helps with the management and automation of the Certificate lifecycle:
Location----------\
\
Group--------------\\
certificate-------RA profile
Discovery----------//
/
Owner-------------/
For more information, refer to the CZERTAINLY documentation.
Core support the following protocols for certificate management:
- ACME
Core is provided as a Docker container. Use the 3keycompany/czertainly-core:tagname to pull the required image from the repository. It can be configured using the following environment variables:
| Variable | Description | Required | Default value |
|---|---|---|---|
JDBC_URL |
JDBC URL for database access | Yes | N/A |
JDBC_USERNAME |
Username to access the database | Yes | N/A |
JDBC_PASSWORD |
Password to access the database | Yes | N/A |
DB_SCHEMA |
Database schema to use | No | ejbca |
PORT |
Port where the service is exposed | No | 8080 |
HEADER_NAME |
Name of the header where the certificate of the client can be found | No | X-APP-CERTIFICATE |
HEADER_ENABLED |
True if the certificate should be get from the header | Yes | N/A |
TS_PASSWORD |
Password for the trusted certificate store | Yes | Any |
You may need to configure proxy to allow Core to communicate with external systems.
To enable proxy, use the following environment variables for docker container:
| Variable | Description | Required | Default value |
|---|---|---|---|
HTTP_PROXY |
The proxy URL to use for http connections. Format: <protocol>://<proxy_host>:<proxy_port> or <protocol>://<user>:<password>@<proxy_host>:<proxy_port> |
No | N/A |
HTTPS_PROXY |
The proxy URL to use for https connections. Format: <protocol>://<proxy_host>:<proxy_port> or <protocol>://<user>:<password>@<proxy_host>:<proxy_port> |
No | N/A |
NO_PROXY |
A comma-separated list of host names that shouldn't go through any proxy | No | N/A |
Example values:
HTTP_PROXY=http://user:password@proxy.example.com:3128HTTPS_PROXY=http://user:password@proxy.example.com:3128NO_PROXY=localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,cattle-system.svc,.svc,.cluster.local,my-domain.local
For monitoring and reporting, you can use the information provided by the Core. We strongly recommend trying the Operator UI that is additional component of the CZERTAINLY platform.