# CSR Proxy
*CSR Proxy is a simple service to sign the clients' CSR via the ACME server.*
[![PyPi version](https://img.shields.io/pypi/v/csr_proxy.svg)](https://pypi.python.org/pypi/csr_proxy/)
![Python Versions](https://img.shields.io/pypi/pyversions/csr_proxy)
[![License](https://img.shields.io/badge/License-BSD_3--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause)
![Build](https://img.shields.io/github/actions/workflow/status/gufolabs/csr_proxy/py-tests.yml?branch=master)
![Sponsors](https://img.shields.io/github/sponsors/gufolabs)
[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets/badge/v0.json)](https://github.com/charliermarsh/ruff)
---
**Documentation**: [https://docs.gufolabs.com/csr_proxy/](https://docs.gufolabs.com/csr_proxy/)
**Source Code**: [https://github.com/gufolabs/csr_proxy/](https://github.com/gufolabs/csr_proxy/)
---
Self-signed certificates are no longer sufficient, which poses challenges in distributing trial and evaluation versions of software with web interfaces. To address this, software publishers typically consider the following options:

1. **Delegate Certificate Signing to the User:**
   - Pros: Gives control to advanced users.
   - Cons: Requires user knowledge of PKI, complex infrastructure, or additional expenses.
2. **Generate a Self-Signed Certificate with mkcert:**
   - Pros: Suitable for developers.
   - Cons: Compromises system security, demands browser reloading, and adds complexity.
3. **Order a Certificate from a Global CA:**
   - Pros: Secure, but expensive.
   - Cons: Violates TLS security principles by exposing the private key.
4. **Use a `localhost.direct` Certificate or Similar Services:**
   - Pros: Similar to the previous approach.
   - Cons: Public exposure of the public key.
5. **Order Separate Certificates for Each User:**
   - Pros: Secure, but time-consuming and costly.
   - Cons: Mutual trust issue; the publisher generates and knows the client's private key.
6. **Generate the Client's Key and Certificate via an ACME Server:**
   - Pros: Less expensive.
   - Cons: Mutual trust issue persists; the publisher generates and knows the client's private key.
7. **Negotiate with the ACME Server from the Client's Site:**
   - Pros: Reliable, but requires additional infrastructure setup.
   - Cons: Suitable for advanced users, not the default choice.
Considering the need for mutual trust and simplicity in software evaluation,
the private key and certificate should be generated on the user's side, and the publisher should never touch the private key.
The publisher also needs to maintain all the infrastructure necessary for certificate signing.
Enter the CSR Proxy.
## CSR Proxy Overview
The CSR Proxy is a straightforward service running on the publisher's side. It:

- Receives the Certificate Signing Request (CSR) from the client.
- Proxies the CSR to the ACME server for signing.
- Handles ACME challenge fulfillment, shielding the end user from the complexity.

The sequence diagram is shown below. The principal parties are:

- **Client**: An entity requesting the certificate signing.
- **CSR Proxy**: The certificate signing service, consisting of two parts:
  - **API**: The client-facing API, performing the ACME interaction on behalf of the client. It also performs DNS provisioning.
  - **DNS**: A PowerDNS service, providing a provisioning interface to the API and serving DNS requests.
- **ACME**: Any RFC 8555-compatible ACME server, such as Let's Encrypt.
``` mermaid
sequenceDiagram
    participant Client
    box CSR Proxy
        participant API
        participant DNS
    end
    participant ACME
    Client->>Client: Generate private RSA key
    Client->>Client: Create CSR
    Client->>API: CSR sign request
    activate API
    API->>ACME: New order
    activate ACME
    ACME->>API: Order authorization
    deactivate ACME
    API->>ACME: Get challenges
    activate ACME
    ACME->>API: Challenges
    deactivate ACME
    API->>DNS: Put _acme-challenge RR
    activate DNS
    DNS->>API: RR is ready
    deactivate DNS
    API->>ACME: Respond dns-01 challenge
    activate ACME
    ACME->>API: Status
    ACME->>DNS: Query _acme-challenge RR
    activate DNS
    DNS->>ACME: _acme-challenge RR
    deactivate DNS
    API->>ACME: Check authorization
    ACME->>API: Authorization status
    API->>ACME: Finalize
    ACME->>API: Order status
    deactivate ACME
    API->>Client: Signed certificate
    deactivate API
```
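The two API-side steps in the diagram that are easy to get wrong are "Put _acme-challenge RR" and "Respond dns-01 challenge": the TXT value published in DNS is not the challenge token itself but a digest of the key authorization derived from the token and the proxy's ACME account key. The following is an added example, not code from the csr_proxy project, that computes those values with the standard library only (RFC 8555 sections 8.1 and 8.4, RFC 7638 thumbprint). It also shows a zone check that a proxy provisioning a single PowerDNS zone should apply before it touches the ACME server: the `names_within_zone` policy, the `EXAMPLE_ACCOUNT_JWK` key (constructed, not a real key), and the `demo.example.com` zone are all assumptions of this example.

```python
"""dns-01 helpers for an ACME-backed CSR proxy (added example, stdlib only)."""
import base64
import hashlib
import json
from typing import Iterable, List

# Constructed account key for the example; the modulus is not a real key.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xjlCmDZ8NAqLu4N7qtVeGXVoUNT3jOkIsDm5Sxsn5c4fEX0ZCOgUdxhyOxSJwTq7",
    "kid": "example-account",  # ignored by the thumbprint, as RFC 7638 requires
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """RFC 7638: only the required members, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the key))."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record the DNS component has to serve."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def names_within_zone(names: Iterable[str], zone: str) -> List[str]:
    """Return the requested names that fall outside `zone` (assumed policy).

    A proxy that can only provision records in one zone must refuse CSRs for
    any other name up front; otherwise it would try, and fail, to complete a
    dns-01 challenge it cannot answer, and it must never be coaxed into
    ordering certificates for names it does not control.
    """
    zone = zone.strip(".").lower()
    rejected = []
    for name in names:
        n = name.strip(".").lower()
        if n.startswith("*."):          # one leading wildcard label is fine for dns-01
            n = n[2:]
        if "*" in n or not (n == zone or n.endswith("." + zone)):
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    # Constructed inputs: a token as the ACME server would hand it out.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    host = "host1.demo.example.com"
    print("zone check:", names_within_zone([host, "*.demo.example.com"], "demo.example.com"))
    print(dns01_record_name(host), "TXT", dns01_txt_value(token, EXAMPLE_ACCOUNT_JWK))
```

The TXT value is what the API writes into PowerDNS and what the ACME server later queries; the key authorization string itself is never published. Changing the account key changes every TXT value, so a proxy that rotates its ACME account must not reuse challenge records across the rotation.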
## On Gufo Stack
This product is a part of [Gufo Stack][Gufo Stack], a collaborative effort
led by [Gufo Labs][Gufo Labs]. Our goal is to create a robust and flexible
set of tools for building network management software and automating
routine administration tasks.
To do this, we extract the key technologies that have proven themselves
in the [NOC][NOC] and release them as separate packages. Then we work on the API,
performance tuning, documentation, and testing. The [NOC][NOC] uses the final result
as external dependencies.
[Gufo Stack][Gufo Stack] makes the [NOC][NOC] better, and this is our primary task. But other products
can benefit from [Gufo Stack][Gufo Stack] too. So we believe that our effort will make
other network management products better.
[Gufo Labs]: https://gufolabs.com/
[Gufo Stack]: https://gufolabs.com/products/gufo-stack/
[NOC]: https://getnoc.com/
Raw data
{
"_id": null,
"home_page": "",
"name": "csr-proxy",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "",
"keywords": "ACME,CSR,Proxy",
"author": "Gufo Labs",
"author_email": "",
"download_url": "https://files.pythonhosted.org/packages/67/12/8abad6f0564354eb35552960e5da0db07805fb6106f949dce5d6d096d71f/csr_proxy-0.1.0.tar.gz",
"platform": null,
"description": "<verbatim copy of the README above, omitted>",
"bugtrack_url": null,
"license": "BSD 3-Clause License",
"summary": "",
"version": "0.1.0",
"project_urls": {
"Bug Tracker": "https://github.com/gufolabs/csr_proxy/issues",
"Changelog": "https://github.com/gufolabs/csr_proxy/blob/master/CHANGELOG.md",
"Documentation": "https://docs.gufolabs.com/csr_proxy/",
"Homepage": "https://github.com/gufolabs/csr_proxy/",
"Source Code": "https://github.com/gufolabs/csr_proxy/"
},
"split_keywords": [
"acme",
"csr",
"proxy"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "e854f0e8e4a619511adfdc7b6c78ae8d07b15242f859dc0007187e99a6bb58e1",
"md5": "6cf78819a911e88a44ca26bcc3b7a5c0",
"sha256": "b487f46f610b91dfd6dad10c330653a1b03585e1a17b8399df11da762118b4e2"
},
"downloads": -1,
"filename": "csr_proxy-0.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "6cf78819a911e88a44ca26bcc3b7a5c0",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 10247,
"upload_time": "2023-11-20T13:42:47",
"upload_time_iso_8601": "2023-11-20T13:42:47.603062Z",
"url": "https://files.pythonhosted.org/packages/e8/54/f0e8e4a619511adfdc7b6c78ae8d07b15242f859dc0007187e99a6bb58e1/csr_proxy-0.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "67128abad6f0564354eb35552960e5da0db07805fb6106f949dce5d6d096d71f",
"md5": "ece536c4ece44fa8850e93d38e3a2c4c",
"sha256": "de21a3efad6e28e07e34e9efb4317fc45af3d737739cd1ba95a24c93ac70c330"
},
"downloads": -1,
"filename": "csr_proxy-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "ece536c4ece44fa8850e93d38e3a2c4c",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 15224,
"upload_time": "2023-11-20T13:42:49",
"upload_time_iso_8601": "2023-11-20T13:42:49.129286Z",
"url": "https://files.pythonhosted.org/packages/67/12/8abad6f0564354eb35552960e5da0db07805fb6106f949dce5d6d096d71f/csr_proxy-0.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-11-20 13:42:49",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "gufolabs",
"github_project": "csr_proxy",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "csr-proxy"
}