crypto: add certificate discovery to automatically import certificates from lets encrypt
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #1835
This commit is contained in:
Jens Langhammer
57
website/docs/core/certificates.md
Normal file
57
website/docs/core/certificates.md
Normal file
@ -0,0 +1,57 @@
|
||||
---
|
||||
title: Certificates
|
||||
---
|
||||
|
||||
Certificates in authentik are used for the following use cases:
|
||||
|
||||
- Signing and verifying SAML Requests and Responses
|
||||
- Signing JSON Web Tokens for OAuth and OIDC
|
||||
- Connecting to remote docker hosts using the Docker integration
|
||||
- Verifying LDAP Servers' certificates
|
||||
- Encrypting outposts's endpoints
|
||||
|
||||
## Default certificate
|
||||
|
||||
Every authentik install generates a self-signed certificate on the first start. The certificate is called *authentik Self-signed Certificate* and is valid for 1 year.
|
||||
|
||||
This certificate is generated to be used as a default for all OAuth2/OIDC providers, as these don't require the certificate to be configured on both sides (the signature of a JWT is validated using the [JWKS](https://auth0.com/docs/security/tokens/json-web-tokens/json-web-key-sets) URL).
|
||||
|
||||
This certificate can also be used for SAML Providers/Sources, just keep in mind that the certificate is only valid for a year. Some SAML applications require the certificate to be valid, so they might need to be rotated regularly.
|
||||
|
||||
For SAML use-cases, you can generate a Certificate thats valid for longer than 1 year, on your own risk.
|
||||
|
||||
## External certificates
|
||||
|
||||
To use externally managed certificates, for example generated with certbot or HashiCorp Vault, you can use the discovery feature.
|
||||
|
||||
The docker-compose installation maps a `certs` directory to `/certs`, you can simply use this as an output directory for certbot.
|
||||
|
||||
For Kubernetes, you can map custom secrets/volumes under `/certs`.
|
||||
|
||||
You can also bind mount single files into the folder, as long as they fall under this naming schema.
|
||||
|
||||
- Files in the root directory will be imported based on their filename.
|
||||
|
||||
`/foo.pem` Will be imported as the keypair `foo`. Based on its content its either imported as certificate or private key.
|
||||
|
||||
Currently, only RSA Keys are supported, so if the file contains `BEGIN RSA PRIVATE KEY` it will imported as private key.
|
||||
|
||||
Otherwise it will be imported as certificate.
|
||||
|
||||
- If the file is called `fullchain.pem` or `privkey.pem` (the output naming of certbot), they will get the name of the parent folder.
|
||||
- Files can be in any arbitrary file structure, and can have extension.
|
||||
|
||||
```
|
||||
certs/
|
||||
├── baz
|
||||
│ └── bar.baz
|
||||
│ ├── fullchain.pem
|
||||
│ └── privkey.key
|
||||
├── foo.bar
|
||||
│ ├── fullchain.pem
|
||||
│ └── privkey.key
|
||||
├── foo.key
|
||||
└── foo.pem
|
||||
```
|
||||
|
||||
Files are checked every 5 minutes, and will trigger an Outpost refresh if the files differ.
|
||||
@ -22,7 +22,12 @@ module.exports = {
|
||||
type: "category",
|
||||
label: "Core Concepts",
|
||||
collapsed: false,
|
||||
items: ["core/terminology", "core/applications", "core/tenants"],
|
||||
items: [
|
||||
"core/terminology",
|
||||
"core/applications",
|
||||
"core/tenants",
|
||||
"core/certificates",
|
||||
],
|
||||
},
|
||||
{
|
||||
type: "category",
|
||||
|
||||
Reference in New Issue
Block a user