bcollet/step-ca-inspector
1
0
Fork 0
Code Issues Pull requests Releases Packages 1 Activity Actions
Database inspector for StepCA
24 commits 1 branch 15 tags 141 KiB
Find a file
Exact
Benjamin Collet 3d82d7e29d
 Cleanup unused variables, imported modules and unnecessary f-strings
2025-11-01 10:52:48 +01:00
step-ca-inspector Cleanup unused variables, imported modules and unnecessary f-strings 2025-11-01 10:52:48 +01:00
.gitignore Initial commit 2025-03-23 18:07:32 +01:00
config.yaml.dist Limit metrics generation for certificate expired for longer than a configurable number of days 2025-10-31 08:46:41 +01:00
Dockerfile Bump Docker python version 2025-04-02 22:32:25 +02:00
LICENSE Add licence file and basic readme 2025-09-13 21:55:48 +02:00
README.md Update README 2025-09-30 08:27:19 +02:00
requirements.txt Add support for YK firmware version check and rework attestation extensions parsing 2025-10-21 07:54:42 +02:00

README.md

StepCA Inspector

StepCA Inspector is a companion app to step-ca that exposes Prometheus metrics about your CA and offer API endpoints to get x509 and SSH certificate data by connecting directly to step-ca's database.

Currently only MariaDB/MySQL is supported, however adding support for PostgreSQL should be easy.

Additionally it can serve as a webhook endpoint for certificate validation. Currently the following validation plugins are available:

  • yubikey_embedded_attestation: validate a Yubikey attestation cross-signature (as added to the certificate signing request by yubico-piv-tool --attestation) and check it against configured pin and touch policies.
  • scep_static: validate a SCEP challenge and certificate signing request data against a static configuration.
  • hashicorp_vault: validate a SCEP challenge and certificate signing request data against data present in a Hashicorp Vault instance.

A CLI client is also available here.

Quick start

cd step-ca-inspector
export STEP_CA_INSPECTOR_LOGLEVEL=DEBUG
export STEP_CA_INSPECTOR_CONFIGURATION=../config.yaml
uvicorn main:app --reload

Prometheus metrics

Prometheus metrics are available at the /metrics endpoint and are refreshed every 15 seconds.

x509 certificates

Common labels

Label Description Example
subject String representation of the certificate subject CN=rns-router.senf.fr
san Comma-separated string representation of Subject Alternative Names DNS:home-virt3-kvm.senf.fr,DNS:home-virt3-kvm.sheep-barb.ts.net
serial Certificate serial number 182912013496377385330799153517025252323
provisioner StepCA provisioner used to request the certificate scep-network
provisioner_type StepCA provisioner type SCEP

Metrics

Metric Type Description
step_ca_x509_certificate_not_before_timestamp_seconds Gauge Certificate not valid before timestamp
step_ca_x509_certificate_not_after_timestamp_seconds Gauge Certificate not valid after timestamp
step_ca_x509_certificate_revoked_at_timestamp_seconds Gauge Certificate revoked at timestamp
step_ca_x509_certificate_status Gauge Certificate status

SSH certificates

Common labels

Label Description Example
key_id SSH key ID benjamin@example.com
principals Comma-separated list of SSH principals bcollet,benjamin@example.com,jumphost-user,console-user,network-admin
serial SSH certificate serial number 10060537534291381716
certificate_type SSH certificate type (Host or User) User

Metrics

Metric Type Description
step_ca_ssh_certificate_not_before_timestamp_seconds Gauge Certificate not valid before timestamp
step_ca_ssh_certificate_not_after_timestamp_seconds Gauge Certificate not valid after timestamp
step_ca_ssh_certificate_revoked_at_timestamp_seconds Gauge Certificate revoked at timestamp
step_ca_ssh_certificate_status Gauge Certificate status

Certificate status

Value Status
1 Revoked
2 Expired
3 Valid

API endpoints

OpenAPI (formerly Swagger) documentation is available at /docs. Alternatively, Redocly documentation is available at /redoc.