cfssl icon indicating copy to clipboard operation
cfssl copied to clipboard
verified publisher icon cloudflare

[Feature Request] Allow loading signing config from environment variable

Open ngarside opened this issue 2 years ago • 0 comments

I'm using CFSSL inside a docker container to sign leaf certificates. The container is configured with a CA, and provides a web API which uses CFSSL to sign CSRs.

The signed certificates inherit the not before/after dates from the CA. Currently this requires that the container write a config JSON file to disk on startup which contains the CA's not before/after dates.

{
	"signing": {
		"default": {
			"not_before": "...",
			"expiry": "..."
		}
	}
}

Which is then used in CFSSL like so:

cfssl sign -ca env:CA -ca-key env:CA_KEY -config /path/to/config.json -hostname example.com -

To improve container security I'd ideally like to run it atop a readonly filesystem, but writing the config file to disk prevents this.

Would it be possible to allow CFSSL to read the config file from an environment variable, similar to what is allowed for the -ca parameter?

cfssl sign -ca env:CA -ca-key env:CA_KEY -config env:CONFIG_JSON -hostname example.com -

Or indeed any other method of setting the configuration values without writing to disk would work.

Thanks, Nathan

ngarside avatar Apr 18 '24 11:04 ngarside