| commit | c5f65f94cd903cc16bba58964863229eb35ec41c | [log] [tgz] |
|---|---|---|
| author | Carl Lundin <108372512+clundin25@users.noreply.github.com> | Wed Sep 28 23:03:15 2022 +0000 |
| committer | GitHub <noreply@github.com> | Wed Sep 28 16:03:15 2022 -0700 |
| tree | 26607aaea8d3ebf96ab4f6f98041ed7ec5e149f5 | |
| parent | 962b643d6377bb5ab8678e062c100b9d23f53ba9 [diff] |
docs: Update the README to the latest ECP config schema. (#38)
Google Enterprise Certificate Proxies (ECP) are part of the Google Cloud Zero Trust architecture that enables mutual authentication with client-side certificates. This repository contains a set of proxies/modules that can be used by clients or toolings to interact with certificates that are stored in protected key storage systems.
To interact the client certificates, application code should not need to use most of these proxies within this repository directly. Instead, the application should leverage the clients and toolings provided by Google such as Cloud SDK to have a more convenient developer experience.
Currently ECP is in Preview stage and all the APIs and configurations are subject to change.
The following platforms/keystores are supported by ECP:
Before using ECP with your application/client, you should follow the instructions here to configure your enterprise certificate policies with Access Context Manager.
Install Openssl brew install openssl@1.1
Install gcloud CLI (Cloud SDK) at: https://cloud.google.com/sdk/docs/install
Download the ECP binary based on your OS from the latest Github release.
Unzip the downloaded zip and move all the binaries into the following directory:
%AppData%/gcloud/enterprise_cert.~/.config/gcloud/enterprise_cert.If using gcloud’s bundled Python, skip to the next step. If not, install pyopenssl==22.0.0 and cryptography==36.0.2
Create a new JSON file at .config/gcloud/certificate_config.json.
$ gcloud config set context_aware/enterprise_certificate_config_file_path "<json file path>".GOOGLE_API_CERTIFICATE_CONFIG environment variable.Update the certificate_config.json file with details about the certificate (See Configuration section for details.)
Enable usage of client certificates through gcloud CLI config command:
gcloud config set context_aware/use_client_certificate true
ECP relies on the certificate_config.json file to read all the metadata information of locating the certificate. The contents of this JSON file looks like the following:
{ "cert_configs": { "macos_keychain": { "issuer": "YOUR_CERT_ISSUER", }, }, "libs": { "ecp": "~/.config/gcloud/enterprise_cert/ecp", "ecp_client": "~/.config/gcloud/enterprise_cert/libecp.dylib", "tls_offload": "~/.config/gcloud/enterprise_cert/libtls_offload.dylib", }, "version": 1, }
{ "cert_configs": { "windows_my_store": { "store": "MY", "provider": "current_user", "issuer": "YOUR_CERT_ISSUER", }, }, "libs": { "ecp": "%AppData%/gcloud/enterprise_cert/ecp.exe", "ecp_client": "%AppData%/gcloud/enterprise_cert/libecp.dll", "tls_offload": "%AppData%/gcloud/enterprise_cert/libtls_offload.dll", }, "version": 1, }
{ "cert_configs": { "pkcs11": { "label": "YOUR_TOKEN_LABEL", "user_pin": "YOUR_PIN", "slot": "YOUR_SLOT", "module": "The PKCS #11 module library file path", }, }, "libs": { "ecp": "~/.config/gcloud/enterprise_cert/ecp", "ecp_client": "~/.config/gcloud/enterprise_cert/libecp.so", "tls_offload": "~/.config/gcloud/enterprise_cert/libtls_offload.so", }, "version": 1, }
For amd64 MacOS, run ./build/scripts/darwin_amd64.sh. The binaries will be placed in build/bin/darwin_amd64 folder.
For amd64 Linux, run ./build/scripts/linux_amd64.sh. The binaries will be placed in build/bin/linux_amd64 folder.
For amd64 Windows, in powershell terminal, run powershell.exe .\build\scripts\windows_amd64.sh. The binaries will be placed in build\bin\windows_amd64 folder.
Contributions to this library are always welcome and highly encouraged. See the CONTRIBUTING documentation for more information on how to get started.
Apache - See LICENSE for more information.