⁉️ Usage

🐳 Docker image

To get CertBob, use the following Docker image:

harbor.confirm.ch/certbob/certbob

🔌 Integrations

OIDC

With OpenID Connect, CertBob allows users to authenticate via an existing OIDC identity provider (SSO).

See also

To configure OIDC, set the following variables:

Local authentication

CertBob also allows for an interactive authentication of local users.

See also

To configure local users / authentication, set the LOCAL_USERS variable.

Hint

If possible, always prefer OIDC (or another external authentication mechanism) over local users.

Mattermost

Mattermost provides custom slash commands, which CertBob leverages to issue new certificates.

With this integration, Mattermost users (i.e. employees) who are already authenticated can easily obtain new certificates without an additional external authentication step.

See also

To configure Mattermost, set the MATTERMOST_TOKEN variable.

Note

The CertBob & Mattermost communication works like this:

@startuml
!theme blueprint
actor User

==Entrypoint==
||50||

User -> Mattermost : **Chat input**\nEnters ""/cert download""

||50||
==Request issue link==
||50||

Mattermost -> CertBob : **HTTP request**\n""POST /request""\n""token: <secret Mattermost token>""

note over CertBob
    1. Validates the ""Mattermost token""
    2. Creates a new short-lived ""JWT token""
    3. Creates a new ""/issue?token=<JWT token>"" link
end note

CertBob -> Mattermost : **HTTP response**\n""go to /issue?token=<JWT token>""

Mattermost -> User : **Action**\nInstructs client to go to ""/issue?token=<JWT token>""

||50||
==Issue certificate==
||50||

User -> CertBob : **HTTP request**\n""GET /issue?token=<JWT token>""

note over CertBob
    1. Validates the ""JWT token""
    2. Creates a new certificate and private key
end note

CertBob -> CA: **Request**\nSend certificate to CA\nProvides «provisioner password»

note over CA
    1. Validates «provisioner password»
    2. Signs certificate
end note

CA -> CertBob: **Response**\nCertificate signed by CA

note over CertBob
    Convert certificate & key to PKCS12 (""pfx"")
end note

CertBob -> User: **HTTP response**\nProvides ""user_cert.pfx""
@enduml
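The two CertBob endpoints in the diagram above, written out as an added example (this is illustrative code, not CertBob's own implementation). It shows the security-relevant checks of the flow: the ``/request`` handler compares the slash-command token against MATTERMOST_TOKEN in constant time before minting a short-lived HS256 JWT, and the ``/issue`` handler accepts only a JWT with a pinned algorithm, a valid signature and an unexpired ``exp`` claim. The token lifetime, the signing-key variable and the certificate/CA step are assumptions; the page does not state them, so the CA call is left as a comment.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for this example. CertBob reads the Mattermost token from
# MATTERMOST_TOKEN; the JWT signing key and lifetime are assumed here.
MATTERMOST_TOKEN = "constructed-slash-command-token-0123456789"
JWT_SIGNING_KEY = secrets.token_bytes(32)   # assumed: server-side secret, never sent to clients
JWT_TTL_SECONDS = 120                        # assumed "short-lived" value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(subject: str, now: Optional[float] = None) -> str:
    """Mint the short-lived HS256 JWT that is embedded in the /issue link."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "iat": int(now),
        "exp": int(now) + JWT_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # unique id per link
    }
    compact = json.dumps(header, separators=(",", ":")).encode()
    signing_input = _b64url(compact) + "." + _b64url(
        json.dumps(payload, separators=(",", ":")).encode()
    )
    sig = hmac.new(JWT_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is well-formed, correctly signed and
    not expired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        # Pin the algorithm so a token claiming "alg":"none" is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            JWT_SIGNING_KEY, (head_b64 + "." + body_b64).encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:  # covers bad base64, bad JSON, wrong number of parts
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def handle_request(form: dict) -> dict:
    """POST /request: called by the Mattermost slash command.
    Mattermost sends the command token in the form field "token"."""
    # 1. Validate the Mattermost token (constant-time comparison).
    if not hmac.compare_digest(form.get("token", ""), MATTERMOST_TOKEN):
        return {"status": 403, "text": "invalid Mattermost token"}
    # 2./3. Create a short-lived JWT and the /issue link.
    jwt = create_jwt(subject=form.get("user_name", "unknown"))
    return {"status": 200, "text": "go to /issue?token=" + jwt}


def handle_issue(query: dict) -> dict:
    """GET /issue?token=<JWT>: opened by the user's client."""
    # 1. Validate the JWT.
    payload = verify_jwt(query.get("token", ""))
    if payload is None:
        return {"status": 401, "body": "invalid or expired token"}
    # 2. Create key + certificate, have the CA sign it using the provisioner
    #    password, and convert to PKCS12. Omitted: the page does not specify
    #    the CA API, so only the resulting file name is returned here.
    return {"status": 200, "body": "user_cert.pfx for " + payload["sub"]}


if __name__ == "__main__":
    resp = handle_request({"token": MATTERMOST_TOKEN, "user_name": "alice"})
    link_token = resp["text"].split("token=", 1)[1]
    print(handle_issue({"token": link_token}))
```

Because the JWT carries its own expiry and signature, CertBob needs no server-side session between the two requests; the only shared secrets are the Mattermost token (verified on ``/request``) and the signing key (verified on ``/issue``).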