Herbert is a simple signing server for cloud environments in which newly created servers need the ability to provision their own certificates, signed by an internal CA. It is intended for use with Ansible in an environment like Google Compute Engine.
A note on naming: I wanted to name this project something related to guarding, and Kerberos came to mind. However, the name Kerberos is already associated with some pretty terrible things in the IT world. A combination of thinking about the name Kerberos and the Haskellism of starting project names with 'H' resulted in the name Herbert.
Herbert provides an HTTP server that receives certificate signing requests. Each signing request is written to acid-state, and every new CSR triggers an email to a configured address. The responsible person(s) then have to approve the signing manually.
The requesting machine can poll Herbert for the status of its request and, once it has been approved and signed, receive the signed certificate.
Herbert can recognize several certificates as administration certificates. The command-line tool herbert-cli, used together with an administrative certificate, can approve or decline a CSR and revoke existing certificates.
Herbert internally uses OpenSSL to process signing requests; the binding library used is HsOpenSSL.
All data is stored in acid-state.
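The OpenSSL steps behind the flow described above, as an added example that is not Herbert's code and does not use its HTTP API or herbert-cli: the requesting machine generates a key and CSR, the server checks the CSR before storing it and emailing the approver, signs it with the internal CA only after approval, and the requester verifies the issued certificate against the CA. It also shows one way to recognize an administration certificate, by comparing its SHA-256 fingerprint against an allowlist. The working directory, subject names, validity periods, pinned extensions and the one-fingerprint-per-line allowlist format are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of Herbert: the OpenSSL operations behind a
# Herbert-style signing flow, run entirely on the local machine.
set -eu

# Assumption: all artifacts live in a scratch directory.
WORK="${WORK:-$(mktemp -d)}"

# Internal CA: self-signed; its private key never leaves the signing server.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Requesting machine: generates its own key and a CSR for it.
# Only the CSR is sent to the signing server; the key stays on the host.
make_csr() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$name" >/dev/null 2>&1
}

# Server side, before the request is stored and the approver is emailed:
# check the CSR's own signature so a corrupted or tampered request is
# rejected up front instead of waiting in the approval queue.
verify_csr() {
  openssl req -in "$WORK/$1.csr" -noout -verify >/dev/null 2>&1
}

# Server side, after a human has approved the request: sign with the
# internal CA. Extensions are pinned here rather than copied from the CSR,
# so a requester cannot ask to become a CA or gain unexpected key usages.
sign_csr() {
  name="$1"
  ext="$WORK/$name.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$ext"
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 90 -sha256 -extfile "$ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Requesting machine, once polling reports the request as signed:
# confirm the received certificate really chains to the internal CA.
verify_issued() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Administration certificate check (assumed scheme): the SHA-256 fingerprint
# of the presented certificate must appear, as a whole line, in an allowlist.
# Matching on the fingerprint binds the decision to the exact certificate,
# not merely to its subject name.
is_admin_cert() {
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  grep -qx "$fp" "$2"
}

main() {
  make_ca
  make_csr web-01        # constructed hostname
  verify_csr web-01      # would happen on receipt of the CSR
  sign_csr web-01        # would happen only after manual approval
  verify_issued web-01   # would happen on the requesting machine
  echo "issued $WORK/web-01.crt, signed by $WORK/ca.crt"
}

main
```

Run it with `sh herbert-flow.sh`; set `WORK` to keep the generated files somewhere other than a temporary directory. The manual approval step sits between `verify_csr` and `sign_csr`, which is exactly the gap Herbert fills with its stored request, email notification and polling.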