Automated collection of information about the expiration date of certificates in Cryptopro

What will be in the article

  • preparing a script to collect data on the status of certificates

  • building a Docker image with Cryptopro 5 based on Fedora 38

  • loading certificates into container

Preparing a script to collect data on the status of certificates

The main problem for the employees of the organization for which I did this modification was that they had at their disposal a large number of certificates used to sign and encrypt files. Certificates, of course, had varying expiration dates, and it was very difficult to keep track of expired certificates in order to release a new version in a timely manner.

To solve this problem, it was decided to develop a small addition to Cryptopro 5, which helped update information about available certificates.

#!/bin/bash
# bash rather than sh: the script uses [[ ]] and (( )), which POSIX sh does not provide

CERTS_CHECK=$(certmgr -list | grep -E "Subject ")

# check if certs exist; write an empty JSON array and stop if there are none
if [[ $CERTS_CHECK == *"Subject "* ]]; then
	touch ./result.json
else
	echo "[]" > ./result.json
	exit 0
fi

CERTS_QTY=$(certmgr -list | grep -E "Subject " | wc -l)
COUNTER=1

# prepare data from certmgr: one line per certificate in each temporary file,
# in the same order, so that line N of every file belongs to the same certificate
certmgr -list | grep -E "Subject " | awk -F'CN=' '{ print $2 }' | tr -d '"' > ./names.txt
certmgr -list | grep -E "Subject " | awk -F'E=' '{ print $2 }' | cut -d "," -f 1 | tr -d '"' > ./emails.txt
# "Not valid after : DD/MM/YYYY HH:MM:SS UTC" -> keep the date only
certmgr -list | grep -E "Not valid after" | cut -d ":" -f 2 | cut -d " " -f 2 | tr -d '"' > ./valid_to.txt

# prepare result json: one object per certificate, taking line COUNTER of each file
echo "[" > ./result.json
while (( COUNTER <= CERTS_QTY ))
do
	echo '	{' >> ./result.json
	echo '		"name": "'$(sed -n "${COUNTER}p" ./names.txt)'",' >> ./result.json
	echo '		"e-mail": "'$(sed -n "${COUNTER}p" ./emails.txt)'",' >> ./result.json
	echo '		"valid-to": "'$(sed -n "${COUNTER}p" ./valid_to.txt)'"' >> ./result.json
	echo '	}' >> ./result.json
	echo "	," >> ./result.json
	COUNTER=$((COUNTER + 1))
done
sed -i '$ d' ./result.json   # drop the trailing "," line after the last object
echo "]" >> ./result.json

# remove tmp files
rm -f ./names.txt ./emails.txt ./valid_to.txt

# print result (the script has already exited above when there are no certificates)
cat ./result.json

The script produces the file result.json, which contains, for each certificate, the end of its validity period, the e-mail of the certificate owner, and its CN.

Example of outputting the contents of the result.json file

The script also displays the contents of the result.json file to the console if certificates are installed in Cryptopro, or a warning about the absence of certificates if there are none.

Example output warning about missing certificates

Building a Docker image with Cryptopro 5 based on Fedora 38

Everything here is as simple as it gets: download the rpm distribution, write a Dockerfile and build the image. The distribution is available at this link – https://www.cryptopro.ru/products/csp.

Please note that it is possible to select both deb and rpm distribution.

Cryptopro 5 distribution options

Dockerfile contents:

FROM fedora:38

WORKDIR /usr/src/cryptopro

COPY ./distr ./distr

RUN yes Y | ./distr/install.sh kc1
RUN ln -s /opt/cprocsp/sbin/amd64/cpconfig /usr/bin/cpconfig
RUN ln -s /opt/cprocsp/bin/amd64/certmgr /usr/bin/certmgr
RUN ln -s /opt/cprocsp/bin/amd64/cryptcp /usr/bin/cryptcp

COPY ./src/certs_info /usr/bin/certs_info

CMD [ "tail", "-f", "/dev/null" ]

The distr folder contains the unpacked archive with the Cryptopro 5 distribution kit. The src folder contains the executable script certs_info, which was described earlier.

Please note that after installation you need to create symbolic links to the executables so that you do not have to specify their full path every time you run a command. This example links only three executables: cpconfig, certmgr, and cryptcp. If you need other commands, don’t forget to add them to this list.

To build the image, you need to run the docker build command.

docker build -t cryptopro5 .

To start the container, you need to run the docker run command.

docker run -v ./cer:/cer -d --name cryptopro5 cryptopro5

Pay attention to the shared directory cer. You will need it to install certificates.

To check the license status, run the following command in the running container.

docker exec cryptopro5 cpconfig -license -view

Result of license status check

Loading certificates into a container

To simplify testing, it is possible to download test certificates on the Cryptopro website. They are available at this link – http://testca2012.cryptopro.ru/ui/.

Points 3 and 4

To install a root certificate, you need to use the -store parameter with the value root. Also note that during the certificate installation process, the utility waits for a response from the user; the response is not the letter “Y” but the letter “o”.

docker exec cryptopro5 bash -c "yes o | certmgr -install -store root -file /cer/rootca.cer"

To install a third-party certificate, the -store parameter is not needed.

docker exec cryptopro5 certmgr -install -file /cer/subca.cer

Now you can check the status of the installed third-party certificates using the script described earlier.

docker exec cryptopro5 certs_info

Conclusion

Further steps to automate the certificate renewal process were implemented in a SOAR platform: periodically polling the Cryptopro container for expiring certificates (using the JSON generated by the script), generating warning notifications before a certificate expires, and e-mailing replacement instructions to the responsible persons.
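The expiry check that the SOAR polling performs on the script's data, as an added example that is not part of the article: it parses certmgr -list output directly (pairing each Subject with its "Not valid after" line in one pass) and reports certificates with at most N days left. The certmgr output is a constructed sample in the layout the article's script greps for, and a Linux date -d (GNU or busybox) is assumed for the epoch conversion.

```shell
#!/bin/sh
# Added example, not the article's script: parse `certmgr -list` output into one
# record per certificate and report those expiring within N days. Subject and
# "Not valid after" are paired per certificate in a single awk pass, so a subject
# without an E= attribute cannot shift fields between records.
# Assumes a Linux `date -d` (GNU or busybox); the sample below is constructed.

SAMPLE_CERTMGR_OUTPUT='1-------
Subject             : E=ivanov@example.test, CN="Ivanov Ivan", O="Example Org"
Not valid after     : 19/05/2024  14:24:36 UTC
2-------
Subject             : E=petrov@example.test, CN=Petrov Petr
Not valid after     : 01/01/2030  00:00:00 UTC
3-------
Subject             : CN=Sidorov Sidor, O=Example Org
Not valid after     : 01/03/2024  00:00:00 UTC'

# Extract one attribute ($1, e.g. CN or E) from a subject string ($2); handles
# quoted values that contain commas. Prints nothing when the attribute is absent.
subject_attr() {
  printf ', %s\n' "$2" | sed -n -E \
    -e "s/.*, $1=\"([^\"]*)\".*/\1/p" -e t \
    -e "s/.*, $1=([^,]*).*/\1/p"
}

# Turn certmgr -list (stdin) into TAB-separated "subject  ISO-datetime  DD/MM/YYYY".
cert_records() {
  awk '
    /^Subject/         { sub(/^Subject[^:]*: */, ""); subj = $0 }
    /^Not valid after/ { sub(/^Not valid after[^:]*: */, ""); split($1, p, "/")
                         printf "%s\t%s-%s-%s %s\t%s\n", subj, p[3], p[2], p[1], $2, $1 }'
}

# Print "CN|e-mail|valid-to|days_left" for every certificate on stdin with at
# most $1 days left (negative = already expired). $2 is the reference time as a
# UNIX epoch (defaults to now) so that runs are reproducible.
expiring_certs() {
  threshold=$1; now=${2:-$(date -u +%s)}
  cert_records | while IFS=$(printf '\t') read -r subj iso valid_to; do
    expiry=$(date -u -d "$iso" +%s)
    days=$(( (expiry - now) / 86400 ))
    if [ "$days" -le "$threshold" ]; then
      printf '%s|%s|%s|%s\n' "$(subject_attr CN "$subj")" "$(subject_attr E "$subj")" "$valid_to" "$days"
    fi
  done
}

printf '%s\n' "$SAMPLE_CERTMGR_OUTPUT" | expiring_certs 30
```

In the container this would run as `certmgr -list | expiring_certs 30` instead of the sample pipeline on the last line.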
