lemur's Introduction

Lemur

Join the chat at https://gitter.im/Netflix/lemur

Latest Docs

Lemur manages TLS certificate creation. While not able to issue certificates itself, Lemur acts as a broker between CAs and environments providing a central portal for developers to issue TLS certificates with 'sane' defaults.

Lemur aims to support the 3 most recent Python releases that have been out for at least a year. For example, if Python 3.12 was released last month, we'd aim to support versions 3.9, 3.10, and 3.11. We deploy on Ubuntu and develop mostly on OS X.

Project resources

lemur's Issues

Deleting imported Cert

Is it possible to delete (not just deactivate) an imported certificate? I can't find any way to do it, and can't find anything about it in the documentation.

Add support for Mandrill as a notification method

The current lemur_email notification system only supports ses or smtp. Mandrill is a popular transactional mail service (built by the guys that make mailchimp).

Adding support for Mandrill would be a nice addition. I have started development on a mandrill plugin (t0xiccode/lemur_mandrill), but rolling this functionality into the "core" lemur_email plugin would make it easier to get started for organisations using it for emails.

Config flag not respected for 'lemur start'

When passing configuration files to the child gunicorn workers the '-c' configuration flag is not correctly passed to the flask app.

Currently we can only pass the app configuration via env variable or by placing our config in the default location ~/.lemur/lemur.conf.py

Lemur should be able to filter certificates by owner

This would provide the ability to zero in on a user (or group). Should also include a shortcut or checkbox for a user to view only their certificates. This would include any certificate directly created by them as well as any certificates they own transitively through group membership.

Remove OpenSSL from code base

There are currently a few ugly sys calls to various OpenSSL commands (e.g. creating CSRs). With the newest version of cryptography (1.0) we should be able to remove these and use standard library calls instead.

Customizable distinguished name defaults

Lemur should not have Netflix-specific distinguished name defaults in the UI; these should be customizable.

We could do this by:

Providing an endpoint that would read a configuration file such that angular can correctly fill in the default fields.

or

As a build/deploy step ask for these defaults and include them in the javascript.

Add ability to submit a CSR to Lemur

There are use cases where a third party may issue a CSR on your behalf (retaining the private key). It would be helpful to allow Lemur to be able to act as a 'pass through' and issue this certificate directly. This would also be helpful in the case the UI does not support a particular option or extension and could be generated manually.

Key rotation

What is the process for rotating the encryption key used with Lemur? Let's say I accidentally copy it into an IRC chat. What are my next steps?

If there isn't any tooling built-in to help with this, I think it would be a great thing to have. I haven't done much research into the best way to do it, but a good starting point might be: https://cryptography.io/en/latest/fernet/#cryptography.fernet.MultiFernet

It might make sense to look into this at the same time as issue #117 is being addressed.
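An added example (not Lemur's own code) of the MultiFernet rotation the question links to: every stored token is re-encrypted under the new key, after which the leaked key no longer opens anything. It assumes the `cryptography` package is installed and uses constructed sample secrets.

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def rotate_tokens(old_key: bytes, new_key: bytes, tokens):
    """Re-encrypt every token under new_key.

    MultiFernet decrypts with any key in its list but always encrypts with
    the first one, so [new, old] reads old ciphertext and writes new.
    """
    mf = MultiFernet([Fernet(new_key), Fernet(old_key)])
    return [mf.rotate(t) for t in tokens]


def decryptable_with(key: bytes, token: bytes) -> bool:
    """True if this single key, on its own, can open the token."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False


def demo():
    old_key = Fernet.generate_key()   # the key assumed to have leaked
    new_key = Fernet.generate_key()   # its replacement
    # Constructed sample: two secrets as a store might hold them under old_key.
    stored = [Fernet(old_key).encrypt(b"private key 1"),
              Fernet(old_key).encrypt(b"private key 2")]
    rotated = rotate_tokens(old_key, new_key, stored)
    return {
        # plaintext survives the rotation unchanged
        "plaintext": [Fernet(new_key).decrypt(t) for t in rotated],
        # the leaked key must not open any rotated token
        "old_key_still_works": any(decryptable_with(old_key, t) for t in rotated),
    }


if __name__ == "__main__":
    print(demo())
```

Rotation only helps if it runs over every stored ciphertext; any copy still encrypted under the old key remains readable to whoever has it.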

Viewing a SubCA's Cert provides incomplete CA Chain info

If you create a Root CA, a Sub CA, and a Leaf CA, and look up their certificates, you will see that the chain information presented by lemur of a CA is incomplete.
The Root CA has no chain, which is of course correct.
The Sub CA has no chain.
The Leaf CA has the Sub CA in its chain.

Can't get lemur to create a certificate

I have set up lemur using lemur-docker and can't get it to create a certificate.

The error returned is:
{"message": "'NoneType' object has no attribute 'owner'"}

I also built it from source myself and had the same error.

The http request sent was:

Request:
curl 'https://app1.example.com/api/1/certificates' 
-X POST
-H 'Pragma: no-cache' -H 'Origin: https://app1.example.com'
-H 'Accept-Encoding: gzip, deflate' 
-H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' 
-H 'Accept: application/json, text/plain, */*' 
-H 'Cache-Control: no-cache' 
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0NDMwOTI1NTcsInN1YiI6MSwiZXhwIjoxNDQzMTc4OTU3fQ.o8qZ28o383YMwVCywRxTNxYTPhFDu-kHHX7yM3qDFq4'
 -H 'Cookie: session=eyJpZGVudGl0eS5hdXRoX3R5cGUiOm51bGwsImlkZW50aXR5LmlkIjoxfQ.COTCBQ.0VA8yUn1KoIoNzlKSJvmXyo8TBo'
 -H 'Connection: keep-alive'
 -H 'Referer: https://app1.example.com/' 
--data-binary '{"country":"","state":"","location":"","organization":"","organizationalUnit":"","owner":"fsdf@sadas","description":"sadsadsa","selectedAuthority":"dsadasdsad","commonName":"asdsa","extensions":{"subAltNames":{"names":[]}},"subAltType":null,"subAltValue":null}' --compressed
Response:
{"message": "'NoneType' object has no attribute 'owner'"}

Any help would be appreciated, lemur looks really cool and I would like to try it out.
Tim

Display certificate information on authority page.

Right now it can be quite confusing to go between "Authority" and what that authority's public certificate actually is. It might make sense to display the public certificate of the authority on the authority page to reduce confusion about the chain.

Cannot create the default lemur.conf.py

We cannot currently create the default lemur.conf.py with the lemur create_config command. This is because Flask-Script expects a config to be available before it will run any of the commands. Unfortunately this means that our command to create a config fails because of a deadlock.

I think there might be a way to defer the creation of 'create_app' such that the configuration file is not required to be there upon instantiation.

Authority type should be more prominent

Currently the authority type is buried a bit too deeply; we should move it to the first pane of authority creation. This would also allow us to validate the allowable date range of the subca, similar to the logic that is applied to leaf certificates.

Verisign Source Plugin

The verisign plugin should be able to poll the verisign API for all issued certificates and ensure that Lemur knows about them.

Plugin destinations should be able to expose a unique certificate identifier

It would be useful, when uploading to a destination, to display a unique identifier for that certificate so it can be found in the corresponding destination.

For instance when uploading a certificate to AWS we would be able to generate the ARN for any given certificate by combining the AWS account id with the certificate name.

This would most likely be added to the plugin destination interface with a unique_identifier property.

Alternatively this could be defined just in the front end as a plugin option that would simply render the unique identifier in javascript.

If the unique identifier cannot be derived we will need to think about how that extra metadata could be stored.

SubCA autogenerated descriptions for their certs are incorrect

If you create a root CA, and look up the certificate for that CA, its description is:
This is the ROOT certificate for the $CN certificate authority.
If you create a subCA off of that rootCA, and look up the certificate for that SubCA, its description is:
This is the ROOT certificate for the $CN certificate authority

Users should be able to suppress notifications

There should be an ability to stop receiving expiration notifications on a certificate by certificate basis. Currently marking the certificate as 'in-active' is the only way to suppress notifications and may not fit all use cases.

Allow certificates to be associated with a destination after creation

Lemur currently only allows a user to choose a destination during the creation process. There should be a way to allow a user to upload a certificate to an arbitrary number of destinations after it has been created.

This would be useful in two scenarios:

  1. The user really wants to use an ELB but forgot to upload it to AWS during the creation
  2. Requirements changed and the certificate needs to be in a different (or more) AWS account

Add ability to mark domains for approval

Currently there is no certificate approval process within Lemur. I would propose this feature be added in such a way that allows an administrator to mark a given domain as 'sensitive'.

When a certificate is requested and contains a domain that is marked as 'sensitive' it should not be issued and instead be marked with a status of 'pending'. This could possibly send an email notification to admins to 'approve' the certificate.

Once marked as 'approved' by an administrator or a user with a special permission (maybe an approver role?), we should issue the original request and notify the user.

These sensitive domains should be configurable in the Lemur configuration file or eventually in the UI. These should be simple regexes such that we can loosely match various levels of domains.

This would allow us to mark test.example.com as sensitive but allow myapp.test.example.com to be issued.
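An added example (not Lemur's code) of the sensitive-domain check this issue proposes. The setting name SENSITIVE_DOMAINS and the request layout (commonName plus a subAltNames list of nameType/value entries) are assumptions; the point it demonstrates is that patterns must be anchored with re.fullmatch so test.example.com is held while myapp.test.example.com is issued.

```python
import re

# Constructed config: regexes for domains whose certificates need approval.
# Hypothetical setting name, not a real Lemur option.
SENSITIVE_DOMAINS = [
    r"test\.example\.com",              # exactly this host
    r"[^.]+\.internal\.example\.com",   # one label directly under internal.example.com
]

_PATTERNS = [re.compile(p, re.IGNORECASE) for p in SENSITIVE_DOMAINS]


def requested_names(request):
    """Every name the request asks for: the CN plus any DNS SANs."""
    names = []
    if request.get("commonName"):
        names.append(request["commonName"])
    sans = request.get("extensions", {}).get("subAltNames", {}).get("names", [])
    for san in sans:
        if san.get("nameType") == "DNSName":
            names.append(san["value"])
    return names


def sensitive_matches(request):
    """Names that hit a sensitive pattern.

    re.fullmatch anchors the whole name, so a subdomain of a sensitive host
    is not caught by accident; re.search would flag both.
    """
    return [n for n in requested_names(request)
            if any(p.fullmatch(n) for p in _PATTERNS)]


def decide_status(request):
    """'pending' when any requested name is sensitive, otherwise 'issue'."""
    return "pending" if sensitive_matches(request) else "issue"
```

Checking SANs as well as the CN matters: a sensitive name hidden in the SAN list must not bypass the approval step.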

Create new plugin architecture

The new architecture should support the loading of various kinds of plugins:

  • Issuers -- Would be anybody creating certificates, VeriSign, Digicert, etc.
  • Sources -- Could be anywhere certificates are stored outside of Lemur (AWS, SourceCode, Deployed on instances)
  • Destinations -- Anywhere you might want to store a certificate outside of Lemur (AWS)

Cannot edit owner with no associated role

2015-08-26 20:33:36,751 ERROR: 'NoneType' object has no attribute 'name' [in /apps/lemur/lemur/common/utils.py:60]
Traceback (most recent call last):
  File "/apps/lemur/lemur/common/utils.py", line 46, in wrapper
    resp = f(*args, **kwargs)
  File "/apps/lemur/lemur/certificates/views.py", line 575, in put
    permission = UpdateCertificatePermission(certificate_id, role.name)
AttributeError: 'NoneType' object has no attribute 'name'
2015-08-26 20:34:08,236 ERROR: 'NoneType' object has no attribute 'name' [in /apps/lemur/lemur/common/utils.py:60]
Traceback (most recent call last):
  File "/apps/lemur/lemur/common/utils.py", line 46, in wrapper
    resp = f(*args, **kwargs)
  File "/apps/lemur/lemur/certificates/views.py", line 575, in put
    permission = UpdateCertificatePermission(certificate_id, role.name)
AttributeError: 'NoneType' object has no attribute 'name'
2015-08-26 20:37:19,147 ERROR: 'NoneType' object has no attribute 'name' [in /apps/lemur/lemur/common/utils.py:60]
Traceback (most recent call last):
  File "/apps/lemur/lemur/common/utils.py", line 46, in wrapper
    resp = f(*args, **kwargs)
  File "/apps/lemur/lemur/certificates/views.py", line 575, in put
    permission = UpdateCertificatePermission(certificate_id, role.name)
AttributeError: 'NoneType' object has no attribute 'name'

If a user enters an owner that has no associated role, they are unable to edit the owner.

Create a migration script for new fernet encrypted keys.

With #123 in place, we will need a script to be able to move from the older style sqlalchemy_utils encrypted column to the new fernet encrypted column.

This will be handled via an alembic migration that will create an intermediate table such that we can convert between the new encryption scheme and the old scheme. New deployments should not have to undergo this migration.

Lemur should create permalinks

Lemur should construct permalinks to certificates such that they can be shared via email or IM and the certificate would be immediately viewable in the UI instead of asking the receiver to search for the certificate name.

Support Output Plugins

We currently store our certificates in PEM format. It would be nice if we could support output plugins.

The first output plugin I would expect to create is for Java trust and key stores.

Certificate create form should not be valid until a Certificate Authority object is available

Currently the form validation is such that as long as there is a value in the 'Certificate Authority' field it is considered valid. We should ensure that the user actually selected a 'Certificate Authority' object before allowing them to submit the form.

Additionally the API should include more validation and messages around requests submitted without a valid authority.
