I’m working on a prototype Balena Block for creating asymmetric key pairs, generating CSRs, self-signed certs, and TLSA records (for publishing client certs as DANE DNS records).
For context: I use this code in a few of my Balena projects. For maintainability, I want to have one source of truth so that if I extend the tool to support another public key algo (for instance) I won’t need to update every instance of the identity manager. This places all crypto assets in the same directory, and the assumption is that the volume will only be mounted where access to the private key is necessary.
I would love to get feedback on this, and if it can be tweaked to be more generally useful, I’m open to making changes.
Here’s the repo: GitHub - ValiMail/identity-manager (Balena Block for managing DNS-bound device identity).
It hasn’t been published as a block yet, so depending on how you deploy, you may need to pull it in as a git submodule.
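For anyone reading along who wants to see what the TLSA half of this actually involves, here is a small standard-library Python example of deriving a DANE TLSA record from a DER certificate and checking a presented cert against a published record. This is an added illustration, not code from the identity-manager repo; the function names (`extract_spki`, `tlsa_rdata`, `cert_matches_tlsa`) and the sample certificate it builds (structurally valid Ed25519 X.509 with a zeroed signature, CN `device-0001`) are constructed for this example only.

```python
"""DANE TLSA records for device client certificates, standard library only.

Added example (not code from the identity-manager repository).  A TLSA
record has four fields: certificate usage, selector, matching type and the
certificate association data (RFC 6698).  For a self-signed client cert
published under the device's DNS name the usual choice is "3 1 1":
DANE-EE (usage 3, the record itself is the trust anchor, no PKIX chain),
SubjectPublicKeyInfo (selector 1, survives re-issuing the cert with the
same key), SHA-256 (matching type 1).
"""
import hashlib
import hmac


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _tlv(buf: bytes, pos: int):
    """Parse the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        vstart, vlen = pos + 2, first
    else:
        nlen = first & 0x7F
        if nlen == 0 or nlen > 4:
            raise ValueError("unsupported DER length encoding")
        vlen = int.from_bytes(buf[pos + 2 : pos + 2 + nlen], "big")
        vstart = pos + 2 + nlen
    if vstart + vlen > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, vstart, vstart + vlen


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        if vend > end:
            raise ValueError("nested element overruns its parent")
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 Certificate."""
    tag, vstart, vend = _tlv(cert_der, 0)
    if tag != 0x30 or vend != len(cert_der):
        raise ValueError("not a single DER Certificate SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs_tag, _, tbs_vstart, tbs_vend = next(_children(cert_der, vstart, vend))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(cert_der, tbs_vstart, tbs_vend))
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    _, tlv_start, _, tlv_end = fields[5]
    return cert_der[tlv_start:tlv_end]


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Build the presentation-format RDATA of a TLSA record for this certificate."""
    if selector not in (0, 1):
        raise ValueError("selector must be 0 (full cert) or 1 (SPKI)")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        assoc = data                                # exact match, full data published
    elif matching_type == 1:
        assoc = hashlib.sha256(data).digest()
    elif matching_type == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"{usage} {selector} {matching_type} {assoc.hex()}"


def cert_matches_tlsa(cert_der: bytes, rdata: str) -> bool:
    """Check a presented cert against a published TLSA record (DANE-EE style:
    no chain validation, just the association data)."""
    usage, selector, matching_type, assoc = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(matching_type)).split()[3]
    return hmac.compare_digest(expected, assoc.lower())


def build_sample_cert(pubkey: bytes, cn: str = "device-0001") -> bytes:
    """Constructed for this example: a structurally valid Ed25519 certificate
    whose signature field is zero bytes, so it parses like a real cert but
    is not a usable credential."""
    alg = der(0x30, der(0x06, bytes.fromhex("2b6570")))          # AlgorithmIdentifier { id-Ed25519 }
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))           # SubjectPublicKeyInfo
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    cert = build_sample_cert(bytes(range(32)))   # constructed placeholder public key
    record = tlsa_rdata(cert)
    print("_443._tcp.device-0001.example IN TLSA", record)
    print("presented cert matches:", cert_matches_tlsa(cert, record))
```

Using selector 1 (SPKI) rather than selector 0 (full certificate) is the usual recommendation for DANE-EE client identities: a device can re-issue or renew its self-signed cert around the same key pair without the DNS record changing, which matters when the private key lives on a volume that is only mounted where it is needed. The matching logic also accepts upper-case hex, since DNS tooling differs on case.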