Skip to content
forked from cgzones/easy-ca

OpenSSL wrapper scripts for managing basic CA functions

License

Notifications You must be signed in to change notification settings

tomberek/easy-ca

 
 

Repository files navigation

easy-ca

OpenSSL wrapper scripts for managing basic CA functions

Test CI Status GitHub License

A suite of bash scripts for automating very basic OpenSSL Certificate Authority operations:

  • Creating Root CAs
  • Creating Intermediate Signing CAs
  • Creating Server certificates
  • Creating Client certificates
  • Creating Code Signing certificates
  • Revoking certificates and maintaining CRLs
  • Creating CSRs
  • Managing SSH keys

Usage

tl;dr

Scripts:

Name Description
create-client Create a client certificate
create-codesign Create a code signing certificate
create-root-ca Create a root signing CA
create-server Create a server certificate
create-signing-ca Create an intermediate signing CA inside a root CA
gen-html Create a shareable html directory structure for publishing the CA
revoke-cert Revoke a (client|server) certificate
show-status Show the infos about the current CA (signed certificates...)
sign-csr Sign an imported client certificate
create-csr Create a client certificate
update-crl Updates the CRL
list-expiring-certs List certificates that are about to expire

Important files:

Path Description
bin/ Script directory
ca/ca.crt CA certificate
ca/chain.pem CA chain certificate
certs/(client|server|codesign)/ Parent directory for signed certificates

Create a new Root CA

The create-root-ca script will initialize a new Root CA directory structure. This script can be run directly from the source repo or from within an existing Easy CA installation. The CA is self-contained within the specified directory tree. It is portable and can be stored on removable media for security.

create-root-ca -d $ROOT_CA_DIR

create-root-ca will prompt for the basic DN configuration to use as defaults for this CA. Optionally, you can edit defaults.conf to set this information in advance. The new CA is now ready for use. The CA certificate, key and CRL are available for review:

$ROOT_CA_DIR/ca/ca.crt
$ROOT_CA_DIR/ca/ca.pub
$ROOT_CA_DIR/ca/ca.ssh.pub
$ROOT_CA_DIR/ca/private/ca.key
$ROOT_CA_DIR/ca/ca.crl

(Optional) Create an Intermediate Signing CA

Running create-signing-ca from within a Root CA installation will initialize a new Intermediate CA directory structure, indepedent and separate from the Root CA. A Root CA may issue multiple Intermediate CAs.

$ROOT_CA_DIR/bin/create-signing-ca -d $SIGNING_CA_DIR

create-signing-ca will prompt for basic DN configuration, using the Root CA configuration as defaults. The Intermediate Signing CA is now ready for use. The CA key, certificate, chain file, and CRL are available for review as well as the root certificate and the chain bundle:

$SIGNING_CA_DIR/ca/ca.crt
$SIGNING_CA_DIR/ca/ca.pub
$SIGNING_CA_DIR/ca/ca.ssh.pub
$SIGNING_CA_DIR/ca/private/ca.key
$SIGNING_CA_DIR/ca/ca.crl
$SIGNING_CA_DIR/ca/root.crt
$SIGNING_CA_DIR/ca/chain.pem

Issue a Server Certificate

Running create-server from within any CA installation will issue a new server (serverAuth) certificate:

$CA_DIR/bin/create-server -s "FQDN Description" -a fqdn.domain.com -a www.fqdn.domain.com

All addresses must be supplied via the -a flag.

create-server will prompt for basic DN configuration, using the CA configuration as defaults. After the script is completed, the server certificate, key, and CSR are available for review in the directory $CA_DIR/certs/server/FQDN-Description/:

$CA_DIR/certs/server/FQDN-Description/FQDN-Description.crt
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.key
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.pub
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.ssh.pub
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.csr

Issue a Client Certificate

Running create-client from within any CA installation will issue a new client (clientAuth) certificate:

$CA_DIR/bin/create-client -c [email protected]

create-client will prompt for basic DN configuration, using the CA configuration as defaults. After the script is completed, the client certificate, key, CSR and p12 files are available for review in the directory $CA_DIR/certs/clients/user-domain-com/:

$CA_DIR/certs/clients/user-domain-com/user-domain-com.crt
$CA_DIR/certs/clients/user-domain-com/user-domain-com.key
$CA_DIR/certs/clients/user-domain-com/user-domain-com.p12
$CA_DIR/certs/clients/user-domain-com/user-domain-com.pub
$CA_DIR/certs/clients/user-domain-com/user-domain-com.ssh.pub
$CA_DIR/certs/clients/user-domain-com/user-domain-com.csr

Issue a Code Signing Certificate

Running create-codesign from within any CA installation will issue a new code signing certificate:

$CA_DIR/bin/create-codesign -c name

create-cocesign will prompt for basic DN configuration, using the CA configuration as defaults. After the script is completed, the code signing certificate, key, CSR and p12 files are available for review in the directory $CA_DIR/certs/codesign/name/:

$CA_DIR/certs/codesign/name/name.crt
$CA_DIR/certs/codesign/name/name.key
$CA_DIR/certs/codesign/name/name.p12
$CA_DIR/certs/codesign/name/name.pub
$CA_DIR/certs/codesign/name/name.csr

Revoke a Certificate

Running revoke-cert from within a CA installation allows you to revoke a certificate issued by that CA and update the CRL:

$CA_DIR/bin/revoke-cert -c $CA_DIR/certs/server/FQDN-Description/FQDN-Description.crt

revoke-cert will prompt for the revocation reason. After the script is completed, the server CRL is updated and available for review:

$CA_DIR/ca/ca.crl

Monitor certificates using a cron job

Running list-expiring-certs from within a CA installation will list all certificates that will expire within a set time. If you have cron jobs set up to email you on non-zero exits, a job like this would email you a list of certificates with two weeks left every weekday morning:

[email protected]
0 4 * * 1-5 $CA_DIR/bin/list-expiring-certs -c -t '2 weeks'

Caveats

These scripts are very simple, and make some hard-coded assumptions about behavior and configuration:

  • Root and Intermediate CAs have a 3652-day lifetime (configurable in templates/(root|signing).tpl)
  • Root and Intermediate CAs have 4096-bit RSA keys (configurable in defaults.conf)
  • Root and Intermediate CA keys are always encrypted
  • Only one level of Intermediate CA is supported
  • Client and Server certificates have a 730-day lifetime (configurable in templates/(server|client).tpl)
  • Client and Server certificates have 3072-bit RSA keys (configurable in defaults.conf)
  • Client and Server keys are not encrypted
  • There is no wrapper yet for renewing certificates
  • PKCS11 support is in beta

License

This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

About

OpenSSL wrapper scripts for managing basic CA functions

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 83.2%
  • Smarty 16.8%