====== asyd-ca.pl ======
This is a little perl script to manage a Certification Authority using
the openssl command. Though, like CA.[sh|pl] (from OpenSSL) it is very
simple to use, and it ask only few questions. It comes with few
templates files. One of these can be use to create wildcard certificates.
Any suggestion, bug report, feature request (include template) are welcome.
===== Features =====
* Few requirements : Perl and Openssl
* Very easy to use, no OpenSSL knowledges required, but theirs are welcome
* asyd-ca.pl doesn't require Openssl templates
* Extend it via Openssl's templates files (require good OpenSSL knowledges)
===== Demo =====
==== Configure CA informations ====
# ls -1
asyd-ca.pl
changes.log
templates
# vi templates/ca-req.cnf
[..]
emailAddress = asyd@asyd.net
countryName = FR
organizationName = asyd.net
commonName = "asyd dot net CA"
localityName = Paris
It's more or less the only file you need to edit. It's very easy, isn't it ?
==== Initialize Certification Autority ====
# ./asyd-ca.pl init
[openssl's output remove]
# ls -1
asyd-ca.pl
CA
certs
changes.log
keys
misc
pkcs12
reqs
templates
The content of each directory is explain below.
==== Create a certificate request ====
Note: You can edit the file //templates/simple.cnf//, especially the field with //_default// suffix. These values are the default one (but can be override) used by openssl while prompting
for the certificat request informations.
# ./asyd-ca.pl req jboss
[skip openssl useless output]
Organization Name (required) [asyd.net]:
Country Name (2 letter code, required) [FR]:
Email Address (optional) [asyd@asyd.net]:
Common Name (MUST match the DNS name) [www.asyd.net]:jboss.asyd.net
Organizational Unit Name (optional) []:
As you can see, I use default value set in templates/simple.cnf, except
for the common name, where I override the value with //jboss.asyd.net//. As you
probably know, the field CN (CommonName) of a service certificate (e.g. https)
**MUST** match the DNS name used to reach the service.
==== Sign a certificate request ====
# ./asyd-ca.pl sign jboss
[skip openssl useless output]
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
I'm now able to use the certificate, using file //certs/jboss.pem//. Though,
in the special case of Jboss, I need a pkcs12 file, so I just do :
# ./asyd-ca.pl pkcs12 jboss
Enter export password:
Verifying - Enter export password:
# ls -l pkcs12/jboss.p12
-rw-r----- 1 asyd asyd 2288 2006-01-09 20:50 pkcs12/jboss.p12
Since a PKCS12 file include a key, a password is recommanded.
===== Docs =====
=== Directories ===
^ CA | Contains all files related to CA (the root certificat, and its related key) |
^ certs | Certs signed by the CA |
^ keys | Keys for certificates created with asyd-ca.pl |
^ misc/attic | Files removed with the subcommand |
^ misc/serial | The next serial available |
^ misc/index.txt | The CA database |
^ pkcs12 | PKCS12 files created with the pkcs12 subcommand |
^ reqs | Certificates requests files |
=== Subcommands ===
^ init | Create the CA files and directories |
^ help | Display help message |
^ req | Create a certificate request |
^ sign | Sign a certificate request |
^ delete | Move all (req, key, cert) files for a certificate to attic |
^ pkcs12 | Creae a p12 file with a certificate, its key, and the CACert |
^ purge | Remove **ALL** files (except asyd-ca.pl and templates), very **dangerous** |
===== Download =====
^ SVN | svn co https://svn.asyd.net/svn/asyd-ca/releases/0.1/ SSL
|
^ Files | [[http://asyd.net/upstream/asyd-ca01.tar.gz|tar.gz]] |
===== Roadmap =====
* Export cert (including CRL) to LDAP
* Remove openssl output when useless
~~DISCUSSION~~