This is a little perl script to manage a Certification Authority using the openssl command. Though, like CA.[sh|pl] (from OpenSSL) it is very simple to use, and it ask only few questions. It comes with few templates files. One of these can be use to create wildcard certificates.
Any suggestion, bug report, feature request (include template) are welcome.
# ls -1 asyd-ca.pl changes.log templates # vi templates/ca-req.cnf [..] emailAddress = asyd@asyd.net countryName = FR organizationName = asyd.net commonName = "asyd dot net CA" localityName = Paris
It's more or less the only file you need to edit. It's very easy, isn't it ?
# ./asyd-ca.pl init [openssl's output remove] # ls -1 asyd-ca.pl CA certs changes.log keys misc pkcs12 reqs templates
The content of each directory is explain below.
Note: You can edit the file templates/simple.cnf, especially the field with _default suffix. These values are the default one (but can be override) used by openssl while prompting for the certificat request informations.
# ./asyd-ca.pl req jboss [skip openssl useless output] Organization Name (required) [asyd.net]: Country Name (2 letter code, required) [FR]: Email Address (optional) [asyd@asyd.net]: Common Name (MUST match the DNS name) [www.asyd.net]:jboss.asyd.net Organizational Unit Name (optional) []:
As you can see, I use default value set in templates/simple.cnf, except for the common name, where I override the value with jboss.asyd.net. As you probably know, the field CN (CommonName) of a service certificate (e.g. https) MUST match the DNS name used to reach the service.
# ./asyd-ca.pl sign jboss [skip openssl useless output] Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y
I'm now able to use the certificate, using file certs/jboss.pem. Though, in the special case of Jboss, I need a pkcs12 file, so I just do :
# ./asyd-ca.pl pkcs12 jboss Enter export password: Verifying - Enter export password: # ls -l pkcs12/jboss.p12 -rw-r----- 1 asyd asyd 2288 2006-01-09 20:50 pkcs12/jboss.p12
Since a PKCS12 file include a key, a password is recommanded.
| CA | Contains all files related to CA (the root certificat, and its related key) |
|---|---|
| certs | Certs signed by the CA |
| keys | Keys for certificates created with asyd-ca.pl |
| misc/attic | Files removed with the subcommand |
| misc/serial | The next serial available |
| misc/index.txt | The CA database |
| pkcs12 | PKCS12 files created with the pkcs12 subcommand |
| reqs | Certificates requests files |
| init | Create the CA files and directories |
|---|---|
| help | Display help message |
| req | Create a certificate request |
| sign | Sign a certificate request |
| delete | Move all (req, key, cert) files for a certificate to attic |
| pkcs12 | Creae a p12 file with a certificate, its key, and the CACert |
| purge | Remove ALL files (except asyd-ca.pl and templates), very dangerous |
| SVN | svn co https://svn.asyd.net/svn/asyd-ca/releases/0.1/ SSL |
|---|---|
| Files | tar.gz |