
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

asyd-ca.pl

This is a little Perl script to manage a Certification Authority using the openssl command. Like CA.[sh|pl] (from OpenSSL) it is very simple to use, and it asks only a few questions. It comes with a few template files; one of these can be used to create wildcard certificates.

Any suggestion, bug report or feature request (including templates) is welcome.

Features

  • Few requirements: Perl and OpenSSL
  • Very easy to use; no OpenSSL knowledge required, though it is welcome
  • asyd-ca.pl doesn't require OpenSSL templates
  • Extend it via OpenSSL template files (requires good OpenSSL knowledge)

Demo

Configure CA information

# ls -1
asyd-ca.pl
changes.log
templates
# vi templates/ca-req.cnf
[..]
emailAddress     = asyd@asyd.net
countryName      = FR
organizationName = asyd.net
commonName       = "asyd dot net CA"
localityName     = Paris

It's more or less the only file you need to edit. Very easy, isn't it?

Initialize Certification Authority

# ./asyd-ca.pl init
[openssl's output removed]
# ls -1
asyd-ca.pl
CA
certs
changes.log
keys
misc
pkcs12
reqs
templates

The content of each directory is explained below.

Create a certificate request

Note: You can edit the file templates/simple.cnf, especially the fields with the _default suffix. These values are the defaults (which can be overridden) that openssl uses when prompting for the certificate request information.

# ./asyd-ca.pl req jboss
[skip openssl useless output]
Organization Name (required) [asyd.net]:
Country Name (2 letter code, required) [FR]:
Email Address (optional) [asyd@asyd.net]:
Common Name (MUST match the DNS name) [www.asyd.net]:jboss.asyd.net
Organizational Unit Name (optional) []:

As you can see, I use the default values set in templates/simple.cnf, except for the common name, where I override the value with jboss.asyd.net. As you probably know, the CN (CommonName) field of a service certificate (e.g. https) MUST match the DNS name used to reach the service.

Sign a certificate request

# ./asyd-ca.pl sign jboss
[skip openssl useless output]
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

I'm now able to use the certificate, using the file certs/jboss.pem. Though, in the special case of JBoss, I need a PKCS12 file, so I just do:

# ./asyd-ca.pl pkcs12 jboss
Enter export password: 
Verifying - Enter export password:
# ls -l pkcs12/jboss.p12
-rw-r----- 1 asyd asyd 2288 2006-01-09 20:50 pkcs12/jboss.p12

Since a PKCS12 file includes a key, a password is recommended.
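As an added walk-through (not asyd-ca.pl's own code, nor from this page), here is the sequence of openssl calls a wrapper like this has to drive for the init / req / sign / pkcs12 steps above, ending with a check that the issued certificate chains to the CA and that its CN equals the DNS name clients will use. It signs with openssl x509 -req instead of openssl ca, so no index.txt/serial database is needed, and the scratch directory and file names are assumptions.

```shell
#!/bin/sh
# Constructed walk-through (not asyd-ca.pl's code): the openssl calls behind
# init / req / sign / pkcs12, plus a CN-vs-DNS-name check on the result.
# Assumptions: openssl and mktemp on PATH; everything lives in one scratch dir.
set -eu
WORK=$(mktemp -d)

# init: CA key and self-signed root, subject values taken from ca-req.cnf above
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=FR/O=asyd.net/CN=asyd dot net CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# req NAME: service key and request; $1 is the DNS name, which becomes the CN
make_req() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=FR/O=asyd.net/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME: issue the cert with the CA. Uses openssl x509 -req rather than
# openssl ca (so no index.txt/serial database is needed) and adds a
# subjectAltName, since current clients check the SAN rather than the CN.
sign_req() {
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -days 90 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# pkcs12 NAME PASSWORD: bundle key + cert + CA cert; the bundle holds the
# private key, hence the export password
make_p12() {
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -certfile "$WORK/ca.pem" -passout "pass:$2" -out "$WORK/$1.p12"
}

# check NAME EXPECTED_DNS: succeed only if the cert chains to the CA and its
# CN equals the DNS name clients will use
check_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}
```

Run it as `make_ca; make_req jboss.asyd.net; sign_req jboss.asyd.net; make_p12 jboss.asyd.net secret; check_cert jboss.asyd.net jboss.asyd.net`; the check fails for any other name, which is the mismatch that makes clients reject the certificate.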

Docs

Directories

CA              Contains all files related to the CA (the root certificate and its key)
certs           Certificates signed by the CA
keys            Keys for certificates created with asyd-ca.pl
misc/attic      Files removed with the delete subcommand
misc/serial     The next available serial
misc/index.txt  The CA database
pkcs12          PKCS12 files created with the pkcs12 subcommand
reqs            Certificate request files

Subcommands

init    Create the CA files and directories
help    Display the help message
req     Create a certificate request
sign    Sign a certificate request
delete  Move all (req, key, cert) files for a certificate to the attic
pkcs12  Create a p12 file with a certificate, its key, and the CA cert
purge   Remove ALL files (except asyd-ca.pl and templates), very dangerous

Download

SVN: svn co https://svn.asyd.net/svn/asyd-ca/releases/0.1/ SSL
Files: tar.gz

Roadmap

  • Export certificates (including the CRL) to LDAP
  • Remove openssl output when it is useless