|
projects:asyd-ca 2006/01/08 20:45 |
projects:asyd-ca 2008/10/03 08:25 current |
| | | | |
| | This is a little perl script to manage a Certification Authority using | | This is a little perl script to manage a Certification Authority using |
| - | the openssl command. Though, unlike CA.[sh|pl] (from OpenSSL) it is very | + | the openssl command. Though, like CA.[sh|pl] (from OpenSSL) it is very |
| | simple to use, and it ask only few questions. It comes with few | | simple to use, and it ask only few questions. It comes with few |
| | templates files. One of these can be use to create wildcard certificates. | | templates files. One of these can be use to create wildcard certificates. |
| | + | |
| | + | Any suggestion, bug report, feature request (include template) are welcome. |
| | | | |
| | ===== Features ===== | | ===== Features ===== |
| | | | |
| | * Few requirements : Perl and Openssl | | * Few requirements : Perl and Openssl |
| - | * Manage index, serial and CRL | + | * Very easy to use, no OpenSSL knowledges required, but theirs are welcome |
| | + | * asyd-ca.pl doesn't require Openssl templates |
| | + | * Extend it via Openssl's templates files (require good OpenSSL knowledges) |
| | + | |
| | + | ===== Demo ===== |
| | + | |
| | + | ==== Configure CA informations ==== |
| | + | |
| | + | <code> |
| | + | # ls -1 |
| | + | asyd-ca.pl |
| | + | changes.log |
| | + | templates |
| | + | # vi templates/ca-req.cnf |
| | + | [..] |
| | + | emailAddress = asyd@asyd.net |
| | + | countryName = FR |
| | + | organizationName = asyd.net |
| | + | commonName = "asyd dot net CA" |
| | + | localityName = Paris |
| | + | </code> |
| | + | |
| | + | It's more or less the only file you need to edit. It's very easy, isn't it ? |
| | + | |
| | + | ==== Initialize Certification Autority ==== |
| | + | |
| | + | <code> |
| | + | # ./asyd-ca.pl init |
| | + | [openssl's output remove] |
| | + | # ls -1 |
| | + | asyd-ca.pl |
| | + | CA |
| | + | certs |
| | + | changes.log |
| | + | keys |
| | + | misc |
| | + | pkcs12 |
| | + | reqs |
| | + | templates |
| | + | </code> |
| | + | |
| | + | The content of each directory is explain below. |
| | + | |
| | + | ==== Create a certificate request ==== |
| | + | |
| | + | Note: You can edit the file //templates/simple.cnf//, especially the field with //_default// suffix. These values are the default one (but can be override) used by openssl while prompting |
| | + | for the certificat request informations. |
| | + | |
| | + | <code> |
| | + | # ./asyd-ca.pl req jboss |
| | + | [skip openssl useless output] |
| | + | Organization Name (required) [asyd.net]: |
| | + | Country Name (2 letter code, required) [FR]: |
| | + | Email Address (optional) [asyd@asyd.net]: |
| | + | Common Name (MUST match the DNS name) [www.asyd.net]:jboss.asyd.net |
| | + | Organizational Unit Name (optional) []: |
| | + | </code> |
| | + | |
| | + | As you can see, I use default value set in templates/simple.cnf, except |
| | + | for the common name, where I override the value with //jboss.asyd.net//. As you |
| | + | probably know, the field CN (CommonName) of a service certificate (e.g. https) |
| | + | **MUST** match the DNS name used to reach the service. |
| | + | |
| | + | ==== Sign a certificate request ==== |
| | + | |
| | + | <code> |
| | + | # ./asyd-ca.pl sign jboss |
| | + | [skip openssl useless output] |
| | + | Sign the certificate? [y/n]:y |
| | + | 1 out of 1 certificate requests certified, commit? [y/n]y |
| | + | </code> |
| | + | |
| | + | I'm now able to use the certificate, using file //certs/jboss.pem//. Though, |
| | + | in the special case of Jboss, I need a pkcs12 file, so I just do : |
| | + | |
| | + | <code> |
| | + | # ./asyd-ca.pl pkcs12 jboss |
| | + | Enter export password: |
| | + | Verifying - Enter export password: |
| | + | # ls -l pkcs12/jboss.p12 |
| | + | -rw-r----- 1 asyd asyd 2288 2006-01-09 20:50 pkcs12/jboss.p12 |
| | + | </code> |
| | + | |
| | + | Since a PKCS12 file include a key, a password is recommanded. |
| | + | |
| | + | ===== Docs ===== |
| | + | |
| | + | === Directories === |
| | + | |
| | + | ^ CA | Contains all files related to CA (the root certificat, and its related key) | |
| | + | ^ certs | Certs signed by the CA | |
| | + | ^ keys | Keys for certificates created with asyd-ca.pl | |
| | + | ^ misc/attic | Files removed with the subcommand | |
| | + | ^ misc/serial | The next serial available | |
| | + | ^ misc/index.txt | The CA database | |
| | + | ^ pkcs12 | PKCS12 files created with the pkcs12 subcommand | |
| | + | ^ reqs | Certificates requests files | |
| | + | |
| | + | === Subcommands === |
| | + | |
| | + | ^ init | Create the CA files and directories | |
| | + | ^ help | Display help message | |
| | + | ^ req | Create a certificate request | |
| | + | ^ sign | Sign a certificate request | |
| | + | ^ delete | Move all (req, key, cert) files for a certificate to attic | |
| | + | ^ pkcs12 | Creae a p12 file with a certificate, its key, and the CACert | |
| | + | ^ purge | Remove **ALL** files (except asyd-ca.pl and templates), very **dangerous** | |
| | | | |
| | ===== Download ===== | | ===== Download ===== |
| | | | |
| - | * Coming soon | + | ^ SVN | <code>svn co https://svn.asyd.net/svn/asyd-ca/releases/0.1/ SSL </code>| |
| | + | ^ Files | [[http://asyd.net/upstream/asyd-ca01.tar.gz|tar.gz]] | |
| | | | |
| | ===== Roadmap ===== | | ===== Roadmap ===== |
| | | | |
| | * Export cert (including CRL) to LDAP | | * Export cert (including CRL) to LDAP |
| | + | * Remove openssl output when useless |
| | + | |
| | + | ~~DISCUSSION~~ |
