asyd.net

Welcome to Bruno Bonfils's (aka asyd homepage).

Trace: » asyd-ca

Differences

This shows you the differences between the selected revision and the current version of the page.

--- projects:asyd-ca 2006/01/09 20:29
+++ projects:asyd-ca 2008/10/03 08:25 current
@@ Line 2: / Line 2: @@
 This is a little perl script to manage a Certification Authority using
-the openssl command. Though, unlike CA.[sh|pl] (from OpenSSL) it is very
+the openssl command. Though, like CA.[sh|pl] (from OpenSSL) it is very
 simple to use, and it ask only few questions. It comes with few
 templates files. One of these can be use to create wildcard certificates.
+Any suggestion, bug report, feature request (include template) are welcome.
 ===== Features =====
@@ Line 11: / Line 13: @@
    * Very easy to use, no OpenSSL knowledges required, but theirs are welcome
    * asyd-ca.pl doesn't require Openssl templates
+   * Extend it via Openssl's templates files (require good OpenSSL knowledges)
 ===== Demo =====
@@ Line 51: / Line 54: @@
 The content of each directory is explain below.
-==== Create a certificat ====
+==== Create a certificate request ====
-Note: You can edit the file //templates/simple.cnf//, especially the field with _default suffix. These values are the default one (but can be override) used by openssl prompting
+Note: You can edit the file //templates/simple.cnf//, especially the field with //_default// suffix. These values are the default one (but can be override) used by openssl while prompting
 for the certificat request informations.
+<code>
+# ./asyd-ca.pl req jboss
+[skip openssl useless output]
+Organization Name (required) [asyd.net]:
+Country Name (2 letter code, required) [FR]:
+Email Address (optional) [asyd@asyd.net]:
+Common Name (MUST match the DNS name) [www.asyd.net]:jboss.asyd.net
+Organizational Unit Name (optional) []:
+</code>
+As you can see, I use default value set in templates/simple.cnf, except
+for the common name, where I override the value with //jboss.asyd.net//. As you
+probably know, the field CN (CommonName) of a service certificate (e.g. https)
+**MUST** match the DNS name used to reach the service.
+==== Sign a certificate request ====
+<code>
+# ./asyd-ca.pl sign jboss
+[skip openssl useless output]
+Sign the certificate? [y/n]:y
+out of 1 certificate requests certified, commit? [y/n]y
+</code>
+I'm now able to use the certificate, using file //certs/jboss.pem//. Though,
+in the special case of Jboss, I need a pkcs12 file, so I just do :
+<code>
+# ./asyd-ca.pl pkcs12 jboss
+Enter export password:
+Verifying - Enter export password:
+# ls -l pkcs12/jboss.p12
+-rw-r----- 1 asyd asyd 2288 2006-01-09 20:50 pkcs12/jboss.p12
+</code>
+Since a PKCS12 file include a key, a password is recommanded.
 ===== Docs =====
@@ Line 61: / Line 100: @@
 === Directories ===
-^ CA | Contains all files related to CA (the root certificat, and its related key)
+^ CA | Contains all files related to CA (the root certificat, and its related key) |
 ^ certs | Certs signed by the CA |
 ^ keys | Keys for certificates created with asyd-ca.pl |
@@ Line 71: / Line 110: @@
 === Subcommands ===
+^ init | Create the CA files and directories |
+^ help | Display help message |
+^ req | Create a certificate request |
+^ sign | Sign a certificate request |
+^ delete | Move all (req, key, cert) files for a certificate to attic |
+^ pkcs12 | Creae a p12 file with a certificate, its key, and the CACert |
+^ purge | Remove **ALL** files (except asyd-ca.pl and templates), very **dangerous** |
 ===== Download =====
-   * Coming soon
+^ SVN | <code>svn co https://svn.asyd.net/svn/asyd-ca/releases/0.1/ SSL </code>|
+^ Files | [[http://asyd.net/upstream/asyd-ca01.tar.gz|tar.gz]] |
 ===== Roadmap =====
@@ Line 80: / Line 128: @@
    * Export cert (including CRL) to LDAP
    * Remove openssl output when useless
+~~DISCUSSION~~