{"id":17527038,"url":"https://github.com/openxpki/clca","last_synced_at":"2026-01-22T20:16:26.465Z","repository":{"id":10035975,"uuid":"12079967","full_name":"openxpki/clca","owner":"openxpki","description":"Command line CA, including bootable Root CA medium and Secret Sharing","archived":false,"fork":false,"pushed_at":"2026-01-10T11:31:29.000Z","size":247,"stargazers_count":40,"open_issues_count":2,"forks_count":19,"subscribers_count":7,"default_branch":"master","last_synced_at":"2026-01-11T03:36:36.086Z","etag":null,"topics":["bootable","command-line","offline-root","pki","root-ca","secret-sharing"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openxpki.png","metadata":{"files":{"readme":"README.keyceremony-shared-interactive.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-08-13T11:10:07.000Z","updated_at":"2026-01-10T11:31:28.000Z","dependencies_parsed_at":"2024-02-28T15:02:42.740Z","dependency_job_id":null,"html_url":"https://github.com/openxpki/clca","commit_stats":null,"previous_names":[],"tags_count":21,"template":false,"template_full_name":null,"purl":"pkg:github/openxpki/clca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fclca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fclca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fclca/releases","manifests_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/openxpki%2Fclca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openxpki","download_url":"https://codeload.github.com/openxpki/clca/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fclca/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28670366,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T19:36:09.361Z","status":"ssl_error","status_checked_at":"2026-01-22T19:36:05.567Z","response_time":144,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bootable","command-line","offline-root","pki","root-ca","secret-sharing"],"created_at":"2024-10-20T15:03:00.502Z","updated_at":"2026-01-22T20:16:26.459Z","avatar_url":"https://github.com/openxpki.png","language":"Shell","readme":"# Interactive Secret Sharing CA runbook example\nThis is an example runbook for an interactive key ceremony using Secret Sharing.\n\n2013-12-16 Martin Bartosch\n\n# Creation of a secret share set and CA initialization\n\nAssumptions:\n3072 Bit RSA key protected by a 128 Bit random pass phrase.\nThe pass phrase is split into 5 shares, of which 3 will be needed to perform CA operations.\n\n\n\n```\n1. 
Preparation of CLCA configuration\n\nexport K=3\nexport N=5\nrm -rf dummyca/\nmkdir -p dummyca/etc\nmkdir -p dummyca/private/\nchmod 700 dummyca/private/\ncp etc/clca.cfg dummyca/etc/\ncp etc/openssl.cnf dummyca/etc/\n\ncat \u003c\u003cEOF \u003e\u003edummyca/etc/clca.cfg\nget_passphrase() {\n   eval \\`../bin/secret get --n $N --k $K\\`\n   echo \\$PASSPHRASE\n}\nEOF\n\n2. Generate CA key and perform secret sharing.\n\nRequired: you need N=5 persons for safekeeping of the CA shares.\n\neval `./bin/secret generate  --n $N --k $K` openssl genrsa -aes256 -passout env:PASSPHRASE -out dummyca/private/rsa-rootkey 3072\n\nEach share holder must copy the displayed share literally and keep it.\n\n3. Create the CA certificate\n\ncd dummyca\n../bin/clca initialize\n\n4. Create initial CRL\n\n../bin/clca issuecrl\n\n5. Sign certificate\n\n../bin/clca certify --profile foo REQUEST\n\n\n```\n\n\n\n## Replacing a secret share set\n\nIf a share gets lost or if the existing quorum should be changed to a different one, it is possible to create a completely new secret share set that replaces the old one.\n\nThis is done by decrypting the private key with the old quorum and re-encrypting it with a newly created quorum, which also changes the underlying passphrase.\n\nPlease note that the old private key file together with the old share set will still be sufficient to unlock the private key, so make sure to destroy the old share set and the old key file once it has been verified that the new share set works.\n\nThe following procedure (also available as bin/change-quorum.sh) can be applied to perform this task.\n\nPlease note that you need to edit the script to adapt the old and new quorum parameters. 
The script will fail if these parameters are not correct.\n\n```bash\n#!/bin/bash -e\n#\n# 2019-12 Martin Bartosch\n# This script can assist CA Administrators in recreating a secret sharing\n# quorum.\n\n# specify old (existing) quorum\nK_OLD=3\nN_OLD=5\n\n# new quorum, default: identical to old quorum\nK_NEW=$K_OLD\nN_NEW=$N_OLD\n\nKEY_OLD=\"$1\"\nKEY_NEW=\"$2\"\n\nif [ -z \"$KEY_NEW\" ] ; then\ncat \u003c\u003cEOF\nUsage:\n$0 OLD_KEY_FILE NEW_KEY_FILE\n\nThis script will recreate a share set and write a copy of the existing\nprivate key KEY_OLD_FILE to the file KEY_NEW_FILE.\nThe script will not overwrite KEY_NEW_FILE if the file already exists.\nThe private key in KEY_NEW_FILE will be identical to KEY_OLD_FILE but it will\nbe encrypted with a different random passphrase determined by the new\nquorum.\nAfter verifying that KEY_NEW_FILE can be used with the newly created quorum\nit can be used instead of KEY_OLD_FILE.\n\nAssumptions:\n- the existing quorum and the new quorum are defined in this script\n  (edit below settings to reflect the actual setup)\n- the existing private key is protected with the old quorum\n\nEOF\nexit 0\nfi\n\n# assert that secret is in $PATH\ntype secret\ntype openssl\n\nif [ ! -r \"$KEY_OLD\" ] ; then\n    echo \"Old key $KEY_OLD not readable.\"\n    exit 1\nfi\nif [ -e \"$KEY_NEW\" ] ; then\n    echo \"New key $KEY_NEW already exists, refusing to overwrite.\"\n    exit 1\nfi\n\n\necho \"Recreating secret key sharing quorum\"\necho \"Old quorum:\"\necho \"k = $K_OLD\"\necho \"n = $N_OLD\"\necho \"New quorum:\"\necho \"k = $K_NEW\"\necho \"n = $N_NEW\"\n\necho\necho \"Unlocking old $K_OLD/$N_OLD quorum (press RETURN)\"\nread\n\nexport PASSPHRASE=\"\"\neval `secret get --k $K_OLD --n $N_OLD`\n\nif [ $? 
!= 0 ] ; then\n    echo \"Error unlocking old quorum.\"\n    exit 1\nfi\n\nif [ -z \"$PASSPHRASE\" ] ; then\n    echo \"Could not unlock old quorum.\"\n    exit 1\nfi\n\nexport PASSPHRASE_OLD=\"$PASSPHRASE\"\n\nclear\necho\necho \"Creating new $K_NEW/$N_NEW quorum (press RETURN)\"\nread\n\neval `secret generate --k $K_NEW --n $N_NEW`\n\nopenssl pkey -in $KEY_OLD -out $KEY_NEW -passin env:PASSPHRASE_OLD -passout env:PASSPHRASE\n\nif [ $? != 0 ] ; then\n    echo \"Error: could not re-encrypt private key\"\n    exit 1\nfi\n\n\n\n```\n\n\n\n","funding_links":[],"categories":["Shell"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenxpki%2Fclca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenxpki%2Fclca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenxpki%2Fclca/lists"}