{"id":20704178,"url":"https://github.com/solidsnack/cadir","last_synced_at":"2025-06-11T03:33:30.998Z","repository":{"id":1268473,"uuid":"1207557","full_name":"solidsnack/CAdir","owner":"solidsnack","description":"CA management utility.","archived":false,"fork":false,"pushed_at":"2015-06-05T00:25:21.000Z","size":147,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-06-07T22:44:08.560Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solidsnack.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2010-12-30T02:48:10.000Z","updated_at":"2015-06-05T00:25:22.000Z","dependencies_parsed_at":"2022-08-16T12:50:31.717Z","dependency_job_id":null,"html_url":"https://github.com/solidsnack/CAdir","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidsnack%2FCAdir","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidsnack%2FCAdir/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidsnack%2FCAdir/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidsnack%2FCAdir/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solidsnack","download_url":"https://codeload.github.com/solidsnack/CAdir/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solidsnack%2FCAdir/sbom","host":{"name":"GitHub","url":"https://github.c
om","kind":"github","repositories_count":259191971,"owners_count":22819409,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T01:11:17.532Z","updated_at":"2025-06-11T03:33:30.980Z","avatar_url":"https://github.com/solidsnack.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n  CAdir is a script for managing an x509 Certificate Authority, offering\n  request signing and queries of the CA.\n\n  CAdir receives the request or query parameters on standard in, locks the CA\n  with a POSIX lock and performs the requested action. One use case for CAdir\n  is as an SSH forced command, allowing nodes in a cluster of computers to\n  concurrently make authenticated requests of the CA.\n\n\n                                                              Command Language\n   ----------------------------------------------------------------------------\n\n    \u003crequest\u003e     = sign\u003cnl\u003e\u003crequest bytes\u003e   # Sign the request.\n                  | crt                       # Get the CA cert.\n                  | crl                       # Obtain an up to date CRL.\n\n\n                                Creating A Certificate Authority \u0026 Using CAdir\n   ----------------------------------------------------------------------------\n\n    To create a certificate authority with OpenSSL is easy, if hard to uncover:\n\n      openssl req -new -newkey rsa:2048 -x509 -days 1095 \\\n                  -keyout ca.key -out ca.crt \\\n                  -subj '/CN=example.com/O=ECom/C=US/ST=Oregon/L=Portland'\n\n    
It will ask you to enter a password for your key; this is good\n    practice. When you deploy CAdir, decrypt your key:\n\n      openssl rsa \u003c ./ca.key \u003e ./ca.plain.key\n\n    CAdir will prefer a file called `ca.plain.key' if it exists. Otherwise, it\n    uses `ca.key'. Now create a new private key and certificate signing\n    request:\n\n      openssl req -new -newkey rsa:2048 -nodes -keyout mail.key -out mail.csr \\\n                  -subj '/CN=mail.example.com/O=ECom/C=US/ST=Oregon/L=Portland'\n\n    Here, you are creating a key for your mail server. The `-nodes' option\n    causes OpenSSL to skip asking you to encrypt the key (probably okay for\n    your mail server).\n\n    Let's sign the certificate signing request to get a signed cert:\n\n      (echo -n 'sign :' ; cat ./mail.csr) | CAdir ./ | sed 1d \u003e ./mail.crt\n\n    (We strip off the first line with sed because that is CAdir's status\n    message.) Look upon your cert, marvel at its beauty:\n\n      openssl x509 -text \u003c ./mail.crt\n\n    CAdir has a bunch of things to say, which it will put on STDOUT. Much of\n    this info is placed in ./CAdir/log, as well. CAdir has an option to log to\n    syslog, too.\n\n\n                                          Using CAdir As An SSH Forced Command\n   ----------------------------------------------------------------------------\n\n    The CAdir command is meant to be used as an SSH forced command. 
It\n    carefully handles both input and output to prevent the underlying system\n    from being compromised.\n\n    Here is an example of an authorized_keys file with CAdir as a forced\n    command for one of the keys:\n\n      ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAorDE3jQONw+sixlnuJ3d2qlqi0KLUyPohT86ZOBKtJPeRQ082/DJ1qSVI1c/hnPEIU7ymbKcOWT5fP1kaBRv4jOKzQYwZb083rBr5kv50F3HgOnTWs/9Z1b80+Bn69N/BcQmwTlgKBv3FQ+8vjtJ1Q1X3++pgUBRm5aD3JyCcLGPVJHPlLTbXEoYGJUBxZb58pw+PbH+FyakaRN8xTSrOg1BygvQpFrBIVRlyFgtPKBOruWYTv05M645q6/MTmfeBlQYFzTJz8yqub6EWy2dHlQjMkQgO+3sbgBCe3J+ikm4RoVGO5CXnXLQXtyKzbMnumapjwx7TaaegUDZIDSvyw== jason\n\n      command=\"~/CAdir/bin/CAdir ~/ca --syslog\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqAFL/UT+YhKObrXpMQM2BbS7LmCLXBcE9UrgLFuDNAGltnRxB17lCyXtJJivqV5pZApUHNL8XC21d7sy+I5oUgxwpwgL53foEB2G8BLlzEPGcBA47lpeMiW2OrfXsuUDk8oBlV5/3SNQ2rhEUVWzXEk0mHPtRe99HYEsGK4F3mgpEiuenf20qYiEkhLGDJB2u5N8aTuoI7vIklxejMXXJRSUvg9xbCnLSsDkFvElLS7cmhAu1zAwf03tZia5pC+ZRIHMQP5tihhqOzuLW1fENmq3v39hAFVVu7FRHcztm3v8iON56If6GZIFx3WH18OPBdrySfTl8fAmNz9o/HCBaQ== ca-connector\n\n    You can distribute the private part of the key pair wherever you like and\n    (crosses fingers) the holder can sign certs but can not access the CA's\n    private key directly.\n\n\n                                                                   CAdir.admin\n   ----------------------------------------------------------------------------\n\n    An example: setup a certificate authority, sign a CSR, revoke the cert\n    and fetch the CRL.\n\n      CAdir.admin setup ./foo\n      (echo sign ; cat mail.csr) | CAdir ./foo | sed 1d \u003e mail.crt\n      CAdir.admin revoke cn=mail.example.com ./foo\n      echo csr | CAdir ./foo | sed 1d \u003e 
example.crl\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolidsnack%2Fcadir","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolidsnack%2Fcadir","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolidsnack%2Fcadir/lists"}