{"id":13474559,"url":"https://github.com/steccas/stecCA","last_synced_at":"2025-03-26T21:31:51.887Z","repository":{"id":46034351,"uuid":"360560253","full_name":"steccas/stecCA","owner":"steccas","description":"An easy to deploy Certificate Authority / Public Key Infrastructure using CFSSL, Lemur and Docker magic!","archived":false,"fork":false,"pushed_at":"2023-05-09T02:17:22.000Z","size":5165,"stargazers_count":147,"open_issues_count":3,"forks_count":15,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-10-30T07:48:21.132Z","etag":null,"topics":["certificate-authority","certificates","cfssl","cloudflare","deploy","docker","docker-compose","easy","lemur","netflix","oscp","oscp-responder","pki","security","server","signing","ssl","ssl-certificates","tls","tls-certificate"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/steccas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null},"funding":{"github":["Steccas"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":["https://www.buymeacoffee.com/steccas"]}},"created_at":"2021-04-22T15:06:35.000Z","updated_at":"2024-10-26T06:03:18.000Z","dependencies_parsed_at":"2022-09-14T11:12:58.194Z","dependency_job_id":"4ad38ccf-9b33-43b1-b022-557e38f0e6e2","html_url":"https://github.com/steccas/stecCA","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steccas%2FstecCA","tags_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steccas%2FstecCA/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steccas%2FstecCA/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steccas%2FstecCA/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/steccas","download_url":"https://codeload.github.com/steccas/stecCA/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245738754,"owners_count":20664336,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authority","certificates","cfssl","cloudflare","deploy","docker","docker-compose","easy","lemur","netflix","oscp","oscp-responder","pki","security","server","signing","ssl","ssl-certificates","tls","tls-certificate"],"created_at":"2024-07-31T16:01:13.167Z","updated_at":"2025-03-26T21:31:48.745Z","avatar_url":"https://github.com/steccas.png","language":"Shell","funding_links":["https://github.com/sponsors/Steccas","https://www.buymeacoffee.com/steccas"],"categories":["Shell"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr\u003e\n  \u003ca href=\"https://github.com/Steccas/stecCA\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/Steccas/stecCA/main/img/logo.png\" alt=\"StecCA\" width=\"256\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n    StecCA\n  \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eAn easy to deploy Certificate Authority using \u003ca href=\"https://github.com/cloudflare/cfssl\" 
target=\"_blank\"\u003eCFSSL\u003c/a\u003e, \u003ca href=\"https://github.com/Netflix/lemur\" target=\"_blank\"\u003eLemur\u003c/a\u003e and \u003ca href=\"https://www.docker.com/\" target=\"_blank\"\u003eDocker\u003c/a\u003e magic!\u003c/h4\u003e\n\n\u003cbr\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/Steccas/stecCA/graphs/contributors\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/contributors/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/Steccas/stecCA/network/members\"\u003e\u003cimg src=\"https://img.shields.io/github/forks/Steccas/stecCA.svg?style=for-the-badge\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Steccas/stecCA/issues\"\u003e\n      \u003cimg src=\"https://img.shields.io/github/issues/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/Steccas/stecCA/issues\"\u003e\n      \u003cimg src=\"https://img.shields.io/github/issues-closed/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/Steccas/stecCA/stargazers\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/stars/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/Steccas/stecCA/blob/main/LICENSE\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/license/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://GitHub.com/Steccas/stecCA/pull\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/issues-pr/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://GitHub.com/Steccas/stecCA/pull\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/issues-pr-closed/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://GitHub.com/Steccas/stecCA/commit\"\u003e\n    \u003cimg 
src=\"https://img.shields.io/github/last-commit/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://GitHub.com/Steccas/stecCA\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/repo-size/Steccas/stecCA.svg?style=for-the-badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://linkedin.com/in/lucasteccanella\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge\u0026logo=linkedin\u0026colorB=555\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://www.buymeacoffee.com/steccas\" target=\"_blank\"\u003e\n    \u003cimg src=\"https://cdn.buymeacoffee.com/buttons/lato-yellow.png\" alt=\"Buy Me A Coffee\" height=\"27.8\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#about-the-project\"\u003eAbout\u003c/a\u003e •\n  \u003ca href=\"#built-with\"\u003eTechnologies\u003c/a\u003e •\n  \u003ca href=\"#key-features\"\u003eKey Features\u003c/a\u003e •\n  \u003ca href=\"#getting-started\"\u003eHow To Use\u003c/a\u003e •\n  \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e •\n  \u003ca href=\"#support\"\u003eSupport\u003c/a\u003e •\n  \u003ca href=\"#license\"\u003eLicense\u003c/a\u003e\n\u003c/p\u003e\n\n\n\u003c!-- ABOUT THE PROJECT --\u003e\n## About The Project\n\nI needed to manage certificates for my home lab: I'm self-hosting some services and, of course, I wanted fully working SSL without errors.\n\nIn these situations a Certificate Authority is needed, but using OpenSSL from the terminal turned out to be impractical and not ideal for managing the various certificates, so I decided to deploy a better system for these tasks.\n\nSo I came across Lemur and CFSSL... I chose CFSSL because it has a very easy-to-use CLI, offers an OCSP responder and integrates with Lemur; Lemur is a platform that offers a web interface and an SQL database for managing certificates, so issuing, revoking and keeping track of them is much more efficient.\n\nAnyway, there was no product that integrated all of these technologies, so using some guides and my own experience I set them up together with Docker and some scripts, keeping everything as clean as possible and very easy to redeploy.\n\nNow I'm publishing it on GitHub because it could be really useful for a lot of people! I'd also like to further improve the project, making the integration better and adding even more functionality for various use cases.\n\n*Need to quickly set up your CA in a matter of minutes? It is not a problem anymore!*\n\n## Built with\n\nThis project uses the following technologies:\n\n\u003ca href=\"https://github.com/cloudflare/cfssl\"\u003e\n  \u003cimg alt=\"CFSSL\" src=\"https://img.shields.io/badge/CFSSL-f48120.svg?\u0026style=for-the-badge\u0026logo=cloudflare\u0026logoColor=white\"/\u003e\n\u003c/a\u003e\n\u003ca href=\"https://github.com/Netflix/lemur\"\u003e\n  \u003cimg alt=\"Lemur\" src=\"https://img.shields.io/badge/lemur-%23CC0000.svg?\u0026style=for-the-badge\u0026logo=netflix\u0026logoColor=white\"/\u003e\n\u003c/a\u003e\n\u003ca href=\"https://www.docker.com/\"\u003e\n  \u003cimg alt=\"Docker\" src=\"https://img.shields.io/badge/docker-%230db7ed.svg?\u0026style=for-the-badge\u0026logo=docker\u0026logoColor=white\"/\u003e\n\u003c/a\u003e\n\u003ca href=\"https://www.gnu.org/software/bash/\"\u003e\n  \u003cimg alt=\"Bash\" src=\"https://img.shields.io/badge/bash-%23121011.svg?\u0026style=for-the-badge\u0026logo=gnu-bash\u0026logoColor=white\"/\u003e\n\u003c/a\u003e\n\u003ca href=\"https://www.postgresql.org/\"\u003e\n  \u003cimg alt=\"PostgreSQL\" src=\"https://img.shields.io/badge/postgres-%23316192.svg?\u0026style=for-the-badge\u0026logo=postgresql\u0026logoColor=white\"/\u003e\n\u003c/a\u003e\n\u003ca href=\"https://www.nginx.com/\"\u003e\n  \u003cimg alt=\"NGINX\" src=\"https://img.shields.io/badge/nginx-%23009639.svg?\u0026style=for-the-badge\u0026logo=nginx\u0026logoColor=white\"/\u003e\n\u003c/a\u003e\n\nCFSSL acts as the core engine, generating the CAs and the certificates, while Lemur offers an integrated system with a web interface that makes management very easy.\n\nEverything is stored in the PostgreSQL database.\n\nDeployment is done with Docker and some Bash scripting, which makes data persistence and redeployment fast and repeatable.\n\n\u003c!-- \n* [CFSSL](https://github.com/cloudflare/cfssl)\n* [Lemur](https://github.com/Netflix/lemur)\n* [Docker](https://www.docker.com/)\n* [Bash](https://www.gnu.org/software/bash/)\n--\u003e\n\n## Key Features\n\n* Easy and fast deploy!\n  - Thanks to Docker and Bash scripting, deploying a fully working CA doesn't take hours anymore!\n* Root CA and Intermediate CA\n  - The root CA is not directly exposed; an intermediate CA (signed by the root) signs the user-created certificates.\n* Web Interface\n  - Lemur provides an easy-to-use web interface to issue, manage and revoke certificates.\n* Automation\n  - Lemur provides various automated checks on certificates; some have already been enabled, but many more can be enabled depending on your needs.\n* Persistence\n  - The integration of both CFSSL and Lemur with PostgreSQL makes it easy to manage and persist all the data needed.\n* OCSP Responder\n  - CFSSL's OCSP responder has been set up, including automatic updates.\n    (I'm not sure if it is already working as I configured it, so any help is really appreciated)\n\n\u003c!-- GETTING STARTED --\u003e\n## Getting Started\n\nGetting the CA up and running is fairly easy if you carefully follow these few steps. The guide and the scripts assume that you are using a Debian-based Linux distro (including Ubuntu Server or Raspbian), but support for other distros is very feasible because only the 'apt' commands need to be changed.\n\n**If on Debian, pay attention during the step in which the script imports the golang PPA.**\n\nWindows is a no-no, but adapting the setup scripts may make it doable.\n\n### Prerequisites\n\nAs a prerequisite, you just need an up-and-running Docker and Docker Compose installation. This will not be done by the script.\n\n_Please refer to the [Docker install guide](https://docs.docker.com/engine/install/) and the [Docker Compose install guide](https://docs.docker.com/compose/install/) to complete this step._\n\nIt is very quick and easy, don't worry.\n\nYou need a working firewall; I suggest to\n* Install UFW\n  ```sh\n  sudo apt update\n  sudo apt install ufw\n  ```\nOtherwise, you need to edit lines 69 and 70 of [setup_cfssl.sh](https://github.com/Steccas/stecCA/blob/main/setup_cfssl.sh) to obtain the same firewall rules. This is very important: otherwise the ROOT CA will be exposed on the network! (CFSSL Auth cannot be integrated with Lemur yet.)\n\n### Installation\n\nI'm using nano in some commands, but of course you can use any editor you want!\n\n1. Clone the repo\n    ```sh\n    git clone https://github.com/Steccas/stecCA.git\n    ```\n2. Edit [cfssl-config.json](https://github.com/Steccas/stecCA/blob/main/cfssl-config.json) to set the right URL for your CRL and OCSP; it may be localhost. Leave the ports unchanged.\n    ```sh\n    nano ./cfssl-config.json\n    ```\n3. Edit [csr_root_ca.json](https://github.com/Steccas/stecCA/blob/main/csr_root_ca.json) and [csr_intermediate_ca.json](https://github.com/Steccas/stecCA/blob/main/csr_intermediate_ca.json) to set the right values for your root CA and intermediate CA; there are already example values, change them and you are good to go.\n    ```sh\n    nano ./csr_root_ca.json\n    nano ./csr_intermediate_ca.json\n    ```\n4. Similarly, edit [ocsp.csr.json](https://github.com/Steccas/stecCA/blob/main/ocsp.csr.json) to set the right information for your OCSP responder.\n    ```sh\n    nano ./ocsp.csr.json\n    ```\n    \n5. Edit [lemur.env](https://github.com/Steccas/stecCA/blob/main/lemur.env) to make the same information available to Lemur. Don't touch the password, it will be set automatically later.\n    ```sh\n    nano ./lemur.env\n    ```\n\n6. Edit [creds.env](https://github.com/Steccas/stecCA/blob/main/creds.env) to set the username and password for the DB and the other services; they will be substituted into the other files and used automatically, so use strong ones.\n    ```sh\n    nano ./creds.env\n    ```\n    CHANGE THEM: the ones in the files are meant as placeholders, or at best as default passwords for testing!\n\n7. Start the setup script as root. It will ask whether you configured everything; if you didn't and something doesn't work as expected, or if you leave the default password (which everyone on GitHub will know), that is up to you! Also, before running it make sure the script has the execute permission flag.\n    ```sh\n    chmod u+x ./setup_cfssl.sh\n    sudo ./setup_cfssl.sh\n    ```\n\n8. At some point the setup will ask you to paste the PEM certificate data at the bottom of [lemur.conf.py](https://github.com/Steccas/stecCA/blob/main/lemur.conf.py); this is important or Lemur WILL NOT WORK.\n    ```sh\n    nano ./lemur.conf.py\n    ```\n    At the bottom, look for these values and change them according to the PEMs printed by the script and your chosen URL.\n    ```py\n    CFSSL_URL = \"http://ca.example.lan:8888\"  # change this to the machine IP or DNS name\n    CFSSL_ROOT = \"\"\"\u003cinsert root pem here\u003e\"\"\"\n    CFSSL_INTERMEDIATE = \"\"\"\u003cinsert intermediate pem here\u003e\"\"\"\n    ```\n    After this it will start everything up and, as a last step, it will ask you to add the following line to the crontab (which will be opened for you after 5 seconds); set the frequency you want.\n    ```sh\n    cfssl ocspdump -db-config /etc/cfssl/db_config.json \u003e /etc/cfssl/ocspdump\n    ```\n\n9. Check the health of the containers with\n    ```sh\n    docker ps\n    ```\n    If they are not healthy or something doesn't work, check every step, open an Issue or check \u003ca href=\"#support\"\u003eSupport\u003c/a\u003e.\n\n10. Enjoy\n\u003c!-- USAGE EXAMPLES --\u003e\n## Usage\n\nYou can now simply open Lemur on port 443 of your machine (using your IP, localhost, or DNS name) and log in with your defined credentials: the web interface password is defined in the `lempass` environment variable and the username is \"lemur\".\n\nOf course, remember to add your root CA to your OSes and browsers.\n\nThe interface is really easy, but please refer to the [Lemur documentation](https://lemur.readthedocs.io/en/latest/) for better instructions.\n\nIf you need to reboot your server it is not a problem: docker-compose should bring the services up again and, thanks to data persistence, everything will still be there.\n\nThis also means that if you back up your CFSSL data and Docker volumes you can easily migrate to another machine.\n\n\u003c!-- CONTRIBUTING --\u003e\n## Contributing\n\nContributions are what make the open source community such an amazing place to learn, inspire, and create.\n\nAnd this project can be greatly improved!\n\nAny contributions you make are **greatly appreciated**.\n\n1. Fork the Project\n2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)\n3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)\n4. Push to the Branch (`git push origin feature/AmazingFeature`)\n5. Open a Pull Request\n\nYou can also consider helping with a donation ❤️\n\u003cbr\u003e\n\n\u003ca href=\"https://github.com/sponsors/Steccas\" target=\"_blank\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/sponsor-%23F5F5F5.svg?\u0026style=for-the-badge\u0026logo=github\u0026logoColor=pink\" alt=\"GitHub Sponsor\"\u003e\n\u003c/a\u003e\n\u003ca href=\"https://www.buymeacoffee.com/steccas\" target=\"_blank\"\u003e\n    \u003cimg src=\"https://cdn.buymeacoffee.com/buttons/lato-yellow.png\" alt=\"Buy Me A Coffee\" height=\"27.8\"\u003e\n\u003c/a\u003e\n\n\n## Support\n\nThis project comes without any warranty; you are responsible for the deployment.\nIf you encounter a problem, [open an issue](https://github.com/Steccas/stecCA/issues), consider [getting a sponsor plan](https://github.com/sponsors/Steccas) or contact me to get dedicated support.\n\n\n\u003c!-- LICENSE --\u003e\n## License\n\nDistributed under the GNU GPL v3 License. See [LICENSE](https://github.com/Steccas/stecCA/blob/main/LICENSE) for more information.\n\n---\n\n\u003e [linktr.ee](https://linktr.ee/steccas) \u0026nbsp;\u0026middot;\u0026nbsp;\n\u003e GitHub [@Steccas](https://github.com/Steccas) \u0026nbsp;\u0026middot;\u0026nbsp;\n\u003e LinkedIn [Luca Steccanella](https://linkedin.com/in/lucasteccanella)\n\n\u003cbr\u003e\n\n![](https://estruyf-github.azurewebsites.net/api/VisitorHit?user=Steccas\u0026repo=stecCA\u0026countColorcountColor\u0026countColor=%237B1E7A)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteccas%2FstecCA","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsteccas%2FstecCA","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteccas%2FstecCA/lists"}
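
Added example, not part of the stecCA repository or of the ecosyste.ms record above: a Go program that uses the standard crypto/x509 package (instead of cfssl) to build the same root CA to intermediate CA to leaf layout the README's "Root CA and Intermediate CA" feature describes, then runs two checks a practitioner can point at the PEMs the setup script prints for lemur.conf.py and at a certificate issued through Lemur. VerifyChain shows that a client which trusts only the root (the "add your CA to your OSes and browsers" step) cannot validate a leaf unless it is also handed the intermediate, and SignedDirectlyBy confirms that the root key never signs leaves directly, which is the whole point of keeping the root unexposed. The CA names, the 24-hour validity window and the host name ca.example.lan (taken from the README's lemur.conf.py snippet) are assumptions for the demo; the PEMs are generated in memory, not read from a real deployment.

```go
// Added example, not stecCA's own code: the README's root -> intermediate ->
// leaf layout rebuilt with Go's crypto/x509 instead of cfssl, plus two checks
// a practitioner can point at a real deployment's PEM files. Names are assumed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the PEM-encoded certificates of the demo CA.
type Hierarchy struct{ RootPEM, IntermediatePEM, LeafPEM []byte }
type issued struct{ pemData []byte; cert *x509.Certificate; key *ecdsa.PrivateKey }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func parsePEM(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// VerifyChain checks that leafPEM chains to a root in rootPEM for dnsName. A nil
// intermediatePEM models a client that trusts the root but was never handed the
// intermediate: verification must then fail.
func VerifyChain(leafPEM, intermediatePEM, rootPEM []byte, dnsName string) error {
	leaf, err := parsePEM(leafPEM)
	if err != nil {
		return fmt.Errorf("leaf: %w", err)
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: dnsName}
	opts.Roots.AppendCertsFromPEM(rootPEM) // an unusable PEM leaves the pool empty, so Verify fails
	if intermediatePEM != nil {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AppendCertsFromPEM(intermediatePEM)
	}
	_, err = leaf.Verify(opts)
	return err
}

// SignedDirectlyBy reports whether childPEM's signature verifies under issuerPEM's
// key. True for a leaf and the ROOT means the root key does day-to-day signing.
func SignedDirectlyBy(childPEM, issuerPEM []byte) bool {
	child, errC := parsePEM(childPEM)
	issuer, errI := parsePEM(issuerPEM)
	return errC == nil && errI == nil && child.CheckSignatureFrom(issuer) == nil
}

// issue makes a fresh P-256 key for tmpl and signs it with signer; a nil parent
// yields a self-signed root. Demo-only validity window; panics on failure.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) *issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // RFC 5280: serial must be > 0
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &issued{pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key}
}

// BuildDemoHierarchy constructs stand-in PEMs shaped like the ones the setup
// script prints for lemur.conf.py (constructed data, not a real deployment).
func BuildDemoHierarchy() *Hierarchy {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "stecCA demo Root CA"},
		IsCA:    true, BasicConstraintsValid: true, MaxPathLen: 1, KeyUsage: caUsage,
	}, nil, nil)
	inter := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "stecCA demo Intermediate CA"},
		IsCA:    true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: caUsage,
	}, root.cert, root.key)
	leaf := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "ca.example.lan"}, // host name from the README's lemur.conf.py
		DNSNames:    []string{"ca.example.lan"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter.cert, inter.key)
	return &Hierarchy{root.pemData, inter.pemData, leaf.pemData}
}

func main() {
	h := BuildDemoHierarchy()
	fmt.Println("leaf + intermediate + root:", VerifyChain(h.LeafPEM, h.IntermediatePEM, h.RootPEM, "ca.example.lan"))
	fmt.Println("leaf + root only:", VerifyChain(h.LeafPEM, nil, h.RootPEM, "ca.example.lan"))
	fmt.Println("leaf signed directly by the root key:", SignedDirectlyBy(h.LeafPEM, h.RootPEM))
}
```

Run against a real install, the same two functions are a quick post-setup check to pair with `docker ps`: feed them the root and intermediate PEMs pasted into lemur.conf.py plus a certificate issued through Lemur. The chain must verify with the intermediate present, fail without it (so the intermediate has to be served alongside every leaf), and the leaf must never verify directly under the root key.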