https://github.com/duesee/mkpki

https://github.com/duesee/mkpki

Last synced: about 2 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/duesee/mkpki
• Owner: duesee
• Created: 2024-06-26T12:58:00.000Z (11 months ago)
• Default Branch: main
• Last Pushed: 2025-02-20T14:07:29.000Z (3 months ago)
• Last Synced: 2025-02-20T15:23:54.341Z (3 months ago)
• Language: Rust
• Size: 17.6 KB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 7
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# mkpki

A tool to generate a two-tier PKI with zones separated by [Name Constraints](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10).

This architecture allows efficient zone revocation and reduces the severity of a key compromise:

If an intermediate key is compromised, the damage is limited to a specific zone.

If the root key is compromised, the damage is limited to a specific domain.

```text

Usage: mkpki [--seed ]  []

mkpki.

Options:

  --seed            ONLY FOR TESTING: seed CSPRNG with `sha256(argument)`

  --help            display usage information

Commands:

  root              Create root certificate.

  intermediate      Create intermediate certificate.

  leaf              Create leaf certificate.

```

## Overview

```mermaid

flowchart TD

    A(example.org) --> B(zone1.example.org)

    A --> C(zone2.example.org)

    B --> D(leaf1.zone1.example.org)

    C --> E(leaf1.zone2.example.org)

    C --> F(leaf2.zone2.example.org)

```

* The root CA is constraint to a specific domain, e.g., `example.org`, meaning that all certificates issued by the root CA are only ever valid for subdomains of `example.org`.

* The intermediate CA is constraint to an even more specific domain, e.g., `zone1.example.org`, meaning that all certificates issued by the intermediate CA are only ever valid for subdomains of `zone1.example.org`.

* The leaf certificates are typical X.509 leaf certificates and cannot be used for further issuance.