https://github.com/duesee/mkpki
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/duesee/mkpki
- Owner: duesee
- Created: 2024-06-26T12:58:00.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-02-20T14:07:29.000Z (3 months ago)
- Last Synced: 2025-02-20T15:23:54.341Z (3 months ago)
- Language: Rust
- Size: 17.6 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 7
Metadata Files:
- Readme: README.md
README
# mkpki
A tool to generate a two-tier PKI with zones separated by [Name Constraints](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10).
This architecture allows efficient zone revocation and reduces the severity of a key compromise:
If an intermediate key is compromised, the damage is limited to a specific zone.
If the root key is compromised, the damage is limited to a specific domain.

```text
Usage: mkpki [--seed <seed>] <command> [<args>]

mkpki.

Options:
  --seed            ONLY FOR TESTING: seed CSPRNG with `sha256(argument)`
  --help            display usage information

Commands:
  root              Create root certificate.
  intermediate      Create intermediate certificate.
  leaf              Create leaf certificate.
```

## Overview
```mermaid
flowchart TD
A(example.org) --> B(zone1.example.org)
A --> C(zone2.example.org)
B --> D(leaf1.zone1.example.org)
C --> E(leaf1.zone2.example.org)
C --> F(leaf2.zone2.example.org)
```

* The root CA is constrained to a specific domain, e.g., `example.org`, meaning that all certificates issued by the root CA are only ever valid for `example.org` and its subdomains.
* The intermediate CA is constrained to an even more specific domain, e.g., `zone1.example.org`, meaning that all certificates issued by the intermediate CA are only ever valid for `zone1.example.org` and its subdomains.
* The leaf certificates are typical X.509 leaf certificates and cannot be used for further issuance.
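As an added illustration (not code from mkpki), the following pure-Python model shows the validator-side check that gives those constraints their teeth: permittedSubtrees accumulate by intersection down the chain, so a zone intermediate cannot issue outside its zone, a rogue intermediate cannot widen its scope, and even the root cannot issue outside `example.org`. The `Cert` record, `validate_chain` and the sample chain are hypothetical constructs for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

def dns_in_subtree(name: str, subtree: str) -> bool:
    """dNSName rule of RFC 5280 4.2.1.10: the subtree 'example.org' matches
    example.org and every host below it, but not 'badexample.org'."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)

def intersect(old: list[str], new: list[str]) -> list[str]:
    """Intersect two permittedSubtrees sets: keep the narrower of each nested
    pair; disjoint pairs contribute nothing, so a CA can never widen its scope."""
    out = []
    for o in old:
        for n in new:
            if dns_in_subtree(n, o):
                out.append(n)
            elif dns_in_subtree(o, n):
                out.append(o)
    return out

@dataclass
class Cert:
    name: str                                           # dNSName it is issued for
    ca: bool = False                                    # basicConstraints cA
    permitted: list[str] = field(default_factory=list)  # permittedSubtrees

def validate_chain(chain: list[Cert]) -> tuple[bool, str]:
    """Walk root -> intermediate -> leaf; each name must satisfy the constraints
    of every CA above it (RFC 5280 6.1.4 accumulates them by intersection)."""
    permitted: Optional[list[str]] = None  # None = no constraint seen yet
    for i, cert in enumerate(chain):
        if i > 0:
            issuer = chain[i - 1]
            if not issuer.ca:
                return False, f"{issuer.name} is a leaf and cannot issue"
            if permitted is not None and not any(dns_in_subtree(cert.name, p) for p in permitted):
                return False, f"{cert.name} is outside permitted {permitted}"
        if cert.permitted:
            permitted = list(cert.permitted) if permitted is None else intersect(permitted, cert.permitted)
    return True, "every name lies inside the accumulated constraints"

# Constructed sample chain mirroring the README's diagram (not real certificates).
ROOT = Cert("example.org", ca=True, permitted=["example.org"])
ZONE1 = Cert("zone1.example.org", ca=True, permitted=["zone1.example.org"])
LEAF1 = Cert("leaf1.zone1.example.org")
```

Real validators apply the same logic to every dNSName in the subject alternative name extension, so a certificate listing an out-of-zone name anywhere in its SAN is rejected as a whole.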