https://github.com/openxpki/clca

Command line CA, including bootable Root CA medium and Secret Sharing
bootable command-line offline-root pki root-ca secret-sharing

README

# Interactive Secret Sharing CA runbook example
This is an example runbook for an interactive key ceremony using Secret Sharing.

2013-12-16 Martin Bartosch

# Creation of a secret share set and CA initialization

Assumptions:
3072 bit RSA key protected by a 128 bit random pass phrase.
The pass phrase is split into 5 shares, of which any 3 are needed to perform CA operations.

```bash
# 1. Preparation of CLCA configuration

export K=3
export N=5
rm -rf dummyca/
mkdir -p dummyca/etc
mkdir -p dummyca/private/
chmod 700 dummyca/private/
cp etc/clca.cfg dummyca/etc/
cp etc/openssl.cnf dummyca/etc/

# append a pass phrase callback that reconstructs the secret from K of the N shares
# (backticks and $PASSPHRASE are escaped so they end up literally in the config file;
# $N and $K are expanded now)
cat <<EOF >>dummyca/etc/clca.cfg
get_passphrase() {
eval \`../bin/secret get --n $N --k $K\`
echo \$PASSPHRASE
}
EOF

# 2. Generate CA key and perform secret sharing.
#
# Required: you need N=5 persons for safekeeping of the CA shares.

eval `./bin/secret generate --n $N --k $K`
openssl genrsa -aes256 -passout env:PASSPHRASE -out dummyca/private/rsa-rootkey 3072

# Each share holder must copy the displayed share literally and keep it.

# 3. Create the CA certificate

cd dummyca
../bin/clca initialize

# 4. Create initial CRL

../bin/clca issuecrl

# 5. Sign certificate

../bin/clca certify --profile foo REQUEST
```

## Replacing a secret share set

If a share gets lost, or if the existing quorum should be changed to a different one, the secret share set can be recreated from scratch, replacing the old share set with a completely new one.

This is done by decrypting the private key with the old quorum and re-encrypting it with a newly created quorum, which also changes the underlying pass phrase.

Please note that the old private key file together with the old share set will still be sufficient to unlock the private key, so make sure to destroy the old set and the old key file once it has been verified that the new share set works.

The following procedure (also available as bin/change-quorum.sh) can be applied to perform this task.

Please note that you need to edit the script to adapt old and new quorum parameters. The script will fail if these parameters are not correct.

```bash
#!/bin/bash -e
#
# 2019-12 Martin Bartosch
# This script can assist CA Administrators in recreating a secret sharing
# quorum.

# specify old (existing) quorum
K_OLD=3
N_OLD=5

# new quorum, default: identical to old quorum
K_NEW=$K_OLD
N_NEW=$N_OLD

KEY_OLD="$1"
KEY_NEW="$2"

if [ -z "$KEY_NEW" ] ; then
cat <
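The threshold scheme that both the runbook above (a 3-of-5 share set guarding the CA pass phrase) and the quorum replacement just described rely on, as an added Python example. This is not clca's code: clca's `secret` tool is its own implementation and this page does not describe its internals, so the prime field, the hex encoding of the pass phrase, and the function names below are assumptions.

```python
# Added example (not clca's own code): a minimal Shamir threshold scheme that
# models what the runbook relies on from `secret generate` / `secret get`:
# a 128-bit pass phrase split into N shares of which any K recover it, and a
# quorum change that recovers the old pass phrase from K_OLD shares and issues
# a fresh pass phrase under a new (K_NEW, N_NEW) share set.
import secrets

# Field for the share arithmetic (assumption; clca's tool may use another).
# 2^521 - 1 is a Mersenne prime, far larger than any 128-bit pass phrase.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split an integer secret into n shares (x, y); any k of them recover it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret does not fit the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than k distinct shares this
    still returns a value, but a wrong one: the quorum must be enforced by
    the tool and the ceremony, not by the arithmetic."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def generate_share_set(k, n):
    """Model of `secret generate --n N --k K`: a fresh 128-bit hex pass phrase
    (what env:PASSPHRASE carries) plus its n shares."""
    passphrase = secrets.token_hex(16)
    return passphrase, split_secret(int(passphrase, 16), k, n)


def passphrase_from_shares(shares):
    """Model of `secret get`: rebuild the hex pass phrase from a quorum."""
    return format(recover_secret(shares), "032x")


def change_quorum(old_quorum, k_new, n_new):
    """Replace a share set: recover the old pass phrase from K_OLD old shares,
    then issue a new pass phrase with a (k_new, n_new) share set. The caller
    re-encrypts the key file with the pair (old pass phrase in, new one out)
    and verifies the new file before destroying the old key file and shares."""
    old_pass = passphrase_from_shares(old_quorum)
    new_pass, new_shares = generate_share_set(k_new, n_new)
    return old_pass, new_pass, new_shares


if __name__ == "__main__":
    pp, shares = generate_share_set(k=3, n=5)            # runbook step 2
    print("shares handed out:", len(shares))
    print("3 of 5 recover:", passphrase_from_shares(shares[1:4]) == pp)
    print("2 of 5 recover:", passphrase_from_shares(shares[:2]) == pp)
    old, new, new_shares = change_quorum([shares[0], shares[2], shares[4]], 3, 5)
    print("old recovered:", old == pp, "new share set:", len(new_shares))
```

The `change_quorum` step only produces the two pass phrases; the actual re-encryption is the `openssl rsa -passin env:OLD -aes256 -passout env:NEW` style step that `bin/change-quorum.sh` performs, and the modulus of the re-encrypted key should be compared with the old one before the old key file and share set are destroyed. Note also that `recover_secret` returns garbage rather than an error when handed fewer than K shares, which is why the runbook insists on a fixed K and on share holders keeping their shares verbatim.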