Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/solidsnack/cadir
CA management utility.
https://github.com/solidsnack/cadir
Last synced: about 1 month ago
JSON representation
CA management utility.
- Host: GitHub
- URL: https://github.com/solidsnack/cadir
- Owner: solidsnack
- Created: 2010-12-30T02:48:10.000Z (almost 14 years ago)
- Default Branch: master
- Last Pushed: 2015-06-05T00:25:21.000Z (over 9 years ago)
- Last Synced: 2023-04-09T12:18:33.597Z (over 1 year ago)
- Language: Shell
- Homepage:
- Size: 144 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README
Awesome Lists containing this project
README
CAdir is a script for managing an x509 Certificate Authority, offering
request signing and queries of the CA.CAdir receives the request or query parameters on standard in, locks the CA
with a POSIX lock and performs the requested action. One use case for CAdir
is as an SSH forced command, allowing nodes in a cluster of computers to
concurrently make authenticated requests of the CA.Command Language
----------------------------------------------------------------------------= sign # Sign the request.
| crt # Get the CA cert.
| crl # Obtain an up to date CRL.Creating A Certificate Authority & Using CAdir
----------------------------------------------------------------------------To create a certificate authority with OpenSSL is easy, if hard to uncover:
openssl req -new -newkey rsa:2048 -x509 -days 1095 \
-keyout ca.key -out ca.crt \
-subj '/CN=example.com/O=ECom/C=US/ST=Oregon/L=Portland'It will ask you to enter a password for your key; this is a good
practice. When you deploy CAdir, unencrypt your key:openssl rsa < ./ca.key > ./ca.plain.key
CAdir will prefer a file called `ca.plain.key' if it exists. Otherwise, it
uses `ca.key'. Now create a new private key and certificate signing
request:openssl req -new -newkey rsa:2048 -nodes -keyout mail.key -out mail.csr \
-subj '/CN=mail.example.com/O=ECom/C=US/ST=Oregon/L=Portland'Here, you are creating a key for your mail server. The `nodes' option
causes OpenSSL to skip asking you to encrypt the key (probably okay for
your mail server).Let's sign the certificate signing request to get a signed cert:
(echo -n 'sign :' ; cat ./mail.csr) | CAdir ./ | sed 1d > ./mail.crt
(We strip off the first line with Sed because that is CAdir's status
message.) Look upon your cert, marvel at its beauty:openssl x509 -text < ./mail.crt
CAdir has a bunch of things to say, which it will put on STDOUT. Much of
this info is placed in ./CAdir/log, as well. CAdir has an option to log to
syslog, too.Using CAdir As An SSH Forced Command
----------------------------------------------------------------------------The CAdir command is meant to be used as an SSH forced command. It
carefully handles both input and output to prevent the underlying system
from being compromised.Here is an example of an authorized_keys file with CAdir as a forced
command for one of the keys:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAorDE3jQONw+sixlnuJ3d2qlqi0KLUyPohT86ZOBKtJPeRQ082/DJ1qSVI1c/hnPEIU7ymbKcOWT5fP1kaBRv4jOKzQYwZb083rBr5kv50F3HgOnTWs/9Z1b80+Bn69N/BcQmwTlgKBv3FQ+8vjtJ1Q1X3++pgUBRm5aD3JyCcLGPVJHPlLTbXEoYGJUBxZb58pw+PbH+FyakaRN8xTSrOg1BygvQpFrBIVRlyFgtPKBOruWYTv05M645q6/MTmfeBlQYFzTJz8yqub6EWy2dHlQjMkQgO+3sbgBCe3J+ikm4RoVGO5CXnXLQXtyKzbMnumapjwx7TaaegUDZIDSvyw== jason
command="~/CAdir/bin/CAdir ~/ca --syslog" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqAFL/UT+YhKObrXpMQM2BbS7LmCLXBcE9UrgLFuDNAGltnRxB17lCyXtJJivqV5pZApUHNL8XC21d7sy+I5oUgxwpwgL53foEB2G8BLlzEPGcBA47lpeMiW2OrfXsuUDk8oBlV5/3SNQ2rhEUVWzXEk0mHPtRe99HYEsGK4F3mgpEiuenf20qYiEkhLGDJB2u5N8aTuoI7vIklxejMXXJRSUvg9xbCnLSsDkFvElLS7cmhAu1zAwf03tZia5pC+ZRIHMQP5tihhqOzuLW1fENmq3v39hAFVVu7FRHcztm3v8iON56If6GZIFx3WH18OPBdrySfTl8fAmNz9o/HCBaQ== ca-connector
You can distribute the private part of the key pair wherever you like and
(crosses fingers) the holder can sign certs but can not access the CA's
private key directly.CAdir.admin
----------------------------------------------------------------------------An example: setup a certificate authority, sign a CSR, revoke the cert
and fetch the CRL.CAdir.admin setup ./foo
(echo sign ; cat mail.csr) | CAdir ./foo | sed 1d > mail.crt
CAdir.admin revoke cn=mail.example.com ./foo
echo csr | CAdir ./foo | sed 1d > example.crl