Generate and manage an internal CA for your company
HTML Shell Other Makefile
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
bin
lib
share
.gitignore
.travis.yml
LICENSE
Makefile
README.md
test.sh

README.md

Certified

It's a scary Internet out there. All your company's internal apps and service-to-service communication should be encrypted. Certified will help you generate all the certificates you need to make that happen.

Installation

sudo apt-get install ruby-ronn
sudo make install

For some version of apt-get and some version of ruby-ronn. The point being you need to make sure you have ronn installed.

Or from packages.rcrowley.org on Debian or Ubuntu:

echo "deb http://packages.rcrowley.org $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/rcrowley.list
sudo wget -O /etc/apt/trusted.gpg.d/rcrowley.gpg http://packages.rcrowley.org/keyring.gpg
sudo apt-get update
sudo apt-get -y install certified

All you need is /bin/sh, GNU coreutils, and OpenSSL.

Usage

Generate your CA:

certified-ca C="US" ST="CA" L="San Francisco" O="Example" CN="Example CA"

You're going to want to trust the root CA certificate on all your laptops and servers. See Trust your CA in the wiki to learn how.

Generate a wildcard certificate:

certified CN="internal.example.com" +"*.internal.example.com"

Generate a certificate with several DNS names:

certified CN="ops.example.com" +"git.ops.example.com" +"jenkins.ops.example.com"

Generate a certificate for an IP address:

certified CN="localhost" +"127.0.0.1"

Install your certificates on all your servers.

The wiki further documents common usage patterns and how to use your CA with various browsers, operating systems, and programming languages.

TODO

  • Example TLS clients that verify certificates with the CA (in various languages).
  • Example TLS servers that use one of these certificates (in various languages).
  • Help users with PFS.
  • Help users with session resumption.
  • Help users run OSCP responders.

TODONE

  • Generate a CA.
  • Generate certificates signed by the CA.
  • Generate self-signed certificates.
  • Revoke and regenerate certificates.
  • Support DNS and IP subject alternative names.
  • Prevent invalid DNS names, wildcards, and IPs.
  • Commit changes to a Git repository.
  • Generate basic CRLs.
  • Installer.
  • Uninstaller.
  • man pages.
  • Document how to install the CA on Linux.
  • Document how to install the CA so browsers can use it.
  • Document how to run a CA like Betable's.
  • Decouple private keys and certificate signing requests from the signing itself.
  • Document GPG-encrypted backups of your CA.
  • YAML generator for use with Hiera/Puppet.
  • Document how to run an autosigning sub-CA.
  • Tag certificates with CRL distribution points and OCSP responder URLs.
  • Command for listing every certificate to support automation.
  • Document revoking and regenerating the entire CA.