CA management utility.
Shell ApacheConf HTML CSS
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
CAconnect
apache-example
bin
README
examples.bash
flipped.bash

README

  CAdir is a script for managing an x509 Certificate Authority, offering
  request signing and queries of the CA.

  CAdir receives the request or query parameters on standard in, locks the CA
  with a POSIX lock and performs the requested action. One use case for CAdir
  is as an SSH forced command, allowing nodes in a cluster of computers to
  concurrently make authenticated requests of the CA.


                                                              Command Language
   ----------------------------------------------------------------------------

    <request>     = sign<nl><request bytes>   # Sign the request.
                  | crt                       # Get the CA cert.
                  | crl                       # Obtain an up to date CRL.


                                Creating A Certificate Authority & Using CAdir
   ----------------------------------------------------------------------------

    To create a certificate authority with OpenSSL is easy, if hard to uncover:

      openssl req -new -newkey rsa:2048 -x509 -days 1095 \
                  -keyout ca.key -out ca.crt \
                  -subj '/CN=example.com/O=ECom/C=US/ST=Oregon/L=Portland'

    It will ask you to enter a password for your key; this is a good
    practice. When you deploy CAdir, unencrypt your key:

      openssl rsa < ./ca.key > ./ca.plain.key

    CAdir will prefer a file called `ca.plain.key' if it exists. Otherwise, it
    uses `ca.key'. Now create a new private key and certificate signing
    request:

      openssl req -new -newkey rsa:2048 -nodes -keyout mail.key -out mail.csr \
                  -subj '/CN=mail.example.com/O=ECom/C=US/ST=Oregon/L=Portland'

    Here, you are creating a key for your mail server. The `nodes' option
    causes OpenSSL to skip asking you to encrypt the key (probably okay for
    your mail server).

    Let's sign the certificate signing request to get a signed cert:

      (echo -n 'sign :' ; cat ./mail.csr) | CAdir ./ | sed 1d > ./mail.crt

    (We strip off the first line with Sed because that is CAdir's status
    message.) Look upon your cert, marvel at its beauty:

      openssl x509 -text < ./mail.crt

    CAdir has a bunch of things to say, which it will put on STDOUT. Much of
    this info is placed in ./CAdir/log, as well. CAdir has an option to log to
    syslog, too.


                                          Using CAdir As An SSH Forced Command
   ----------------------------------------------------------------------------

    The CAdir command is meant to be used as an SSH forced command. It
    carefully handles both input and output to prevent the underlying system
    from being compromised.

    Here is an example of an authorized_keys file with CAdir as a forced
    command for one of the keys:

      ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAorDE3jQONw+sixlnuJ3d2qlqi0KLUyPohT86ZOBKtJPeRQ082/DJ1qSVI1c/hnPEIU7ymbKcOWT5fP1kaBRv4jOKzQYwZb083rBr5kv50F3HgOnTWs/9Z1b80+Bn69N/BcQmwTlgKBv3FQ+8vjtJ1Q1X3++pgUBRm5aD3JyCcLGPVJHPlLTbXEoYGJUBxZb58pw+PbH+FyakaRN8xTSrOg1BygvQpFrBIVRlyFgtPKBOruWYTv05M645q6/MTmfeBlQYFzTJz8yqub6EWy2dHlQjMkQgO+3sbgBCe3J+ikm4RoVGO5CXnXLQXtyKzbMnumapjwx7TaaegUDZIDSvyw== jason

      command="~/CAdir/bin/CAdir ~/ca --syslog" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqAFL/UT+YhKObrXpMQM2BbS7LmCLXBcE9UrgLFuDNAGltnRxB17lCyXtJJivqV5pZApUHNL8XC21d7sy+I5oUgxwpwgL53foEB2G8BLlzEPGcBA47lpeMiW2OrfXsuUDk8oBlV5/3SNQ2rhEUVWzXEk0mHPtRe99HYEsGK4F3mgpEiuenf20qYiEkhLGDJB2u5N8aTuoI7vIklxejMXXJRSUvg9xbCnLSsDkFvElLS7cmhAu1zAwf03tZia5pC+ZRIHMQP5tihhqOzuLW1fENmq3v39hAFVVu7FRHcztm3v8iON56If6GZIFx3WH18OPBdrySfTl8fAmNz9o/HCBaQ== ca-connector

    You can distribute the private part of the key pair wherever you like and
    (crosses fingers) the holder can sign certs but can not access the CA's
    private key directly.


                                                                   CAdir.admin
   ----------------------------------------------------------------------------

    An example: setup a certificate authority, sign a CSR, revoke the cert
    and fetch the CRL.

      CAdir.admin setup ./foo
      (echo sign ; cat mail.csr) | CAdir ./foo | sed 1d > mail.crt
      CAdir.admin revoke cn=mail.example.com ./foo
      echo csr | CAdir ./foo | sed 1d > example.crl