certified's Introduction

rcrowley's home

This repository is meant to be my home directory, which, if you're not provisioning systems with Puppet code that does this for you, is a slightly awkward thing to accomplish. I do roughly the following with new boxen:

cd
git init
git remote add "origin" "git://github.com/rcrowley/home.git"
git remote update "origin"
git pull "origin" "master"

certified's People

Contributors

joemiller, nbrownus, pengyao, rcrowley, roguelazer, straup, vanne

certified's Issues

sha1 default probably not ideal

Sha1 as the default is probably not ideal, and there doesn't seem to be a straightforward way to use a different signature algorithm.

allow generating encrypted keys

Hello!

I've been playing with certified and it looks pretty cool so far. One thing that would be nice to have is an option to generate encrypted keys for more than just the root CA; for now, I've been piping the generated keys through `openssl rsa -des3 -in blah -out blah` to encrypt them, but I'd be more comfortable if they were never on disk in plaintext in the first place.
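One way to get what this issue asks for with plain openssl, as an added example that is not part of certified or of the original post: the key is encrypted as it is generated, so no plaintext copy is ever written. The function names and the choice of AES-256 and PKCS#8 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of certified. Function names are hypothetical.

# gen_encrypted_key OUTFILE [BITS]
# Reads the passphrase from stdin and writes an AES-256 encrypted PKCS#8
# RSA key. The unencrypted key exists only in openssl's memory.
gen_encrypted_key() {
    out=$1 bits=${2:-2048}
    (
        umask 077    # the key file is created owner-only
        openssl genpkey -algorithm RSA \
            -pkeyopt "rsa_keygen_bits:$bits" \
            -aes-256-cbc -pass stdin -out "$out"
    )
}

# key_is_encrypted FILE
# Succeeds only if the PEM headers mark the key as encrypted, in either the
# PKCS#8 form or the traditional form that `openssl rsa -des3` can produce.
key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e 'Proc-Type: 4,ENCRYPTED' "$1"
}
```

Feed the passphrase with a shell builtin, for example `printf '%s\n' "$passphrase" | gen_encrypted_key server.key`, so it does not appear in any process's argument list.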

certified always cats `ca.crt` even when you select an alternate issuer

I'm trying to do a multi-intermediate certified hierarchy roughly like the following:

root-ca
 - ca-for-product-a
 - ca-for-product-b

I can generate the intermediates with `certified --ca --issuer="root-ca"` and then use them with `certified --issuer="ca-for-product-a"` and everything mostly works; however, when certified prints the certificate chain, it always cats `certs/ca.crt` instead of the actual intermediate certificate.

Add a "--no-git" mode

Hi,

We already have a git repository of certificates, and it would be ideal for us if this did not also try to make one. We'd rather have this be a subdirectory (not a submodule) within that repo.

Thanks!

crl dp urls not being properly added to root and intermediate ca certs

When creating a new root and intermediate CA with the `--root-crl-url` and `--crl-url` params, I expected the root-ca.crt would contain a CRL DP matching the root-crl-url and the intermediate ca.crt would contain the crl-url, but I only see the root-crl-url in the intermediate ca.crt and no crl dp in the root-ca.crt. My expectation was that the root-ca.crt would contain the `--root-crl-url` and the intermediate ca.crt would contain the `--crl-url`. Is this a bug?

certified-ca --db=test --root-password='test' \
   --root-crl-url=https://example.tld/rootca.crl  \
   --crl-url=https://example.tld/ca.crl \
   --ocsp-url=https://ocsp.example.tld \
   C="US" ST="CA" L="San Francisco" O="joe" CN=testCA

openssl x509 -text -noout -in test/certs/root-ca.crt | grep -i crl
                Non Repudiation, Certificate Sign, CRL Sign

openssl x509 -text -noout -in test/certs/ca.crt | grep -i crl
            X509v3 CRL Distribution Points:
                  URI:https://home.joeym.net/rootca.crl
                Non Repudiation, Certificate Sign, CRL Sign
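A repeatable form of the check the issue does by eye with `grep -i crl`, as an added example that is not part of certified or of the original post: it reads `openssl x509 -text -noout` output on stdin, extracts only the URIs under the CRL Distribution Points extension, and compares them with the URL each certificate is expected to carry. The function names and the two sample texts are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of certified. Input: `openssl x509 -text -noout` output.

# Print every URI listed under "X509v3 CRL Distribution Points", one per line.
crl_dp_uris() {
    awk '
        /X509v3 CRL Distribution Points:/ { in_dp = 1; next }
        in_dp && /URI:/ { sub(/^.*URI:/, ""); sub(/[ \t]+$/, ""); print; next }
        in_dp && /^[ \t]*(Full Name:)?[ \t]*$/ { next }   # sub-header or blank line
        in_dp { in_dp = 0 }                                # next extension begins
    '
}

# check_crl_dp EXPECTED_URL < cert-text
# Returns 0 on a match, 1 on a different URL, 2 when the extension is absent.
check_crl_dp() {
    expected=$1
    found=$(crl_dp_uris)
    if [ -z "$found" ]; then
        echo "MISSING: no CRL distribution point (expected $expected)"
        return 2
    fi
    if printf '%s\n' "$found" | grep -qxF -- "$expected"; then
        echo "OK: $expected"
        return 0
    fi
    echo "MISMATCH: expected $expected, found $found"
    return 1
}

# Constructed samples shaped like the outcome described in the issue.
sample_root_text() {
    cat <<'EOF'
            X509v3 Key Usage: critical
                Non Repudiation, Certificate Sign, CRL Sign
EOF
}
sample_intermediate_text() {
    cat <<'EOF'
            X509v3 Key Usage: critical
                Non Repudiation, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://example.tld/rootca.crl

            Authority Information Access:
                OCSP - URI:https://ocsp.example.tld
EOF
}
```

Against real files the call is `openssl x509 -text -noout -in test/certs/ca.crt | check_crl_dp https://example.tld/ca.crl`; the non-zero exit codes make it usable as a gate before a new CA certificate is distributed.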

sed commands fail on OS X

There is 1 sed command in the scripts (bin/certified-crt:53) that fails on OS X.
OS X sed (BSD) handles the -i option differently than the GNU/Linux one.
On OS X you have to specify a backup extension (which can be empty).

A syntax which seems to work for both BSD and GNU sed versions is

sed -i.bak 's/foo/bar/' file

This leaves you with a backup file though.

Updated: only 1 sed command fails, not all 3
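An alternative that avoids `-i` altogether and leaves no backup file, as an added example that is not code from certified or from the original post: the edit goes to a temporary file next to the target and is then written back, so it behaves the same with BSD and GNU sed. The function name `sed_inplace` is hypothetical.

```shell
#!/bin/sh
# Added example, not part of certified. The function name is hypothetical.

# sed_inplace SCRIPT FILE
# Apply SCRIPT to FILE without relying on `sed -i`.
sed_inplace() {
    script=$1 file=$2
    # mktemp creates the scratch file with owner-only permissions, which
    # matters when FILE sits in a CA directory next to private keys.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if sed -e "$script" "$file" >"$tmp"; then
        # Write back into the existing file so its owner, mode and hard
        # links are kept; a `mv` would swap in the 0600 scratch file.
        cat "$tmp" >"$file"
        rc=$?
    else
        rc=1    # sed failed: FILE is left untouched
    fi
    rm -f "$tmp"
    return "$rc"
}
```

The write-back is not atomic; where that matters more than preserving the file's mode, replace the `cat` with `mv "$tmp" "$file"` and reset the permissions afterwards.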

Weird string_mask behaviour on Mac OS X 10.9.5

My co-worker generated a CA and some certificates using the openssl version that comes bundled with Mac OS X 10.9.4, and everything worked fine. I, on the other hand, running Mac OS X 10.9.5, am unable to generate any certificates (using the same CA files and whatnot), and the failure message I receive is:

The localityName field needed to be the same in the
CA certificate (Göteborg) and the request (Göteborg).

After scavenging through some websites and man pages I found the option `string_mask` and tried to explicitly set the option in the configuration that's generated here to `default`, and after that it works fine (and the city name is displayed correctly).

Unfortunately I don't know which version of openssl is used on Mac OS X 10.9.4, but on 10.9.5 it's OpenSSL 0.9.8za, though I believe Apple has rolled their own version of openssl.

Bottom line is whether it's possible to support different string_mask configuration values in certified in some non-invasive way? Or is there some other way we can work around this? (Besides forking the project and simply adding the configuration option...).

repo does not have a Release file

When trying to use the packages.rcrowley.org repo I am told:

The repository 'http://packages.rcrowley.org main Release' does not have a Release file.

I am running Debian testing, and would prefer to install certified as a package over a git repo for ease of keeping it up-to-date.
