Shellpki is a very tiny and easy PKI in command lines.

shell security tls

Jérémy Dubois 480ead3ff2 Merge pull request 'rewrite' (#5 ) from dev into master Reviewed-on: #5		1 month ago
.gitignore	Add .swp file to gitignore	4 years ago
CHANGELOG.md	Release 22.04	1 month ago
LICENSE	Shellpki is now MIT licensed	3 years ago
README.md	Some files must be copied to ansible-roles/openvpn	1 month ago
Vagrantfile	Don't force Vagrant::DEFAULT_SERVER_URL (doesn't work with recent Vagrant version)	2 years ago
cert-expirations.sh	Add version to files that will be copied out of this repo so that we easily know if they will need an update	1 month ago
cn-filter.sh	Use logger for cn-filter	4 years ago
cn-validation.sh	New script cn-validation.sh for OpenVPN	12 months ago
ocspd.service	Add a delay for auto restart in systemd service	4 years ago
openssl.cnf	Add version to files that will be copied out of this repo so that we easily know if they will need an update	1 month ago
shellpki	Precising that the --end-date hour is in UTC +0	1 month ago

README.md

ShellPKI

This script is a wrapper around OpenSSL to manage a small PKI.

Contribution

After an update of this repo and if everything is working fine, some files must be copied to ansible-roles/openvpn

Install

Debian

useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R shellpki: /etc/shellpki

# visudo -f /etc/sudoers.d/shellpki
%shellpki ALL = (root) /usr/local/sbin/shellpki

OpenBSD

useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R _shellpki:_shellpki /etc/shellpki

# visudo -f /etc/sudoers
%_shellpki ALL = (root) /usr/local/sbin/shellpki

OpenVPN

If you want auto-generation of the OpenVPN config file in /etc/shellpki/openvpn, you need to create a template file in /etc/shellpki/ovpn.conf, eg. :

client
dev tun
tls-client
proto udp

remote ovpn.example.com 1194

nobind
user nobody
group nogroup
persist-key
persist-tun

cipher AES-256-GCM

Usage

Usage: shellpki <subcommand> [options] [CommonName]

Initialize PKI (create CA key and self-signed certificate) :

shellpki init [options] <commonName_for_CA>

Options
    --non-interactive           do not prompt the user, and exit if an error occurs

Create a client certificate with key and CSR directly generated on server :

shellpki create [options] <commonName>

Options
    -f, --file, --csr-file      create a client certificate from a CSR (doesn't need key)
    -p, --password              prompt the user for a password to set on the client key
        --password-file         if provided with a path to a readable file, the first line is read and set as password on the client key
        --days                  specify how many days the certificate should be valid
        --end-date              specify until which date the certificate should be valid, in YYYY/MM/DD hh:mm:ss format, UTC +0
        --non-interactive       do not prompt the user, and exit if an error occurs
        --replace-existing      if the certificate already exists, revoke it before creating a new one

Revoke a client certificate :

shellpki revoke [options] <commonName>

Options
    --non-interactive           do not prompt the user, and exit if an error occurs

List all certificates :

shellpki list <options>

Options
    -a, --all                   list all certificates : valid and revoked ones
    -v, --valid                 list all valid certificates
    -r, --revoked               list all revoked certificates

Check expiration date of valid certificates :

shellpki check

Run OCSP_D server :

shellpki ocsp <ocsp_uri:ocsp_port>

Show version :

shellpki version

Show help :

shellpki help

License

ShellPKI is an Evolix project and is licensed under the MIT license.