Shellpki is a very tiny and easy PKI in command lines.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Go to file
Jérémy Dubois a026f2dbd4
README forgot a line
6 months ago
.gitignore Add .swp file to gitignore 4 years ago
CHANGELOG.md Release 22.04 10 months ago
LICENSE Shellpki is now MIT licensed 4 years ago
README.md README forgot a line 6 months ago
Vagrantfile Don't force Vagrant::DEFAULT_SERVER_URL (doesn't work with recent Vagrant version) 3 years ago
cert-expirations.sh Add version to files that will be copied out of this repo so that we easily know if they will need an update 10 months ago
cn-filter.sh Use logger for cn-filter 5 years ago
cn-validation.sh New script cn-validation.sh for OpenVPN 2 years ago
ocspd.service Add a delay for auto restart in systemd service 5 years ago
openssl.cnf Add version to files that will be copied out of this repo so that we easily know if they will need an update 10 months ago
shellpki Precising that the --end-date hour is in UTC +0 10 months ago

README.md

ShellPKI

This script is a wrapper around OpenSSL to manage a small PKI.

Contribution

After an update of this repo and if everything is working fine, some files must be copied to ansible-roles/openvpn

Install

Debian

useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R shellpki: /etc/shellpki
# visudo -f /etc/sudoers.d/shellpki
%shellpki ALL = (root) /usr/local/sbin/shellpki

OpenBSD

useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R _shellpki:_shellpki /etc/shellpki
# visudo -f /etc/sudoers
%_shellpki ALL = (root) /usr/local/sbin/shellpki

OpenVPN

If you want auto-generation of the OpenVPN config file in /etc/shellpki/openvpn, you need to create a template file in /etc/shellpki/ovpn.conf, eg. :

client
dev tun
tls-client
proto udp

remote ovpn.example.com 1194

nobind
user nobody
group nogroup
persist-key
persist-tun

cipher AES-256-GCM

Usage

Usage: shellpki <subcommand> [options] [CommonName]

Initialize PKI (create CA key and self-signed certificate) :

shellpki init [options] <commonName_for_CA>

Options
    --non-interactive           do not prompt the user, and exit if an error occurs

Create a client certificate with key and CSR directly generated on server :

shellpki create [options] <commonName>

Options
    -f, --file, --csr-file      create a client certificate from a CSR (doesn't need key)
    -p, --password              prompt the user for a password to set on the client key
        --password-file         if provided with a path to a readable file, the first line is read and set as password on the client key
        --days                  specify how many days the certificate should be valid
        --end-date              specify until which date the certificate should be valid, in YYYY/MM/DD hh:mm:ss format, UTC +0
        --non-interactive       do not prompt the user, and exit if an error occurs
        --replace-existing      if the certificate already exists, revoke it before creating a new one

Revoke a client certificate :

shellpki revoke [options] <commonName>

Options
    --non-interactive           do not prompt the user, and exit if an error occurs

List all certificates :

shellpki list <options>

Options
    -a, --all                   list all certificates : valid and revoked ones
    -v, --valid                 list all valid certificates
    -r, --revoked               list all revoked certificates

Check expiration date of valid certificates :

shellpki check

Run OCSP_D server :

shellpki ocsp <ocsp_uri:ocsp_port>

Show version :

shellpki version

Show help :

shellpki help

Loop

We can loop over a file to revoke or create many certificates at once.

To revoke :

$ read CA_PASS
$ for cert_name in $(cat /path/to/file_certs_to_revoke); do CA_PASSWORD=$CA_PASS shellpki revoke $cert_name --non-interactive ; done

To create (without --replace-existing) or renew (with --replace-existing), with a password on the client key :

$ read CA_PASS
$ for cert_name in $(cat /path/to/file_certs_to_create); do apg -n 1 -m 16 -M lcN > /path/to/folder/to/store/${cert_name}.passwd; CA_PASSWORD=$CA_PASS shellpki create --replace-existing --non-interactive --password-file /path/to/folder/to/store/${cert_name}.passwd ${cert_name}; done

License

ShellPKI is an Evolix project and is licensed under the MIT license.