# ShellPKI

This script is a wrapper around OpenSSL to manage a small
[PKI](https://en.wikipedia.org/wiki/Public_key_infrastructure).

## Contribution

After an update of this repo, and if everything is working fine, some files must
be copied to [ansible-roles/openvpn](https://gitea.evolix.org/evolix/ansible-roles/src/branch/unstable/openvpn/files/shellpki).

## Install
### Debian

~~~
useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R shellpki: /etc/shellpki
~~~

~~~
# visudo -f /etc/sudoers.d/shellpki
%shellpki ALL = (root) /usr/local/sbin/shellpki
~~~

### OpenBSD

~~~
useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R _shellpki:_shellpki /etc/shellpki
~~~

~~~
# visudo -f /etc/sudoers
%_shellpki ALL = (root) /usr/local/sbin/shellpki
~~~

## OpenVPN

If you want auto-generation of the OpenVPN config file in
/etc/shellpki/openvpn, you need to create a template file in
/etc/shellpki/ovpn.conf, e.g.:


~~~
client
dev tun
tls-client
proto udp

remote ovpn.example.com 1194

nobind
user nobody
group nogroup
persist-key
persist-tun

cipher AES-256-GCM
~~~

## Usage

~~~
Usage: shellpki <subcommand> [options] [CommonName]
~~~

Initialize the PKI (create the CA key and self-signed certificate):

~~~
shellpki init [options] <commonName_for_CA>

Options
    --non-interactive    do not prompt the user, and exit if an error occurs
~~~

Create a client certificate, with the key and CSR generated directly on the server:

~~~
shellpki create [options] <commonName>

Options
    -f, --file, --csr-file    create a client certificate from a CSR (doesn't need key)
    -p, --password            prompt the user for a password to set on the client key
    --password-file           if provided with a path to a readable file, the first line is read and set as password on the client key
    --days                    specify how many days the certificate should be valid
    --end-date                specify until which date the certificate should be valid, in YYYY/MM/DD hh:mm:ss format, UTC +0
    --non-interactive         do not prompt the user, and exit if an error occurs
    --replace-existing        if the certificate already exists, revoke it before creating a new one
~~~

Revoke a client certificate:

~~~
shellpki revoke [options] <commonName>

Options
    --non-interactive    do not prompt the user, and exit if an error occurs
~~~

List all certificates:

~~~
shellpki list <options>

Options
    -a, --all        list all certificates: valid and revoked ones
    -v, --valid      list all valid certificates
    -r, --revoked    list all revoked certificates
~~~

Check the expiration date of valid certificates:

~~~
shellpki check
~~~

Run the OCSP_D server:

~~~
shellpki ocsp <ocsp_uri:ocsp_port>
~~~

Show version:

~~~
shellpki version
~~~

Show help:

~~~
shellpki help
~~~

## Loop
We can loop over a file to revoke or create many certificates at once.
To revoke:

~~~
$ read -rs CA_PASS    # -s: the CA passphrase is not echoed to the terminal
$ for cert_name in $(cat /path/to/file_certs_to_revoke); do
>     CA_PASSWORD=$CA_PASS shellpki revoke --non-interactive $cert_name
> done
~~~

To create (without `--replace-existing`) or renew (with `--replace-existing`), with a password on the client key:

~~~
$ read -rs CA_PASS    # -s: the CA passphrase is not echoed to the terminal
$ umask 077           # the generated .passwd files must not be readable by others
$ for cert_name in $(cat /path/to/file_certs_to_create); do
>     apg -n 1 -m 16 -M lcN > /path/to/folder/to/store/${cert_name}.passwd
>     CA_PASSWORD=$CA_PASS shellpki create --replace-existing --non-interactive \
>         --password-file /path/to/folder/to/store/${cert_name}.passwd ${cert_name}
> done
~~~

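As an added example (not the project's own code), a POSIX sh function that generalises the two loops above: it applies one shellpki subcommand to every CommonName listed in a file, continues past failures and returns how many failed, so a single bad entry does not silently abort a bulk run. It assumes CA_PASSWORD is already exported, as in the loops above, and uses an assumed SHELLPKI_CMD variable to name the executable.

```sh
# Added example, not part of ShellPKI. Assumes CA_PASSWORD is exported by the
# caller; SHELLPKI_CMD (assumed variable) names the executable to run.
SHELLPKI_CMD="${SHELLPKI_CMD:-shellpki}"

# bulk_shellpki <subcommand> <file> [extra options...]
#   e.g. bulk_shellpki revoke /path/to/file_certs_to_revoke
#        bulk_shellpki create /path/to/file_certs_to_create --replace-existing
# The file holds one CommonName per line; blank lines and '#' comments are
# skipped. `while read -r` keeps each name intact instead of word-splitting
# the whole file as `for x in $(cat file)` does. --non-interactive is always
# appended so a prompt can never stall an unattended run.
# Returns the number of CommonNames that failed (the shell caps it at 255).
bulk_shellpki() {
    _sub="$1"
    _file="$2"
    shift 2
    _failed=0
    # `|| [ -n "$_cn" ]` also processes a final line that lacks a newline.
    while IFS= read -r _cn || [ -n "$_cn" ]; do
        case "$_cn" in
            ''|'#'*) continue ;;
        esac
        # Options precede the CommonName: shellpki <subcommand> [options] [CommonName]
        if "$SHELLPKI_CMD" "$_sub" "$@" --non-interactive "$_cn"; then
            printf '%s: %s ok\n' "$_sub" "$_cn"
        else
            printf '%s: %s FAILED\n' "$_sub" "$_cn" >&2
            _failed=$((_failed + 1))
        fi
    done < "$_file"
    return "$_failed"
}
```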
## License

ShellPKI is an [Evolix](https://evolix.com) project and is licensed
under the [MIT license](LICENSE).