Shellpki is a very small and simple command-line PKI.
Jérémy Dubois 42de07cb66 Add version to files that will be copied out of this repo so that we easily know if they will need an update 2022-04-14 16:21:38 +02:00
.gitignore Add .swp file to gitignore 2018-10-24 15:20:29 +02:00
CHANGELOG.md update changelog 2020-09-07 09:49:53 +02:00
LICENSE Shellpki is now MIT licensed 2018-12-26 14:17:45 +01:00
README.md Precising that the --end-date hour is in UTC +0 2022-04-14 15:53:59 +02:00
Vagrantfile Don't force Vagrant::DEFAULT_SERVER_URL (doesn't work with recent Vagrant version) 2020-02-10 15:12:30 +01:00
cert-expirations.sh Add version to files that will be copied out of this repo so that we easily know if they will need an update 2022-04-14 16:21:38 +02:00
cn-filter.sh Use logger for cn-filter 2018-03-01 16:24:27 +01:00
cn-validation.sh New script cn-validation.sh for OpenVPN 2021-06-14 14:30:34 +02:00
ocspd.service Add a delay for auto restart in systemd service 2018-06-27 19:04:59 +02:00
openssl.cnf Add version to files that will be copied out of this repo so that we easily know if they will need an update 2022-04-14 16:21:38 +02:00
shellpki Precising that the --end-date hour is in UTC +0 2022-04-14 15:53:59 +02:00

README.md

ShellPKI

This script is a wrapper around OpenSSL to manage a small PKI.

Install

Debian

useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R shellpki: /etc/shellpki
# visudo -f /etc/sudoers.d/shellpki
%shellpki ALL = (root) /usr/local/sbin/shellpki

OpenBSD

useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R _shellpki:_shellpki /etc/shellpki
# visudo -f /etc/sudoers
%_shellpki ALL = (root) /usr/local/sbin/shellpki

OpenVPN

To have shellpki generate OpenVPN config files automatically in /etc/shellpki/openvpn, create a template file at /etc/shellpki/ovpn.conf, e.g.:

client
dev tun
tls-client
proto udp

remote ovpn.example.com 1194

nobind
user nobody
group nogroup
persist-key
persist-tun

cipher AES-256-GCM

Usage

Usage: shellpki <subcommand> [options] [CommonName]

Initialize PKI (create CA key and self-signed certificate) :

shellpki init [options] <commonName_for_CA>

Options
    --non-interactive           do not prompt the user, and exit if an error occurs

Create a client certificate with key and CSR directly generated on server :

shellpki create [options] <commonName>

Options
    -f, --file, --csr-file      create a client certificate from a CSR (doesn't need key)
    -p, --password              prompt the user for a password to set on the client key
        --password-file         if provided with a path to a readable file, the first line is read and set as password on the client key
        --days                  specify how many days the certificate should be valid
        --end-date              specify until which date the certificate should be valid, in YYYY/MM/DD hh:mm:ss format, UTC +0
        --non-interactive       do not prompt the user, and exit if an error occurs
        --replace-existing      if the certificate already exists, revoke it before creating a new one

Revoke a client certificate :

shellpki revoke [options] <commonName>

Options
    --non-interactive           do not prompt the user, and exit if an error occurs

List all certificates :

shellpki list <options>

Options
    -a, --all                   list all certificates : valid and revoked ones
    -v, --valid                 list all valid certificates
    -r, --revoked               list all revoked certificates

Check expiration date of valid certificates :

shellpki check

Run OCSP_D server :

shellpki ocsp <ocsp_uri:ocsp_port>

Show version :

shellpki version

Show help :

shellpki help
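
The `--end-date` value is read as UTC and `--password-file` takes the key password from the first line of a file, so a scripted `shellpki create` has to convert a local expiry to UTC and keep that file private. The wrapper below is an added example, not part of shellpki; it assumes GNU `date`, a caller allowed to run shellpki through the sudoers rule from the Install section, and hypothetical function names and sample values.

```shell
#!/bin/sh
# Added example, not shellpki's own code. Assumes GNU date (for -d) and the
# sudoers rule shown in the Install section. Function names are hypothetical.

# Convert a timestamp carrying its own UTC offset into the
# "YYYY/MM/DD hh:mm:ss" UTC string that --end-date expects.
to_utc_end_date() {
    date -u -d "$1" '+%Y/%m/%d %H:%M:%S'
}

# Create a file readable only by its owner whose first line is a random
# password (24 random bytes, hex encoded), and print the file's path.
new_password_file() (
    umask 077
    pwfile=$(mktemp "${TMPDIR:-/tmp}/shellpki-pw.XXXXXX") || exit 1
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$pwfile"
    echo >> "$pwfile"
    printf '%s\n' "$pwfile"
)

# issue_cert <commonName> <expiry with UTC offset>
issue_cert() {
    cn=$1
    end=$(to_utc_end_date "$2") || { echo "bad expiry: $2" >&2; return 1; }
    # Refuse an expiry that is already in the past before touching the PKI.
    if [ "$(date -u -d "$2" +%s)" -le "$(date -u +%s)" ]; then
        echo "expiry is in the past: $end UTC" >&2
        return 1
    fi
    pwfile=$(new_password_file) || return 1
    if ! sudo /usr/local/sbin/shellpki create --non-interactive \
            --password-file "$pwfile" --end-date "$end" "$cn"; then
        rm -f "$pwfile"
        return 1
    fi
    echo "key password is in $pwfile; hand it over out of band, then delete it" >&2
}

# Example call (constructed values):
#   issue_cert laptop-alice '2030-06-30 23:59:59 +0200'
```
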

License

ShellPKI is an Evolix project and is licensed under the MIT license.