Shellpki is a very small, easy-to-use command-line PKI.

ShellPKI

This script is a wrapper around OpenSSL to manage a small PKI.

Install

Debian

useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R shellpki: /etc/shellpki
# visudo -f /etc/sudoers.d/shellpki
%shellpki ALL = (root) /usr/local/sbin/shellpki

OpenBSD

useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
mkdir /etc/shellpki
install -m 0640 openssl.cnf /etc/shellpki/
install -m 0755 shellpki /usr/local/sbin/shellpki
chown -R _shellpki:_shellpki /etc/shellpki
# visudo -f /etc/sudoers
%_shellpki ALL = (root) /usr/local/sbin/shellpki
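The install steps above leave the CA material under /etc/shellpki, readable only by the shellpki account and root. The following script is an added example (not part of shellpki) that checks that layout after installation: the account exists, the directory is owned by it, and neither group-write nor any "other" permission is set. Directory, owner and sudoers path are parameters so the same checks fit the Debian (shellpki, /etc/sudoers.d/shellpki) and OpenBSD (_shellpki, /etc/sudoers) variants; the sudoers check only runs where visudo is installed.

```shell
#!/bin/sh
# Added example, not part of shellpki: post-install sanity checks.

# check_private_dir DIR OWNER
# Returns 0 when DIR exists, is owned by OWNER, is not group-writable and
# grants nothing to "other". Parses `ls -ld`, which has the same layout on
# GNU and BSD userlands (stat(1) flags differ between the two).
check_private_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    set -- $(ls -ld "$dir")        # $1 = mode string, $3 = owner
    mode=$1
    actual_owner=$3
    if [ "$actual_owner" != "$owner" ]; then
        echo "$dir is owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    case "$mode" in
        ?????w*)                   # 6th char is the group write bit
            echo "$dir is group-writable ($mode)" >&2
            return 1 ;;
    esac
    case "$(printf '%s' "$mode" | cut -c8-10)" in
        ---) return 0 ;;
        *)   echo "$dir is accessible to others ($mode)" >&2; return 1 ;;
    esac
}

# check_account NAME: the service account must exist (no login shell is
# set by the useradd lines above; this only verifies the account itself).
check_account() {
    id "$1" >/dev/null 2>&1 || { echo "no such account: $1" >&2; return 1; }
}

# check_sudoers FILE: syntax-check the sudoers fragment when visudo exists.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found, skipping sudoers check for $1" >&2
    fi
}

# Stand-alone use: sh check-install.sh /etc/shellpki shellpki /etc/sudoers.d/shellpki
if [ "$#" -ge 3 ]; then
    check_account "$2" && check_private_dir "$1" "$2" && check_sudoers "$3" \
        && echo "shellpki install layout looks sane"
fi
```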

OpenVPN

If you want the OpenVPN client configuration to be generated automatically in /etc/shellpki/openvpn, create a template file at /etc/shellpki/ovpn.conf, e.g.:

client
dev tun
tls-client
proto udp

remote ovpn.example.com 1194

nobind
user nobody
group nogroup
persist-key
persist-tun

cipher AES-256-GCM

Usage

Usage: shellpki <subcommand> [options] [CommonName]

Initialize PKI (create CA key and self-signed cert):

    shellpki init <commonName_for_CA>

    Options
        --non-interactive           do not prompt the user, and exit if an error occurs

Create a client cert with key and CSR directly generated on server:

    shellpki create <commonName>

    Options
        -f, --file, --csr-file      create a client cert from a CSR (doesn't need key)
        -p, --password              prompt the user for a password to set on the client key
            --password-file         if provided with a path to a readable file, the first line is read and set as password on the client key
            --days                  specify how many days the certificate should be valid
            --end-date              specify until which date the certificate should be valid, in MM/DD/[YY]YY [hh:mm:ss] format
            --non-interactive       do not prompt the user, and exit if an error occurs
            --replace-existing      if the certificate already exists, revoke it before creating a new one

Revoke a client cert:

    shellpki revoke <commonName>

    Options
        --non-interactive           do not prompt the user, and exit if an error occurs

List all certificates:

    shellpki list <options>

    Options
        -a, --all
        -v, --valid
        -r, --revoked

Check expiration date of valid certificates:

    shellpki check

Run OCSP_D server :

    shellpki ocsp <ocsp_uri:ocsp_port>

Show version :

    shellpki version

Show help :

    shellpki help
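`shellpki list` and `shellpki check` work from the CA's index rather than from the directory of issued certificates, because a certificate file can be deleted while the certificate itself is still valid. The script below is an added example (not shellpki's own code) showing how that index, the tab-separated index.txt that `openssl ca` maintains, is read: filtering by status as `list --valid` / `--revoked` do, and finding valid certificates that expire before a cutoff as `check` does. The sample index is constructed for the example, and the /etc/shellpki/index.txt path in the comments is an assumption about where a deployment keeps the file.

```shell
#!/bin/sh
# Added example, not part of shellpki: reading an OpenSSL CA index file.
# Each index line has six tab-separated fields:
#   status  expiry  revocation_date  serial  filename  subject
# status: V = valid, R = revoked, E = expired (set by `openssl ca -updatedb`)
# dates:  YYMMDDHHMMSSZ in UTC, so dates in the same century compare as
#         plain strings, which keeps this portable (no date -d / date -v).

# Constructed sample index, not data from a real CA.
sample_index() {
    printf 'V\t350101120000Z\t\t01\tunknown\t/CN=ca.example.com\n'
    printf 'V\t300615083000Z\t\t02\tunknown\t/CN=alice\n'
    printf 'R\t310101000000Z\t240301101500Z\t03\tunknown\t/CN=bob\n'
    printf 'V\t200101000000Z\t\t04\tunknown\t/CN=stale\n'
}

# list_certs STATUS   (index on stdin) -> "serial<TAB>subject" per line
# V mirrors `shellpki list --valid`, R mirrors `shellpki list --revoked`.
list_certs() {
    awk -F'\t' -v st="$1" '$1 == st { print $4 "\t" $6 }'
}

# expiring_before CUTOFF   (index on stdin)
# Prints valid certificates whose expiry is at or before CUTOFF
# (YYMMDDHHMMSSZ). Revoked entries are skipped: their expiry no longer
# matters, and the index, not the certs directory, is the authority.
expiring_before() {
    awk -F'\t' -v cutoff="$1" \
        '$1 == "V" && $2 <= cutoff { print $4 "\t" $6 "\texpires " $2 }'
}

# cutoff_in_days N -> YYMMDDHHMMSSZ for now + N days.
# Tries GNU date syntax first, then BSD date syntax (OpenBSD).
cutoff_in_days() {
    date -u -d "+$1 days" +%y%m%d%H%M%SZ 2>/dev/null \
        || date -u -v "+$1d" +%y%m%d%H%M%SZ
}

# Stand-alone run against the constructed sample. Against a real CA
# (assumed path) the equivalent would be:
#   expiring_before "$(cutoff_in_days 30)" < /etc/shellpki/index.txt
echo "valid certificates:";   sample_index | list_certs V
echo "revoked certificates:"; sample_index | list_certs R
echo "valid but expiring on or before 2030-07-01:"
sample_index | expiring_before 300701000000Z
```

The string comparison on the expiry field is what makes the check portable between the Debian and OpenBSD hosts the install section targets; only `cutoff_in_days` has to know which date(1) it is talking to.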

License

ShellPKI is an Evolix project and is licensed under the MIT license.