99 lines
1.8 KiB
Markdown
99 lines
1.8 KiB
Markdown
# ShellPKI
|
|
|
|
This script is a wrapper around OpenSSL to manage a small
|
|
[PKI](https://en.wikipedia.org/wiki/Public_key_infrastructure).
|
|
|
|
## Install
|
|
|
|
### Debian
|
|
|
|
~~~
|
|
useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
|
|
mkdir /etc/shellpki
|
|
install -m 0640 openssl.cnf /etc/shellpki/
|
|
install -m 0755 shellpki /usr/local/sbin/shellpki
|
|
chown -R shellpki: /etc/shellpki
|
|
~~~
|
|
|
|
~~~
|
|
# visudo -f /etc/sudoers.d/shellpki
|
|
%shellpki ALL = (root) /usr/local/sbin/shellpki
|
|
~~~
|
|
|
|
### OpenBSD
|
|
|
|
~~~
|
|
useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
|
|
mkdir /etc/shellpki
|
|
install -m 0640 openssl.cnf /etc/shellpki/
|
|
install -m 0755 shellpki /usr/local/sbin/shellpki
|
|
chown -R _shellpki:_shellpki /etc/shellpki
|
|
~~~
|
|
|
|
~~~
|
|
# visudo -f /etc/sudoers
|
|
%_shellpki ALL = (root) /usr/local/sbin/shellpki
|
|
~~~
|
|
|
|
## OpenVPN
|
|
|
|
If you want auto-generation of the OpenVPN config file in
|
|
/etc/shellpki/openvpn, you need to create a template file in
|
|
/etc/shellpki/ovpn.conf, eg. :
|
|
|
|
~~~
|
|
client
|
|
dev tun
|
|
tls-client
|
|
proto udp
|
|
|
|
remote ovpn.example.com 1194
|
|
|
|
persist-key
|
|
persist-tun
|
|
|
|
cipher AES-256-CBC
|
|
~~~
|
|
|
|
## Usage
|
|
|
|
~~~
|
|
Usage: ./shellpki <subcommand> [options] [CommonName]
|
|
~~~
|
|
|
|
Initialize PKI (create CA key and self-signed cert) :
|
|
|
|
~~~
|
|
./shellpki init <commonName_for_CA>
|
|
~~~
|
|
|
|
Create a client cert with key and CSR directly generated on server
|
|
(use -p for set a password on client key) :
|
|
|
|
~~~
|
|
./shellpki create [-p] <commonName>
|
|
~~~
|
|
|
|
Create a client cert from a CSR (doesn't need key) :
|
|
|
|
~~~
|
|
./shellpki create -f <path>
|
|
~~~
|
|
|
|
Revoke a client cert with is commonName (CN) :
|
|
|
|
~~~
|
|
./shellpki revoke <commonName>
|
|
~~~
|
|
|
|
List all actually valid commonName (CN) :
|
|
|
|
~~~
|
|
./shellpki list
|
|
~~~
|
|
|
|
## License
|
|
|
|
ShellPKI is an [Evolix](https://evolix.com) project and is licensed
|
|
under the [MIT license](LICENSE).
|