Shellpki is a very small and easy-to-use command-line PKI.
Jérémy Dubois 9deb73b548 cert-expirations.sh => certificates names can contain "@" in it 2020-11-06 10:53:00 +01:00
.gitignore Add .swp file to gitignore 2018-10-24 15:20:29 +02:00
CHANGELOG.md update changelog 2020-09-07 09:49:53 +02:00
LICENSE Shellpki is now MIT licensed 2018-12-26 14:17:45 +01:00
README.md Strip .sh extension from shellpki script 2019-03-06 13:42:18 +01:00
Vagrantfile Don't force Vagrant::DEFAULT_SERVER_URL (doesn't work with recent Vagrant version) 2020-02-10 15:12:30 +01:00
cert-expirations.sh cert-expirations.sh => certificates names can contain "@" in it 2020-11-06 10:53:00 +01:00
cn-filter.sh Use logger for cn-filter 2018-03-01 16:24:27 +01:00
ocspd.service Add a delay for auto restart in systemd service 2018-06-27 19:04:59 +02:00
openssl.cnf Add an OCSPD responder 2018-06-27 13:48:12 +02:00
shellpki list: better options parsing 2020-10-12 23:49:51 +02:00

README.md

ShellPKI

This script is a wrapper around OpenSSL to manage a small PKI.

Install

Debian

    useradd shellpki --system -M --home-dir /etc/shellpki --shell /usr/sbin/nologin
    mkdir /etc/shellpki
    install -m 0640 openssl.cnf /etc/shellpki/
    install -m 0755 shellpki /usr/local/sbin/shellpki
    chown -R shellpki: /etc/shellpki

    # visudo -f /etc/sudoers.d/shellpki
    %shellpki ALL = (root) /usr/local/sbin/shellpki

OpenBSD

    useradd -r 1..1000 -d /etc/shellpki -s /sbin/nologin _shellpki
    mkdir /etc/shellpki
    install -m 0640 openssl.cnf /etc/shellpki/
    install -m 0755 shellpki /usr/local/sbin/shellpki
    chown -R _shellpki:_shellpki /etc/shellpki

    # visudo -f /etc/sudoers
    %_shellpki ALL = (root) /usr/local/sbin/shellpki

OpenVPN

If you want the OpenVPN config file to be generated automatically in /etc/shellpki/openvpn, you need to create a template file in /etc/shellpki/ovpn.conf, e.g.:

    client
    dev tun
    tls-client
    proto udp

    remote ovpn.example.com 1194

    persist-key
    persist-tun

    cipher AES-256-CBC

Usage

Usage: ./shellpki <subcommand> [options] [CommonName]

Initialize the PKI (create the CA key and self-signed cert):

    ./shellpki init <commonName_for_CA>

Create a client cert with key and CSR generated directly on the server (use -p to set a password on the client key):

    ./shellpki create [-p] <commonName>

Create a client cert from a CSR (the key is not needed):

    ./shellpki create -f <path>

Revoke a client cert by its commonName (CN):

    ./shellpki revoke <commonName>

List all currently valid commonNames (CN):

    ./shellpki list
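
The `create -f <path>` form above signs a CSR without needing the key, so the private key can be generated on the client and never leave it. As an added example (not part of shellpki), this shell function builds the key and CSR client-side with OpenSSL; the function name `make_csr`, the output file names and the default RSA key size are assumptions of the example.

```shell
#!/bin/sh
# Added example, not shellpki code: generate a private key and a CSR on the
# client so that only the CSR is handed to the PKI host.
# Assumptions: openssl is installed; RSA and the 3072-bit default are choices
# made for this example, not requirements stated by shellpki.

make_csr() {
    cn="$1"
    outdir="${2:-.}"
    bits="${3:-3072}"

    # An empty CN or a CN containing "/" would break both the -subj string
    # and the output paths, so reject it ("@" and "." are fine).
    case "$cn" in
        ''|*/*) echo "usage: make_csr <commonName> [outdir] [bits]" >&2; return 2 ;;
    esac

    key="$outdir/$cn.key"
    csr="$outdir/$cn.csr"

    # Never silently replace an existing private key.
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi

    # The subshell keeps the restrictive umask local; the key is created 0600.
    # -nodes leaves the key unencrypted on disk, so protect the file itself.
    (
        umask 077
        openssl req -new -newkey "rsa:$bits" -nodes \
            -keyout "$key" -out "$csr" -subj "/CN=$cn" 2>/dev/null
    ) || return 1

    # Check the CSR self-signature before sending it anywhere. The output is
    # matched because older OpenSSL releases exit 0 even on a verify failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1

    # Print the path of the file to transfer to the PKI host.
    printf '%s\n' "$csr"
}

# Run directly: ./make_csr.sh <commonName> [outdir] [bits]
if [ "$#" -ge 1 ]; then
    make_csr "$@"
fi
```

Copy only the `.csr` file to the PKI host and pass its path to `shellpki create -f <path>`; the `.key` file stays on the client.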

License

ShellPKI is an Evolix project and is licensed under the MIT license.