26 lines
1021 B
Plaintext
26 lines
1021 B
Plaintext
|
A small HTTPS API that accepts X509 CSRs and signs them if they
|
|||
|
|
contain the magic number.
|
|||
|
|
|
|||
|
|
Modelled on the Puppet CA "Policy-based autosigning" functionality,
|
|||
|
|
but without the rest of Puppet
|
|||
|
|
|
|||
|
|
[ This README is speculative ]
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
DOMAIN="/C=GB/ST=London/L=London/O=Telent"
|
|||
|
|
|
|||
|
|
openssl genrsa -out ca.key 4096
|
|||
|
|
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -subj "${DOMAIN}/CN=CA" -out ca.crt
|
|||
|
|
|
|||
|
|
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr -subj "${DOMAIN}/OU=devices/CN=rotuer"
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes
|
|||
|
|
|
|||
|
|
Custom attributes can use any public or site-specific OID, with the exception of the OIDs used for core X.509 functionality. This means you can’t re-use existing OIDs for things like subject alternative names.
|
|||
|
|
|
|||
|
|
One useful OID is the challengePassword attribute — 1.2.840.113549.1.9.7. This is a rarely-used corner of X.509 that can easily be repurposed to hold a pre-shared key.
|