certifix/README

A small HTTPS API that accepts X509 CSRs and signs them if they
contain the magic number.

Modelled on the Puppet CA "Policy-based autosigning" functionality,
but without the rest of Puppet

[ This README is speculative ]


## Try it out

```
# create CA key and cert
openssl genrsa -out ca.key 4096  
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt

# create client CSR
CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr 

# start the server
bin/certifix

# send it

curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  http://localhost:8201/sign
```


https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes

Custom attributes can use any public or site-specific OID, with the exception of the OIDs used for core X.509 functionality. This means you can’t re-use existing OIDs for things like subject alternative names.

One useful OID is the challengePassword attribute — 1.2.840.113549.1.9.7. This is a rarely-used corner of X.509 that can easily be repurposed to hold a pre-shared key.
-												initial commit

											
										
										
											2024-09-25 09:20:14 +00:00
+								A small HTTPS API that accepts X509 CSRs and signs them if they
 								contain the magic number.
 								Modelled on the Puppet CA "Policy-based autosigning" functionality,
 								but without the rest of Puppet
 								[ This README is speculative ]
-												improve README

											
										
										
											2024-09-25 11:01:21 +00:00
+								## Try it out
-												initial commit

											
										
										
											2024-09-25 09:20:14 +00:00
-												improve README

											
										
										
											2024-09-25 11:01:21 +00:00
+								```
 								# create CA key and cert
 								openssl genrsa -out ca.key 4096
 								CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt
-												initial commit

											
										
										
											2024-09-25 09:20:14 +00:00
-												improve README

											
										
										
											2024-09-25 11:01:21 +00:00
+								# create client CSR
 								CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr
-												initial commit

											
										
										
											2024-09-25 09:20:14 +00:00
-												improve README

											
										
										
											2024-09-25 11:01:21 +00:00
+								# start the server
 								bin/certifix
-												initial commit

											
										
										
											2024-09-25 09:20:14 +00:00
-												improve README

											
										
										
											2024-09-25 11:01:21 +00:00
+								# send it
-												initial commit

											
										
										
											2024-09-25 09:20:14 +00:00
-												improve README

											
										
										
											2024-09-25 11:01:21 +00:00
+								curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  http://localhost:8201/sign
 								```
-												initial commit

											
										
										
											2024-09-25 09:20:14 +00:00
 								https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes
 								Custom attributes can use any public or site-specific OID, with the exception of the OIDs used for core X.509 functionality. This means you can’t re-use existing OIDs for things like subject alternative names.
 								One useful OID is the challengePassword attribute — 1.2.840.113549.1.9.7. This is a rarely-used corner of X.509 that can easily be repurposed to hold a pre-shared key.