# Certifix

Not an Asterix character.

A small HTTP(S)[*] API that accepts X.509 CSRs and signs them if they contain the magic number: specifically, if they carry a PKCS#9 `challengePassword` attribute whose value matches a pre-agreed secret.

Modelled on the Puppet CA "policy-based autosigning" functionality, but without the rest of Puppet.

## What's it for?

I have a bunch of small devices on my LAN that may or may not be able to retain persistent state across reboots. I would like them to be able to talk securely to a server using standard TLS with client authentication, and without having to rely on network firewall rules to prevent the rest of the world also talking to the service.

Anyone who knows the pre-shared secret can obtain a client certificate, so the secret is the whole of the security here: keep the `psk` file readable only by the signer, and bear in mind that the `challengePassword` sits unencrypted inside the CSR body, so until the server speaks TLS it crosses the network in the clear.

[*] it will do S, but as of writing this footnote it doesn't yet

## To try it out

_This is experiment-quality code that I have published mostly so that it doesn't die with my laptop. Some day it will be grown-up but in the meantime try it at your own risk - or even better, don't try it_

It's written in [Fennel](https://www.fennel-lang.org). To build it either use Nix or read [package.nix](package.nix) and figure out how to replicate the steps manually.
Note that it requires a patch to the luaossl module.

```bash
# pick a PSK; it is a plain file, so 0600 (no execute bit) is all it needs
echo 'loves labours lost' > psk
chmod 0600 psk

# create CA key and cert used for signing
openssl genrsa -out ca.key 4096
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

# create key for the server and sign it with the CA
CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key -out server.csr
openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# create example client CSR for testing
# (the challengePassword value in openssl.cnf must match the contents of the "psk" file)
CN=router openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

# build and start the server
nix-build && result/bin/certifix --challenge-password psk --certificate ca.crt --private-key ca.key localhost:19613

# send it (plain http until the server does TLS, see the footnote above;
# once it does, switch to https and add --cacert ca.crt)
curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr http://localhost:19613/sign
```

## Background

* [how Puppet does it](https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes)
* [RFC 5967 - the `application/pkcs10` media type for CSRs](https://datatracker.ietf.org/doc/html/rfc5967) (the CSR structure itself is PKCS#10, RFC 2986)
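The policy decision described above, "sign if the CSR carries a `challengePassword` equal to the PSK", as an added example that is not part of Certifix (which is written in Fennel on top of luaossl). It uses only the Python standard library: a minimal DER walker finds the PKCS#9 attribute (OID 1.2.840.113549.1.9.7) inside `CertificationRequestInfo` and compares it with the secret in constant time. The function names `challenge_password`, `should_sign` and `make_skeleton_csr` are illustrative, and the test input is a constructed skeleton CSR with the fields the check never reads left empty; the same `challenge_password` call works on the `client.csr` produced in the walkthrough.

```python
"""Policy check of the kind Certifix applies: look inside a PEM CSR for the
PKCS#9 challengePassword attribute and compare it with the pre-shared secret.
Added example, standard library only; not the project's own code."""
import base64
import hmac
import re

# PKCS#9 challengePassword, OID 1.2.840.113549.1.9.7 (dotted and DER-encoded forms).
CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"
CHALLENGE_PASSWORD_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x09\x07"


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Iterate the TLVs contained in a constructed value (SEQUENCE, SET, [0])."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(body: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    cur = 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def challenge_password(csr_pem: bytes):
    """Return the challengePassword carried by a PEM CSR, or None if it has none."""
    der = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", csr_pem))
    _, cert_req, _ = read_tlv(der, 0)           # CertificationRequest ::= SEQUENCE
    _, cri, _ = read_tlv(cert_req, 0)           # its first element: CertificationRequestInfo
    for tag, value in children(cri):
        if tag != 0xA0:                         # attributes [0] IMPLICIT SET OF Attribute
            continue
        for _, attribute in children(value):    # Attribute ::= SEQUENCE { type OID, values SET }
            items = list(children(attribute))
            if len(items) != 2 or decode_oid(items[0][1]) != CHALLENGE_PASSWORD_OID:
                continue
            # PKCS#9 types it as DirectoryString; openssl emits UTF8String or PrintableString.
            for string_tag, string_value in children(items[1][1]):
                if string_tag in (0x0C, 0x13, 0x16):   # UTF8String, PrintableString, IA5String
                    return string_value.decode("utf-8")
    return None


def should_sign(csr_pem: bytes, psk: str) -> bool:
    """Sign only if the CSR carries a challengePassword equal to the PSK.
    compare_digest keeps the comparison constant-time, so a client hammering
    /sign cannot recover the secret byte by byte from response timing."""
    pw = challenge_password(csr_pem)
    return pw is not None and hmac.compare_digest(pw.encode("utf-8"), psk.encode("utf-8"))


# --- constructed test input (not a real CSR) ---------------------------------
# A real CSR comes from `openssl req` as in the walkthrough; to keep this file
# runnable offline we build a skeleton CertificationRequest whose subject,
# public key and signature are empty placeholders the policy check never reads.

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one tag/length/value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def make_skeleton_csr(password=None) -> bytes:
    """PEM skeleton CSR; with password=None the attributes set is empty."""
    attributes = b""
    if password is not None:
        values = tlv(0x31, tlv(0x0C, password.encode("utf-8")))          # SET { UTF8String }
        attributes = tlv(0x30, CHALLENGE_PASSWORD_OID_DER + values)      # Attribute
    cri = tlv(0x30, tlv(0x02, b"\x00")          # version 0
                    + tlv(0x30, b"")            # subject (empty placeholder)
                    + tlv(0x30, b"")            # subjectPKInfo (empty placeholder)
                    + tlv(0xA0, attributes))    # attributes [0]
    csr = tlv(0x30, cri + tlv(0x30, b"") + tlv(0x03, b"\x00"))         # + sigAlg, signature
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr)
            + b"-----END CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    psk = "loves labours lost"
    print(should_sign(make_skeleton_csr(psk), psk))        # True
    print(should_sign(make_skeleton_csr("wrong"), psk))    # False: wrong secret
    print(should_sign(make_skeleton_csr(), psk))           # False: no attribute at all
```

This is only the policy half of a signer. Before issuing, a real CA should also verify the CSR's own signature over `CertificationRequestInfo` (proof that the requester holds the private key) and should decide for itself which subject and SAN values to copy into the certificate rather than trusting whatever the device asked for.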