Daniel Barlow 1a3e7918b2 add title 2024-09-25 21:34:27 +01:00
Makefile initial commit 2024-09-25 10:20:14 +01:00
README.md add title 2024-09-25 21:34:27 +01:00
default.nix initial commit 2024-09-25 10:20:14 +01:00
main.fnl remove newline 2024-09-25 21:31:04 +01:00
openssl.cnf improve README 2024-09-25 12:07:30 +01:00
package.nix implement policy-based signing 2024-09-25 21:14:13 +01:00
shell.nix add openssl in shell environment 2024-09-25 21:17:42 +01:00

README.md

Certifix

Not an Asterix character. A small HTTP(S)[*] API that accepts X.509 CSRs and signs them if they contain the magic number (specifically, if they carry a custom challengePassword attribute containing a pre-agreed value).

Modelled on the Puppet CA "Policy-based autosigning" functionality, but without the rest of Puppet.

What's it for? I have a bunch of small devices on my LAN that may or may not be able to retain persistent state across reboots. I would like them to be able to talk securely to a server using standard TLS with client authentication, and without having to rely on network firewall rules to prevent the rest of the world also talking to the service.

[*] it will do S, but as of writing this footnote it doesn't yet

To try it out

This is experiment-quality code that I have published mostly so that it doesn't die with my laptop. Some day it will be grown-up but in the meantime try it at your own risk - or even better, don't try it.

It's written in Fennel. To build it either use Nix or read package.nix and figure out how to replicate the steps manually. Note that it requires a patch to the luaossl module.

```sh
# pick a PSK
echo 'urban cookie collective' > psk
chmod 0700 psk

# create CA key and cert
openssl genrsa -out ca.key 4096
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt

# create client CSR
CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

# start the server
bin/certifix

# send it
curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  http://localhost:8201/sign
```
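As an added illustration of the policy check described above (not Certifix's own code, which is Fennel): a stand-alone Python script that pulls the challengePassword attribute out of a PEM CSR, such as the one `curl` posts to `/sign`, and compares it with the PSK in constant time. The DER helpers and the unsigned test CSR builder are constructed for this example only.

```python
import base64, hmac, re

# DER-encoded OIDs: PKCS#9 challengePassword (1.2.840.113549.1.9.7), X.520 commonName (2.5.4.3)
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")
COMMON_NAME_OID = bytes.fromhex("550403")

def tlv(tag, body):
    """Encode one DER element (definite lengths up to 65535 bytes)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def iter_tlv(buf):
    """Yield (tag, body) for each DER element in buf (minimal parser written for this example)."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + ln]
        i += ln

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def challenge_password(csr_der):
    """Return the CSR's challengePassword attribute as str, or None when absent."""
    info = next(iter_tlv(next(iter_tlv(csr_der))[1]))[1]      # CertificationRequestInfo
    for tag, body in iter_tlv(info):
        if tag == 0xA0:                                       # [0] IMPLICIT attributes
            for _, attr in iter_tlv(body):                    # Attribute ::= SEQUENCE {type, values}
                oid, values = (b for _, b in iter_tlv(attr))
                if oid == CHALLENGE_PASSWORD_OID:
                    return next(iter_tlv(values))[1].decode()
    return None

def should_sign(csr_pem, psk):
    """Sign only if the CSR carries the pre-agreed secret (a real server must also verify the CSR's self-signature first)."""
    pw = challenge_password(pem_to_der(csr_pem))
    return pw is not None and hmac.compare_digest(pw.encode(), psk.encode())

def make_test_csr(cn, password=None):
    """Constructed, UNSIGNED CSR skeleton (empty SPKI and signature) for exercising the policy."""
    subject = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, COMMON_NAME_OID) + tlv(0x0C, cn.encode()))))
    attrs = b"" if password is None else tlv(0x30, tlv(0x06, CHALLENGE_PASSWORD_OID) + tlv(0x31, tlv(0x0C, password.encode())))
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + tlv(0x30, b"") + tlv(0xA0, attrs))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE REQUEST-----\n"
```

A CSR produced by the `openssl req` command above can be fed to `should_sign` unchanged, provided openssl.cnf puts the PSK into the challengePassword attribute.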

Background