Latest commit: Daniel Barlow 20fdd0aac6 "add openssl in shell environment" 2024-09-25 21:17:42 +01:00

Repository files:

- Makefile (initial commit, 2024-09-25 10:20:14 +01:00)
- README (improve README, 2024-09-25 12:07:30 +01:00)
- default.nix (initial commit, 2024-09-25 10:20:14 +01:00)
- main.fnl (implement policy-based signing, 2024-09-25 21:14:13 +01:00)
- openssl.cnf (improve README, 2024-09-25 12:07:30 +01:00)
- package.nix (implement policy-based signing, 2024-09-25 21:14:13 +01:00)
- shell.nix (add openssl in shell environment, 2024-09-25 21:17:42 +01:00)

README


A small HTTPS API that accepts X.509 CSRs and signs them if they
contain the magic number.

Modelled on the Puppet CA "Policy-based autosigning" functionality,
but without the rest of Puppet.

[ This README is speculative ]


## Try it out

```
# create CA key and cert
openssl genrsa -out ca.key 4096
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

# create client CSR
CN=router openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

# start the server
bin/certifix

# send the CSR to the signing endpoint
curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr http://localhost:8201/sign
```


https://www.puppet.com/docs/puppet/7/ssl_attributes_extensions#csr_custom_attributes-recommended-oids-custom-attributes

Custom attributes can use any public or site-specific OID, with the exception of the OIDs used for core X.509 functionality. This means you can't re-use existing OIDs for things like subject alternative names.

One useful OID is the challengePassword attribute — 1.2.840.113549.1.9.7. This is a rarely-used corner of X.509 that can easily be repurposed to hold a pre-shared key.
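The policy check this README describes, as an added illustration that is not the project's own code (main.fnl is not reproduced here): the signing side receives a PEM CSR, walks the DER to the `[0]` attributes set of the CertificationRequestInfo, pulls out the challengePassword attribute (OID 1.2.840.113549.1.9.7) and compares it against the pre-shared key in constant time. The CSR in the block is constructed in code with placeholder key and signature bytes so the example runs offline; names such as `policy_allows` and `build_test_csr` are this example's own. A real server must also verify the CSR's self-signature before acting on anything it carries.

```python
import base64
import hmac

CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"  # pkcs-9 challengePassword

# --- minimal DER encode/decode helpers (enough for a CSR skeleton) ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))  # base-128, high bit set on all but last
    return tlv(0x06, bytes(body))

def decode_oid(content):
    parts = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def iter_seq(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def pem_to_der(pem):
    lines = [l.strip() for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

# --- the policy check ---

def challenge_password(csr_der):
    """Return the challengePassword string from a DER CSR, or None if absent."""
    tag, csr, _ = read_tlv(csr_der, 0)            # CertificationRequest
    tag, info, _ = read_tlv(csr, 0)               # CertificationRequestInfo
    fields = list(iter_seq(info))                 # version, subject, spki, [0] attributes
    for tag, body in fields[3:]:
        if tag != 0xA0:                           # [0] IMPLICIT SET OF Attribute
            continue
        for _atag, attr in iter_seq(body):
            items = list(iter_seq(attr))          # Attribute ::= SEQUENCE { type OID, values SET }
            if decode_oid(items[0][1]) != CHALLENGE_PASSWORD_OID:
                continue
            for vtag, value in iter_seq(items[1][1]):
                if vtag in (0x0C, 0x13, 0x16):    # UTF8String, PrintableString, IA5String
                    return value.decode()
    return None

def policy_allows(csr_der, psk):
    """Sign only if the CSR carries the pre-shared key; compare in constant time."""
    pw = challenge_password(csr_der)
    return pw is not None and hmac.compare_digest(pw.encode(), psk.encode())

# --- constructed test input: a structurally valid CSR skeleton, not a real signed request ---

def build_test_csr(password=None):
    subject = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, b"router"))))
    spki = tlv(0x30, tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
                + tlv(0x03, b"\x00" * 9))         # placeholder key bits (constructed)
    attrs = b""
    if password is not None:
        attrs = tlv(0x30, encode_oid(CHALLENGE_PASSWORD_OID) + tlv(0x31, tlv(0x0C, password.encode())))
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, attrs))
    sigalg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    sig = tlv(0x03, b"\x00" * 9)                   # placeholder, not a real signature
    return tlv(0x30, info + sigalg + sig)

if __name__ == "__main__":
    pem = der_to_pem(build_test_csr("s3cret"))
    print("allowed:", policy_allows(pem_to_der(pem), "s3cret"))
```

The string-type check matters in practice: openssl emits challengePassword as a PrintableString or UTF8String depending on its content, and a check that only accepts one of them rejects valid requests. Rejecting on a missing attribute rather than treating it as an empty password is what makes the pre-shared key mandatory.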