dan
/
certifix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
18 Commits 1 Branch 0 Tags 92 KiB
Fennel 76.7%
Nix 21.9%
Makefile 1.4%
Go to file
Daniel Barlow e4410323cf add error handler 2024-09-27 19:47:31 +01:00
Makefile initial commit 2024-09-25 10:20:14 +01:00
README.md use https 2024-09-27 19:47:11 +01:00
default.nix initial commit 2024-09-25 10:20:14 +01:00
main.fnl add error handler 2024-09-27 19:47:31 +01:00
openssl.cnf improve README 2024-09-25 12:07:30 +01:00
package.nix implement policy-based signing 2024-09-25 21:14:13 +01:00
shell.nix add openssl in shell environment 2024-09-25 21:17:42 +01:00

README.md

Certifix

Not an Asterix character. A small HTTP(S)[*] API that accepts X509 CSRs and signs them if they contain the magic number (specifically, if they have a custom challengePassword attribute containing a pre-agreed value)

Modelled on the Puppet CA "Policy-based autosigning" functionality, but without the rest of Puppet

What's it for? I have a bunch of small devices on my LAN that may or may not be able to retain persistent state across reboots. I would like them to be able to talk securely to a server using standard TLS with client authentication, and without having to rely on network firewall rules to prevent the rest of the world also talking to the service.

[*] it will do S, but as of writing this footnote it doesn't yet

To try it out

This is experiment-quality code that I have published mostly so that it does't die with my laptop. Some day it will be grown-up but in the meantime try it at your own risk - or even better, don't try it

It's written in Fennel. To build it either use Nix or read package.nix and figure out how to replicate the steps manually. Note that it requires a patch to the luaossl module

# pick a PSK
echo 'loves labours lost' > psk
chmod 0700 psk

# create CA key and cert used for signing
openssl genrsa -out ca.key 4096
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt

# create key for the server and sign it with the CA 
CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# create example client CSR for testing (check openssl.cnf against "psk" file)
CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

# build and start the server
nix-build && result/bin/certifix  --challenge-password psk  --certificate ca.crt --private-key ca.key localhost:19613

# send it
curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign

Background