Digital Mages - micro-ca(1)

micro-ca

Section: micro-ca (1)
Updated: 2016/09/19
Index

NAME

micro-ca - Microscopic Certificate Authority

VERSION

$Id: doc/micro-ca.pod, 2.1 2016/09/19 12:58:52 acorliss Exp $

USAGE

  make CertName={cn} [variables] {cmd}

  # Generate a new CRL
  make gen-crl

  # Generate a private key
  make CertName=foo.com gen-key

  # Generate an encrypted private key
  make CertName=foo.com EncryptKey=yes gen-key

  # Generate a commonName CSR
  make CertName=foo.com gen-csr

  # Generate a subjectAltName CSR
  make CertName=foo.com SubjectAltName=yes gen-csr

  # Sign a Server CSR
  make CertName=foo.com sign-server-csr

  # Sign a Client CSR
  make CertName=foo.com sign-client-csr

  # The following will generate a key, CSR, and sign it, 
  # using all the options (assuming none of the above steps
  # have been taken yet)
  make CertName=foo.com EncryptKey=yes \
    SubjectAltName=yes sign-server-csr

  # Revoke a certificate
  make CertName=foo.com revoke-cert

  # View the CA history
  make history | less

  # View a list of all certs associated with a CN
  make CertName=foo.com view-cert

  # View a specific certficate
  make CertName=foo.com Serial=AFB930FA82 view-cert

DESCRIPTION

micro-ca is a certificate authority aimed at internal corporate or private use. To those ends this provides the most basic of CA functionality, notably:

*: simplified generation and management of keys, signing requests, and certificates,
*: generation of the root CA certificate to authenticate the above, and,
*: generation of certificate revocation lists

Flexibility is built into the system to allow for both encrypted and unencrypted keys, including with the selection of the encryption algorithm. The generation and conversion of keys, CSRs, and certificates in both DER and PEM formats. Finally, CSRs and certificates based on the normal common names as well as multiple hostnames via subjectAltNames.

It should be noted that micro-ca is not a command in itself, but rather a Makefile and some OpenSSL configuration templates. This allows the CA to be maintained on any system with a standard UNIX shell environment and the openssl(1) & make(1) commands. Writing a front-end would really only be so much syntactic sugar with no really useful functionality added.

FILE SYSTEM LAYOUT AND CONVENTIONS

The CA for this installation is called my-ca and is installed in /usr/local/etc/my-ca. Within this directory the following subdirectories can be found:

  ./db/         contains files necessary for managing the CA
  ./private/    contains the CA's encrypted key
  ./certs/      contains all the signed certificates
  ./generated/  contains all generated keys, CSRs, and certs

After your first CA command you should also have the following files:

  ./Makefile        Makefile for operating CA
  ./my-ca.crl  my-ca's Certificate Revocation List
  ./my-ca.csr  my-ca's Root CA CSR (self-signed)
  ./my-ca.pem  my-ca's Root CA Certificate (PEM)
  ./my-ca.der  my-ca's Root CA Certificate (DER)

Most of the files you will be working with will be in the ./generated subdirectory, and all of those can be generated automatically. In the event that you need to import a file there (if, for example, having to sign a CSR which was generated elsewhere) the following naming conventions apply:

  ./generated/{FORMAT}/{CN}.cnf
  ./generated/{FORMAT}/{CN}.csr
  ./generated/{FORMAT}/{CN}.key
  ./generated/{FORMAT}/{CN}.crt

{CN}, of course, will be substituted for the CN associated with the given certificate. {FORMAT} is either PEM or DER. Both formats are generated for each operation.

NON-CERTIFICATE COMMANDS

gen-crl

  make gen-crl

Generates a new Certificate Revocation List.

history

  make history

Display CA activity log.

CERTIFICATE COMMANDS

gen-key

  make CertName={commonName} gen-key

This command generates a new private key for use with CSRs and certificates. If you wish to encrypt the private key you must include the EncryptKey variable. You can control encryption options with KeyCrypt and KeySize if you don't wish to go with the defaults:

  make CertName=foo.com EncryptKey=yes KeyCrypt=idea \
    KeySize=4096 gen-key

The default settings can be found at the top of the makefile.

gen-csr

  make CertName={commonName} gen-csr

This command generates a Certificate Signing Request. It will generate a key on demand if you haven't already. You can select between the default commonName certificate and a subjectAltName certificate by defining the SubjectAltName make variable:

  make CertName={commonName} SubjectAltName=yes gen-csr

view-csr

  make CertName={commonName} view-csr

This command displays the details of the signing request. If you're working off of a third-party CSR provided in DER format you'd add the Format variable.

sign-server-csr

  make CertName={commonName} sign-server-csr

This command signs a CSR placed in ./generated/{FORMAT}/ and named appropriately. While this CA works by default off of PEM certificates you can easily sign a third-party DER certificate as so:

  cp test.foo.com.csr generated/DER/test.foo.com.csr
  make CertName={commonName} Format=DER sign-server-csr

micro-ca(1) provides two default certificate policies used when signing certificates, one for generic server certifcates, and one for clients. Both are defined in ./db/openssl.cnf. If you wish to add additional custom policies you can do so, and select them for use while signing via the SSLPolicy variable:

  make CertName={commonName} SSLPolicy=custom_ext sign-server-csr

sign-client-csr

  make CertName={commonName} sign-client-csr

The rules for signing client certificates is exactly the same as for server certificates. This merely selects a different SSL policy automatically.

revoke-cert

  make CertName={commonName} revoke-cert

This updates the certificate revocation list, but does not generate a newly signed CRL. To do that you'll need to use the gen-crl command as needed.

view-cert

  make CertName={commonName} view-cert
  make CertName={commonName} Serial=A9B372FE0D view-cert

This command will display the details of any certificate issued by the CA. Passing only the CertName will provide a list of serial numbers and subjects of all the certs that use that CN. Adding a Serial will display the full details of that certificate.

OPTIONS

The following make(1) variables are optional:

  Variable      Default  Purpose
  -------------------------------------------------------
  Format        PEM      File format of source files
  KeySize       2048     Key size to use for the cert
  KeyCrypt      des3     Algorithm to use for encrypting 
                         private keys
  Days          730      Length of certificate validity
  Editor        vi       Editor to use for editing CSR 
                         organization information
  MDHash        sha256   Message Digest Hash algorithm 
                         to use for signing

Defaults can be changed by editing the top of the Makefile in /usr/local/etc/my-ca.

For a full list of options for each command you should consult the openssl(1) man pages.

DIAGNOSTICS

The standard output of make is provided as-is. Hopefully it will be intelligible and obvious enough as to what, if any, problems arose. Exit codes, as always, are a reliable indicator.

EXIT STATUS

  0    Success
  1    Failure

CONFIGURATION

Default CA options are stored in /usr/local/etc/my-ca/Makefile. OpenSSL options are stored in /usr/local/etc/my-ca/db/openssl.cnf. CSR templates are stored in /usr/local/etc/my-ca/db/openssl-*.cnf.

BUGS AND LIMITATIONS

Given that this is meant for internal use I haven't added any support for OCSP, but it should be fairly trivial to add them to the OpenSSL configuration.

Because the intended usage is intended for low volume certificate management no provisions have been made for batch processing. Because of the use of passphrase on the CA key you may want to create an expect script to add batch processing support.