openxpki / clca Goto Github PK

View Code? Open in Web Editor NEW

29.0 9.0 17.0 192 KB

Command line CA, including bootable Root CA medium and Secret Sharing

License: GNU General Public License v2.0

Shell 57.56% Perl 42.44%

pki command-line offline-root root-ca bootable secret-sharing

clca's Introduction

OpenXPKI Trustcenter Software

A software stack based on perl and openssl to run a PKI/trustcenter with an enterprise-grade feature set.

core features

WebUI compatible with all major browsers
Ready-to-run example config as public git repo (openxpki/openxpki-config)
File-based configuration (eases versioning, staged deployment and change control)
Support for SCEP (Simple Certificate Enrollment Protocol) and EST
Easy adjustment of workflows to personal needs
Run multiple separate CAs with a single installation
automated rollover of CA generations
Can use Hardware Security Modules (e. g. Thales HSMs) for crypto operations
Issue certificates with public trusted CAs (e. g. SwissSign, Comodo, VeriSign)
Based on OpenSSL and Perl, runs on most *nix platforms
100% Open Source, commercial support available

Release

There is no planned release schedule, we make new releases after fixing relevant bugs or adding new features.

Stable Releases

With release 3.2/3.3 we started to have two active release lines: A new stable release, which is fully tested and will upgrade seamlessly within the same major version (see https://semver.org/), gets a minor version with even number (3.2.0). Updates to this release will be done only for critical bugs, such releases will be announced on the openxpki-users mailing lists.

Packages for Debian are provided via our package mirror, prebuild docker images are available via Dockerhub (whiterabbitsecurity/openxpki3).

Packages for SLES, RHEL, Ubuntu are available via subscription plans.

Development Releases

Development releases will be tagged with an odd number (3.3.x), those releases should not be used in production. Packages might be published for such releases, the corresponding docker image is named (whiterabbitsecurity/openxpki3dev).

Getting Started

A public demo is available at http://demo.openxpki.org/.

To run OpenXPKI yourself get a Debian box (Current release is v3 for Buster) ready and download the packages from the package mirror. The packages come with a full-featured sample config and a sample setup script - this gets your PKI up in less than 5 minutes! Just follow our Quickstart Instructions.

There is also a ready-to-use docker image whiterabbitsecurity/openxpki3, see https://github.com/openxpki/openxpki-docker.

Support / Issue Tracker

Check out the documentation on readthedocs. There is also a complete quickstart manual.

Please use the projects mailing lists to get support. Please do NOT use the github issue tracker for general support and ask on the list before filing an issue. If you file an issue, add sufficient information to reproduce the problem.

Contributing

Contributions are always welcome. Please fork and make a pull request against the development branch. Please also add you name to the AUTHORS file (which implies that you agree with the contributors license agreement).

License

Apache License 2.0, also see LICENSE

clca's People

Contributors

Stargazers

Watchers

Forkers

mbartosch aleibl rad1us gknocke mrscotty 06094051 stackscale doccyblade arraiz bartzjegr lichnak mr-craps pcwork ndgit marcposch devangradadiya celsomiranda

clca's Issues

Issue with PR7

You may want to reverse pull PR7 (#7) I say this because I was experimenting more with the build and with out the xterm& it does not show a window on first boot. I think it is because I was using a persistent drive. For some reason the two builds I have are showing double windows, but I just built another with out the xterm & and I get no window.

I'll keep working on it and track down the cause of the double window. I'll report back on this thread. I'll issue another PR to put xterm back if you want, or you can change it back your self. Just let me know.

-Ken

please consider documenting use of Nitrokey HSM2

clca seems mature and not updated

please consider including Readme information on use of the Nitrokey HSM2

https://docs.nitrokey.com/hsm/faq

startdate and enddate do not work with initialize

steps to reproduce:
clca latest version, default config, generate key and run ../bin/clca initialize --startdate 210809 --enddate 410809
error:
/bin/mv: cannot stat '/home/user/clca/testca1/certs/61A894CA414F7CD6137310F05109C1E12B4D80DB.pem': No such file or directory Can't open /home/user/clca/testca1/ca/cacert.pem for reading, No such file or directory 139736122066752:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/home/user/clca/testca1/ca/cacert.pem','r') 139736122066752:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76: unable to load certificate Could not convert certificate to DER (should not happen). CA root certificate contents: Can't open /home/user/clca/testca1/ca/cacert.pem for reading, No such file or directory 139682468243264:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/home/user/clca/testca1/ca/cacert.pem','r') 139682468243264:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76: unable to load certificate
Seems that version 1.11 is not affected

Replacing shared secret?

If key is shared 3 of 5 and 3 shareholders are present, is it then possible to redo the sharing without changing the key?

Some way to remove old shareholders and introduce new ones seems needed for long-lasting keys like a CA root key with 20 year lifespan.

Simple keyceremony file outdated

The simple keyceremony file on line 30 instructs to create a file named rsa-rootkey, but when clca initialize is called it fails because it is looking for cakey.pem file.

PASSPHRASE="1234" openssl genrsa -aes256 -passout env:PASSPHRASE -out dummyca/private/rsa-rootkey 2048

Also a little more elaboration on creating level2 certificate and key (step ?5? not sure because there are two steps marked step 4. bot no indication if it is supposed to be an OR situation) to be deployed on XPKI would be appreciated.

Initialize using "domainComponent" reverses DN

Using clca initialize:

openssl.cnf

0.domainComponent = Top
1.domainComponent = Middle
commonName = Root CA 1

Creates this certificate

Issuer: DC=Top, DC=Middle CN=Root CA 1
Subject: CN=Root CA 1, DC=Top, DC=Middle

inform about need to install lsb-release package OR
install lsb-release automatically via apt.

Enter passphrase:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

It appears that the warning is emitted from the process of caching the passphrase.

One way to fix it, is to add -pbkdf2 to the openssl enc command, as suggested by it.

On line 98:

        ENCRYPTED_PASSPHRASE=`echo "$CLEARTEXT_PASSPHRASE" | $OPENSSL enc -aes256 -pbkdf2 -a -e -pass env:CLCA_SESSION_KEY`

And line 110:

        PASSPHRASE=`echo "$ENCRYPTED_PASSPHRASE" | $OPENSSL enc -aes256 -pbkdf2 -a -d -pass env:CLCA_SESSION_KEY`

Thanks for this helpful tool!