forked from openxpki/clca
CLCA command line CA script
Copyright (c) 2004 - 2013 Martin Bartosch, Cynops GmbH <[email protected]>
This software is distributed under the GNU General Public License - see the
accompanying LICENSE file for more details.
This is a collection of simple tools that allow for basic PKI
operations such as Sub CA certificate issuance (signing certificate
requests), certificate revocation and CRL issuance.
The script was originally designed for use with a Root CA, but may
be used for lower-level CAs as well.
Private key operations can either be performed in software only
(via OpenSSL) or in software with private key operations on an
HSM. Currently only the nCipher nFast module is supported.
Please note that this script does not support concurrent use of
multiple sessions. Unpredictable behaviour must be expected if two
instances of the CA script are run concurrently.
Quick start: CA creation
========================
You can handle an arbitrary number of CA instances using this script.
* For each CA create a new top level directory and change into this
directory. Within this directory create an 'etc' directory and copy
the contents of the sample etc directory from the CLCA distribution.
* Modify CA configuration etc/clca.cfg to reflect your needs. Set
ENGINE as required for HSM or software CA support.
* Modify etc/openssl.cnf according to your CA policy and certificate
profile (see "Configuration")
* Create root key (see "Root key generation")
* Create self-signed CA certificate OR
* Create CA certificate request, export it to higher level CA and import
the certified CA certificate
Root key generation
===================
Only required for nCipher HSM support:
- Install nCipher module and software.
- Create a Security World
- Create an administrator card set
- Create an operator card set that protects your root key
- Create a root key using 'generatekey2 hwcrhk'
Only required for software CA support:
- create a 'private' directory in $CA_HOME
- adapt the RSA key name in clca.cfg
- run openssl genrsa -des3 -out $CA_HOME/private/<keyname>
Configuration
=============
- Edit etc/clca.cfg and etc/openssl.cnf to reflect your needs,
particularly certificate profile and other policy settings.
Please note that CA initialization takes care of setting the
proper paths in openssl.cnf, so no manual modification is
needed for this section.
Basic usage and getting help
============================
The CA system is contained in one single script (bin/ca). If
called without arguments it prints an overview of the supported
commands. To get online help about a certain command, use
$ clca help <command>
PIN entry
=========
If an HSM is used, PIN entry is usually handled by a preload command
that calls OpenSSL in turn. The configuration variable HSM_PRELOAD
must therefore be set to the executable that opens the HSM for
private key operations.
CA initialization
=================
Before the system can be used the CA must be created. This is necessary
only once.
For initial setup of a new CA the necessary steps are:
- Verify if the etc/clca.cfg and etc/openssl.cnf settings are OK.
- Run
$ clca initialize
The script performs several sanity checks and refuses to overwrite
an existing CA. If the CA certificates have been manually removed
from the ca/ directory the existing CA is automatically backed up
to the directory attic/ and a new CA is created.
Unless you are using an HSM you will be prompted to enter
the PINs protecting the CA private key during the creation of the CA.
Once a CA has been set up, be sure to back up the CA key and the
certificate database. If the key is lost, no new certificates or CRLs
can be issued.
Signing certificate requests
============================
Call
$ clca certify <request file>
in order to certify a PKCS #10 request. The request format (DER/PEM)
is automatically detected.
The resulting certificate is placed in the certs/ directory. A copy
of the most current certificate is also written to newcert.pem in the
current working directory.
Revoking certificates
=====================
In order to revoke a certificate call
$ clca revoke <serial number>
This will identify the certificate in the certificate database (certs/
directory) and mark the certificate as revoked.
Listing certificates
====================
Calling
$ clca list <filter>
lists all certificates matching the specified filter. The filter may
be omitted or set to either 'valid' or 'revoked'.
If no filter is specified, all certificates are printed to standard output.
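As an added illustration that is not part of clca (use its own 'list'
command on a real CA), here are the filter semantics above applied to a
certificate database in the index.txt layout that 'openssl ca' maintains.
That clca's database takes this form is an assumption of this example, and
the three sample entries are constructed, not real certificates:

```shell
#!/bin/sh
# Added example, not clca's own code: the 'list <filter>' semantics from the
# README applied to an OpenSSL-style index.txt. Assumption: the certificate
# database is the tab-separated index.txt that 'openssl ca' maintains
# (status, expiry, revocation date[,reason], serial, file name, subject).

# Print matching entries. $2 may be empty (everything), 'valid' or 'revoked';
# anything else is rejected instead of silently listing everything.
clca_list() {  # $1 = index.txt, $2 = filter
    case ${2:-} in
        '')      want='' ;;
        valid)   want=V ;;
        revoked) want=R ;;
        *) echo "unknown filter: $2 (use valid or revoked)" >&2; return 2 ;;
    esac
    awk -v want="$want" '
        BEGIN { FS = "\t" }
        NF < 6 { next }                          # blank or malformed line
        want != "" && $1 != want { next }
        {
            # V only means "not revoked": an entry past its expiry stays V until
            # "openssl ca -updatedb" marks it E, so compare $2 with the current
            # time before relying on a "valid" line.
            status = ($1 == "V") ? "valid" : (($1 == "R") ? "revoked" : "expired")
            out = status "\tserial=" $4 "\texpires=" $2 "\t" $6
            if ($1 == "R") {
                n = split($3, rev, ",")          # "YYMMDDHHMMSSZ[,reason]"
                out = out "\trevoked=" rev[1]
                if (n > 1) out = out "\treason=" rev[2]
            }
            print out
        }' "$1"
}

# Constructed sample database (placeholder entries, not real certificates).
clca_sample_index() {
    printf 'V\t351231235959Z\t\t01\tunknown\t/CN=Demo Sub CA\n'
    printf 'R\t351231235959Z\t240601120000Z,keyCompromise\t02\tunknown\t/CN=Old Sub CA\n'
    printf 'E\t200101000000Z\t\t03\tunknown\t/CN=Expired Sub CA\n'
}

# Stand-alone run: write the sample and list it with no filter, valid, revoked.
sample=$(mktemp) && clca_sample_index > "$sample"
for f in '' valid revoked; do
    echo "== filter: ${f:-<none>}"
    clca_list "$sample" "$f"
done
rm -f "$sample"
```

The revocation reason is printed because it is what an incident responder
needs from the database: a 'keyCompromise' entry means every certificate
issued under that Sub CA is suspect, whereas 'superseded' is routine rollover.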
Issuing CRLs
============
For creating a new CRL run
$ clca issue_crl
This will create a new CRL and write it to the directory
crls/YYYYMMDDHHMMSS.crl. (The capital letters are replaced with
the current time stamp.)
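The four operations described above (CA initialization, signing a request,
revoking a certificate and issuing a CRL) performed directly with 'openssl ca',
which is the machinery clca drives. This is an added example and not clca's
own code: the directory names follow this README, while the openssl.cnf
contents, the CA names and the Sub CA request are constructed for the demo.
The root key is generated unencrypted so that the demo runs unattended; a real
software CA key is passphrase-protected (see "Root key generation") or never
leaves the HSM.

```shell
#!/bin/sh
# Added example, not clca's own code: the initialize / certify / revoke /
# issue_crl steps from the README done directly with the 'openssl ca'
# machinery that clca wraps. Directory names follow the README; the config
# contents, the CA names and the Sub CA request are constructed for the demo.

# Minimal openssl.cnf. ${ENV::CA_HOME} makes openssl take the CA directory
# from the environment, so no path has to be patched into the file.
clca_demo_write_config() {  # $1 = config file to create
    cat > "$1" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ${ENV::CA_HOME}
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca/cacert.pem
private_key = $dir/private/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 1825
default_crl_days = 30
policy = policy_cn
x509_extensions = v3_subca
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# "clca initialize": refuse to overwrite an existing CA, lay out the tree and
# create the self-signed root. -nodes is for the demo only; a real software
# root key is passphrase-protected, or the key never leaves the HSM.
clca_demo_initialize() {  # $1 = CA_HOME
    CA_HOME=$1; export CA_HOME
    [ -e "$CA_HOME/ca/cacert.pem" ] && { echo "CA exists, refusing to overwrite" >&2; return 1; }
    mkdir -p "$CA_HOME/etc" "$CA_HOME/ca" "$CA_HOME/certs" "$CA_HOME/crls" || return 1
    mkdir -p -m 700 "$CA_HOME/private" || return 1
    clca_demo_write_config "$CA_HOME/etc/openssl.cnf"
    : > "$CA_HOME/index.txt"; echo 01 > "$CA_HOME/serial"; echo 01 > "$CA_HOME/crlnumber"
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$CA_HOME/etc/openssl.cnf" -extensions v3_root -subj "/CN=Demo Root CA" \
        -keyout "$CA_HOME/private/ca.key" -out "$CA_HOME/ca/cacert.pem" 2>/dev/null )
}

# "clca certify <request>": accept PEM or DER, sign with the Sub CA profile;
# openssl ca keeps certs/<SERIAL>.pem, the newest certificate lands in ./newcert.pem.
clca_demo_certify() {  # $1 = PKCS#10 request file
    req=$1
    if ! openssl req -in "$req" -noout -config "$CA_HOME/etc/openssl.cnf" 2>/dev/null; then
        openssl req -inform DER -in "$req" -out "$CA_HOME/request.pem" \
            -config "$CA_HOME/etc/openssl.cnf" 2>/dev/null || return 1
        req=$CA_HOME/request.pem
    fi
    openssl ca -batch -notext -config "$CA_HOME/etc/openssl.cnf" -in "$req" -out newcert.pem
}

# "clca revoke <serial>": the database entry is marked R, with a reason.
clca_demo_revoke() {  # $1 = serial (hex), $2 = CRL reason (default unspecified)
    openssl ca -config "$CA_HOME/etc/openssl.cnf" -revoke "$CA_HOME/certs/$1.pem" \
        -crl_reason "${2:-unspecified}"
}

# "clca issue_crl": crls/YYYYMMDDHHMMSS.crl (one file name per second); prints the path.
clca_demo_issue_crl() {
    out=$CA_HOME/crls/$(date +%Y%m%d%H%M%S).crl
    openssl ca -config "$CA_HOME/etc/openssl.cnf" -gencrl -out "$out" && printf '%s\n' "$out"
}

# The relying-party view: chain to the root plus CRL check; prints valid or rejected.
clca_demo_status() {  # $1 = certificate, $2 = CRL
    if openssl verify -CAfile "$CA_HOME/ca/cacert.pem" -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1
    then echo valid; else echo rejected; fi
}

# Whole lifecycle in a throwaway directory. The body is a subshell, so cd, the
# exported CA_HOME and the exits stay local. Returns 0 when behaviour matches the README.
clca_demo_run() (
    w=$(mktemp -d) && cd "$w" || exit 1
    clca_demo_initialize "$w/rootca" || exit 1
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_HOME/etc/openssl.cnf" \
        -subj "/CN=Demo Sub CA" -keyout subca.key -outform DER -out subca.der 2>/dev/null || exit 1
    clca_demo_certify subca.der || exit 1
    before=$(clca_demo_status newcert.pem "$(clca_demo_issue_crl)")
    clca_demo_revoke 01 keyCompromise || exit 1
    after=$(clca_demo_status newcert.pem "$(clca_demo_issue_crl)")
    echo "before revocation: $before; after revocation: $after"
    [ "$before" = valid ] && [ "$after" = rejected ]
)
```

Run clca_demo_run and the last line should read "before revocation: valid;
after revocation: rejected". The CRL file name has one-second granularity, so
two CRLs issued within the same second overwrite each other on disk; rely on
the CRL number inside the CRL, not on the file name, to tell issues apart.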
Checking software integrity
===========================
Integrity checks of the configuration and all required external programs
can be performed by running
$ clca check
This command reports individual checksums for the configuration
files and one compound checksum over all external UNIX utilities
used by the script.
A trusted md5sum program is required for this to work. In addition,
the ca script itself must be checked, e.g. using the md5sum program,
to ensure that it has not been tampered with.
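What such a check amounts to, as an added example that is not clca's own
code: a baseline/verify pair with one md5 per configuration file and one
compound checksum over the external utilities. The file names and the tool
list are assumptions of the example; the list is limited to programs found
on any Unix host so that the demo runs offline, and a real list would add
openssl and the CA script itself.

```shell
#!/bin/sh
# Added example, not clca's own code: what 'clca check' describes, as a
# baseline/verify pair. One md5 per configuration file plus one compound
# checksum over the external utilities. File names and the tool list are
# assumptions; the list is kept to programs found on any Unix host so the
# demo runs offline (a real list would add openssl and the CA script).
CLCA_CHECKED_FILES="etc/clca.cfg etc/openssl.cnf bin/clca"
CLCA_TOOLS="sh tar gzip md5sum"

# Resolve each tool to the file actually executed (following symlinks, e.g.
# busybox applets), so a different PATH at check time cannot hide a swap.
clca_tool_paths() {
    for t in $CLCA_TOOLS; do
        p=$(command -v "$t") || { echo "missing tool: $t" >&2; return 1; }
        readlink -f "$p" 2>/dev/null || printf '%s\n' "$p"
    done
}

# Compound checksum: md5 over the sorted list of per-binary md5 lines. It
# covers md5sum itself, which only proves something if the md5sum used here
# is trusted: exactly the caveat the README makes.
clca_tool_checksum() {
    paths=$(clca_tool_paths) || return 1
    printf '%s\n' "$paths" | sort -u |
        while IFS= read -r p; do md5sum "$p"; done | md5sum | cut -d' ' -f1
}

# Record the baseline. Keep it where the CA host cannot quietly rewrite it
# (offline media, a signed copy); a baseline on the same disk catches accidents only.
clca_baseline() {  # $1 = CA_HOME, $2 = baseline file to write
    tools=$(clca_tool_checksum) || return 1
    ( cd "$1" && md5sum $CLCA_CHECKED_FILES ) > "$2" || return 1
    printf 'TOOLS %s\n' "$tools" >> "$2"
}

# Verify: 0 if everything matches, 1 if a file changed or vanished or a tool differs.
clca_verify() {  # $1 = CA_HOME, $2 = baseline file
    tmp=$(mktemp) || return 1
    grep -v '^TOOLS ' "$2" > "$tmp" || :
    if ! ( cd "$1" && md5sum -c "$tmp" >/dev/null 2>&1 ); then
        rm -f "$tmp"; echo "configuration or script changed since baseline" >&2; return 1
    fi
    rm -f "$tmp"
    want=$(sed -n 's/^TOOLS //p' "$2"); have=$(clca_tool_checksum) || return 1
    [ "$want" = "$have" ] || { echo "external utilities changed since baseline" >&2; return 1; }
}

# Constructed stand-in for a CA_HOME (placeholder contents, not clca's files).
clca_demo_tree() {  # $1 = directory to create
    mkdir -p "$1/etc" "$1/bin" || return 1
    printf 'ENGINE=software\n' > "$1/etc/clca.cfg"
    printf '[ ca ]\ndefault_ca = demo\n' > "$1/etc/openssl.cnf"
    printf '#!/bin/sh\necho demo\n' > "$1/bin/clca"
}

# Demo: a clean tree passes, a tree with an edited clca.cfg fails. Returns 0 when both hold.
clca_demo() {
    d=$(mktemp -d) || return 1
    clca_demo_tree "$d" || return 1
    clca_baseline "$d" "$d/baseline.md5" || return 1
    clca_verify "$d" "$d/baseline.md5" || return 1
    printf 'ENGINE=nfast\n' >> "$d/etc/clca.cfg"
    if clca_verify "$d" "$d/baseline.md5" 2>/dev/null; then return 1; fi
    echo "integrity check: clean tree passed, modified clca.cfg was detected"
    rm -rf "$d"
}

clca_demo
```

The baseline file is only as good as its storage: written to the CA disk it
detects accidental edits, but an attacker who can alter clca.cfg can rewrite
the baseline too, which is why the README wants the script checked with a
trusted md5sum from outside the system.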
Creating CA backups
===================
At any time it is possible to create a snapshot of the current CA status,
including the certificate database, revocation state and all related
data (including private keys if no HSM is used).
To create such a backup simply run
$ clca backup [filename]
This will create a gzip compressed tar backup in the current directory
named YYYYMMDDHHMMSS-ca-backup.tar.gz if no filename is specified,
otherwise it will create the specified file.
This backup contains all information to recover the CA to the
state it was in when the backup command was run. To recover to this
point simply erase the $CA_HOME directory and extract the desired
backup archive. This will restore the configuration files, the ca executable
and the certificate database.
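The snapshot and recovery cycle above, as an added example that is not clca's
own code: the archive name follows this README, the restore refuses an
existing target instead of merging into it, and a content fingerprint proves
the restore is exact. The CA_HOME contents used by the demo are constructed
placeholders.

```shell
#!/bin/sh
# Added example, not clca's own code: the snapshot and recovery cycle that
# 'clca backup' provides. The archive name follows the README; the CA_HOME
# contents used in the demo are constructed placeholders.

# Gzip-compressed tar of CA_HOME, named YYYYMMDDHHMMSS-ca-backup.tar.gz in the
# current directory unless a name is given. Prints the absolute archive path.
clca_backup() {  # $1 = CA_HOME, $2 = optional output filename
    out=${2:-$(date +%Y%m%d%H%M%S)-ca-backup.tar.gz}
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    # umask 077: without an HSM the archive contains the private key, so it must
    # never be group- or world-readable, not even briefly.
    ( umask 077 && tar -czf "$out" -C "$1" . ) || return 1
    tar -tzf "$out" >/dev/null || return 1     # a backup that cannot be listed is no backup
    printf '%s\n' "$out"
}

# Recover into a fresh directory. The README says "erase $CA_HOME and extract";
# refusing an existing target keeps a mistyped path from merging two CA states.
# -p restores the recorded modes (private/ 0700, key 0600) regardless of umask.
clca_restore() {  # $1 = archive, $2 = target CA_HOME (must not exist yet)
    [ -e "$2" ] && { echo "refusing to restore over existing $2" >&2; return 1; }
    mkdir -p "$2" && tar -xzpf "$1" -C "$2"
}

# Content fingerprint of a tree (sorted per-file md5 lines, hashed once), to
# prove a restore reproduced the snapshot byte for byte.
clca_tree_digest() {  # $1 = directory
    ( cd "$1" && find . -type f | sort |
        while IFS= read -r f; do md5sum "$f"; done | md5sum | cut -d' ' -f1 )
}

# Constructed stand-in for a software CA's CA_HOME.
clca_demo_tree() {  # $1 = directory to create
    mkdir -p "$1/etc" "$1/ca" "$1/certs" "$1/crls" && mkdir -p -m 700 "$1/private" || return 1
    printf 'ENGINE=software\n' > "$1/etc/clca.cfg"
    printf 'V\t351231235959Z\t\t01\tunknown\t/CN=Demo Sub CA\n' > "$1/index.txt"
    ( umask 077 && printf 'placeholder, not a real key\n' > "$1/private/ca.key" )
}

# Demo: back up, restore elsewhere, compare. Returns 0 when the restore is exact,
# the key mode survived and a second restore over the same target is refused.
clca_demo() {
    w=$(mktemp -d) || return 1
    clca_demo_tree "$w/ca_home" || return 1
    archive=$(cd "$w" && clca_backup "$w/ca_home") || return 1
    clca_restore "$archive" "$w/restored" || return 1
    if clca_restore "$archive" "$w/restored" 2>/dev/null; then return 1; fi
    [ "$(clca_tree_digest "$w/ca_home")" = "$(clca_tree_digest "$w/restored")" ] || return 1
    find "$w/restored/private/ca.key" -perm 600 | grep -q . || return 1
    echo "backup ${archive##*/} restored exactly, private key mode preserved"
    rm -rf "$w"
}

clca_demo
```

Because the archive holds the private key when no HSM is in use, treat it like
the key itself: move it to offline storage, and do not leave the
timestamped file in a directory that is synchronised or world-readable.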