# PKI
- Getting Started
- Installation
- Result of the installation
- Certificate Generation
  - TLS Server
  - TLS Client
  - Identity
  - Encryption
  - Time Stamping
- Revocation of certificates
  - Revocation of certificates from component
  - Revocation of certificates from identity
- CRL and OCSP Generation
  - Generate CRL
  - OCSP
- Publish Bundles
- Authors
Getting Started :
Here you will find the files and commands used to create your PKI.
Let's take a look at the content of this repository: two folders, conf and script.
conf contains the OpenSSL configuration files for the different types of certificates; script contains the scripts that generate the different types of certificates.
At the root you will find setup.sh, which creates the directories and files needed to generate the PKI and also generates the first four certificate authorities: root, network, identity and component.
Warning: the first thing setup.sh does is delete the .git directory, so you cannot pull updates of the project afterwards; setup.sh also modifies all your conf files.
Let's look at exactly what our chain will look like. The script creates several certificates:

```
            root-ca.crt
                 |
                 |
           network-ca.crt
        _________|_________
       |                   |
  identity-ca         component-ca
   ____|____           ____|____
  |         |         |         |
ident    encrypt   TLS-Serv  TLS-Cli
```
- root-ca : Root CA certificate (the self-signed trust anchor)
- network-ca : Subordinate CA certificate, signed by root-ca
- identity-ca : Subordinate CA that signs the S/MIME (identity and encryption) certificates
- component-ca : Subordinate CA that signs the TLS certificates
- ident : end-entity certificate; key usage digitalSignature; extended key usages E-mail Protection (S/MIME), msSmartcardLogin, clientAuth
- encrypt : end-entity certificate; key usage keyEncipherment; extended key usages E-mail Protection (S/MIME), Microsoft Encrypted File System
- TLS-Serv : end-entity certificate; key usages digitalSignature, keyEncipherment; extended key usages serverAuth, clientAuth
- TLS-Cli : end-entity certificate; key usage digitalSignature; extended key usage clientAuth
- Timestamp : end-entity certificate; key usage digitalSignature; extended key usage OCSPSigning (as listed here; note that an RFC 3161 time-stamping certificate must carry the timeStamping extended key usage, marked critical, and TSA clients reject a certificate without it, so check conf/timestamp.conf before using this certificate for that purpose)
- OCSP : end-entity certificate; key usage digitalSignature; extended key usage OCSPSigning
Let's go!
2 - Installation :
Start by cloning this repository, then go to the pki folder (the root folder of the project).
Now run ./setup.sh.
WARNING: on Alpine Linux you must install the coreutils package first (the BusyBox date command does not accept the options the scripts use).
This is what your pki folder should look like:
```
.
├── LICENSE
├── README.md
├── ca
│   ├── component-ca
│   │   ├── db
│   │   │   ├── component-ca.crl.srl
│   │   │   ├── component-ca.crl.srl.old
│   │   │   ├── component-ca.crt.srl
│   │   │   ├── component-ca.db
│   │   │   └── component-ca.db.attr
│   │   └── private
│   │       └── component-ca.key
│   ├── component-ca-chain.pem
│   ├── component-ca.crt
│   ├── component-ca.csr
│   ├── identity-ca
│   │   ├── db
│   │   │   ├── identity-ca.crl.srl
│   │   │   ├── identity-ca.crl.srl.old
│   │   │   ├── identity-ca.crt.srl
│   │   │   ├── identity-ca.db
│   │   │   └── identity-ca.db.attr
│   │   └── private
│   │       └── identity-ca.key
│   ├── identity-ca-chain.pem
│   ├── identity-ca.crt
│   ├── identity-ca.csr
│   ├── network-ca
│   │   ├── 01.pem
│   │   ├── 02.pem
│   │   ├── db
│   │   │   ├── network-ca.crl.srl
│   │   │   ├── network-ca.crl.srl.old
│   │   │   ├── network-ca.crt.srl
│   │   │   ├── network-ca.crt.srl.old
│   │   │   ├── network-ca.db
│   │   │   ├── network-ca.db.attr
│   │   │   ├── network-ca.db.attr.old
│   │   │   └── network-ca.db.old
│   │   └── private
│   │       └── network-ca.key
│   ├── network-ca-chain.pem
│   ├── network-ca.crt
│   ├── network-ca.csr
│   ├── root-ca
│   │   ├── 01.pem
│   │   ├── 02.pem
│   │   ├── db
│   │   │   ├── root-ca.crl.srl
│   │   │   ├── root-ca.crl.srl.old
│   │   │   ├── root-ca.crt.srl
│   │   │   ├── root-ca.crt.srl.old
│   │   │   ├── root-ca.db
│   │   │   ├── root-ca.db.attr
│   │   │   ├── root-ca.db.attr.old
│   │   │   └── root-ca.db.old
│   │   └── private
│   │       └── root-ca.key
│   ├── root-ca.crt
│   └── root-ca.csr
├── certs
├── conf
│   ├── client.conf
│   ├── component-ca.conf
│   ├── encryption.conf
│   ├── identity-ca.conf
│   ├── identity.conf
│   ├── network-ca.conf
│   ├── ocspsign.conf
│   ├── root-ca.conf
│   ├── server.conf
│   └── timestamp.conf
├── crl
│   ├── component-ca.crl
│   ├── identity-ca.crl
│   ├── network-ca.crl
│   └── root-ca.crl
├── script
│   ├── new_OCSP_cert.sh
│   ├── new_client_cert.sh
│   ├── new_component_CRL.sh
│   ├── new_encryption_cert.sh
│   ├── new_ident_cert.sh
│   ├── new_identity_CRL.sh
│   ├── new_server_cert.sh
│   ├── new_time-stamping_cert.sh
│   ├── publish_bundle.sh
│   ├── revoke_component_cert.sh
│   └── revoke_identity_cert.sh
└── setup.sh
```
Congratulations you are the proud owner of a brand new PKI!
3 - Result of the installation
You have just generated your certificate chain, together with the keys and CSRs that go with it, and the concatenated chain files (the *-chain.pem files). The first CRLs are also created; remember to regenerate them after every revocation and before they expire: a CRL past its next update date makes clients that check CRLs reject every certificate of that CA.
4 - Certificate Generation :
4.1 - TLS Server
We will use the dedicated script, script/new_server_cert.sh. It must be followed by one or more arguments: the fully qualified host names the certificate has to cover. Example command:
script/new_server_cert.sh www.watchmen.fr watchmen.fr
WARNING: all the scripts are made to be launched from the root directory of the pki.
This will generate a key, a CSR and a certificate named tls-server-www.watchmen.fr.crt (after the first name given), all three in the folder certs/.
The certificate will be valid for all the names passed as parameters. A certificate covering several host names has to list them in its Subject Alternative Name extension, so check with openssl x509 -noout -text that every name you passed is present before deploying it.
4.2 - TLS Client
Again, there is a script dedicated to client certificate creation, script/new_client_cert.sh. It must be followed by two arguments: the user's first name, then the last name. Example command:
script/new_client_cert.sh Walter KOVACS
This will generate a key, a CSR, a certificate and a PKCS#12 bundle named tls-client-Walter-KOVACS.p12. The .p12 bundle holds the private key together with the certificate, so treat it like the private key itself: hand it to the user over a secure channel and do not leave copies lying around.
4.3 - Identity
Guess what? There is a script dedicated to identity certificate creation, script/new_ident_cert.sh. It must be followed by three arguments: the user's first name, last name and e-mail address. Example command:
script/new_ident_cert.sh Walter KOVACS <email address>
This will generate a key, a CSR, a certificate and a PKCS#12 bundle named mime-ident-Walter-KOVACS.p12.
4.4 - Encryption
Well, it's not funny anymore, but... there is a script dedicated to encryption certificate creation, script/new_encryption_cert.sh. It must be followed by three arguments: the user's first name, last name and e-mail address. Example command:
script/new_encryption_cert.sh Walter KOVACS <email address>
This will generate a key, a CSR, a certificate and a PKCS#12 bundle named mime-encrypt-Walter-KOVACS.p12.
4.5 - Time Stamping
There is a script dedicated to this one too, script/new_time-stamping_cert.sh. It takes no parameters; adjust conf/timestamp.conf to your needs.
script/new_time-stamping_cert.sh
5 - Revocation of certificates :
5.1 - Revocation of certificates from component
The script is script/revoke_component_cert.sh.
It contains the command to use but is not dynamic: edit the certificate path (and the revocation reason) in it yourself according to your needs. Revoking only updates the CA database; nobody sees the revocation until you regenerate and publish the CRL (see CRL and OCSP below).
5.2 - Revocation of certificates from identity
The script is script/revoke_identity_cert.sh.
It contains the command to use but is not dynamic: edit the certificate path (and the revocation reason) in it yourself according to your needs. The same applies here: regenerate the CRL after revoking.
6 - CRL and OCSP
The three generation scripts described in this chapter take no arguments and only refresh what was already generated during setup.
6.1 - Generate CRL
The CRL scripts are script/new_component_CRL.sh and script/new_identity_CRL.sh, one per issuing CA, as shown in the directory listing above. Run the matching one after each revocation, and in any case before the current CRL's next update date.
6.2 - OCSP
script/new_OCSP_cert.sh generates the OCSP signing certificate (key usage digitalSignature, extended key usage OCSPSigning) that an OCSP responder uses to sign its responses.
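The issuance, verification, revocation and CRL steps of sections 4, 5 and 6, as an added example that is not code from this project: it builds a throwaway root CA and one issuing CA with the plain openssl primitives the scripts in script/ wrap (req, ca -batch, ca -revoke, ca -gencrl, verify), issues a TLS server certificate with two DNS names, and then shows that verification fails without the intermediate, that a host name is only accepted when it appears in the SAN, and that a revoked certificate is still accepted until the CRL is regenerated and actually checked. The directory layout, the config sections and the example.test names are assumptions for the demo, not the project's own.

```shell
# Added example, not code from this project: a throwaway root CA plus one issuing CA,
# built with the openssl primitives the scripts in script/ wrap. Paths, names and
# the config below are assumptions for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export CA_DIR="$WORK/root"   # selects which CA database `openssl ca` works on

cat > "$WORK/ca.conf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = overridden-by-subj
[ ca ]
default_ca = any_ca
[ any_ca ]
dir              = ${ENV::CA_DIR}
database         = $dir/db
new_certs_dir    = $dir/issued
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
unique_subject   = no
[ any_policy ]
commonName = supplied
[ root_ext ]
basicConstraints     = critical,CA:true
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ sub_ext ]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

init_ca_db() {  # the db, serial and CRL-number files setup.sh creates for each CA
  mkdir -p "$1/issued"; : > "$1/db"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
}
init_ca_db "$WORK/root"; init_ca_db "$WORK/sub"

# Self-signed root, an issuing CA signed by it, and the concatenated chain file.
openssl req -config "$WORK/ca.conf" -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Root CA" -extensions root_ext \
  -keyout "$WORK/root/ca.key" -out "$WORK/root/ca.crt" 2>/dev/null
openssl req -config "$WORK/ca.conf" -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout "$WORK/sub/ca.key" -out "$WORK/sub/ca.csr" 2>/dev/null
CA_DIR=$WORK/root openssl ca -config "$WORK/ca.conf" -batch -notext -extensions sub_ext \
  -in "$WORK/sub/ca.csr" -out "$WORK/sub/ca.crt" >/dev/null 2>&1
cat "$WORK/sub/ca.crt" "$WORK/root/ca.crt" > "$WORK/chain.pem"

new_server_cert() {  # new_server_cert <file-name> <dns1> [dns2 ...]: every name goes in the SAN
  name=$1; shift
  san=$(printf 'DNS:%s,' "$@"); san=${san%,}
  printf '[ server_ext ]\nbasicConstraints = CA:false\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth,clientAuth\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\nsubjectAltName = %s\n' "$san" > "$WORK/$name.ext"
  openssl req -config "$WORK/ca.conf" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  CA_DIR=$WORK/sub openssl ca -config "$WORK/ca.conf" -batch -notext -extfile "$WORK/$name.ext" \
    -extensions server_ext -in "$WORK/$name.csr" -out "$WORK/$name.crt" >/dev/null 2>&1
}
cert_sans() {  # prints the SAN list of a certificate, e.g. DNS:a.example,DNS:b.example
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
verify_cert() {  # verify_cert <cert> [openssl verify options]; only the root is trusted
  cert=$1; shift
  openssl verify -CAfile "$WORK/root/ca.crt" "$@" "$cert" >/dev/null 2>&1
}
revoke_cert() {  # marks the cert revoked in the issuing CA's database; nothing is published yet
  CA_DIR=$WORK/sub openssl ca -config "$WORK/ca.conf" -revoke "$1" -crl_reason keyCompromise >/dev/null 2>&1
}
gen_crl() {  # publishes the revocations: a fresh CRL signed by the issuing CA
  CA_DIR=$WORK/sub openssl ca -config "$WORK/ca.conf" -gencrl -out "$WORK/sub/ca.crl" >/dev/null 2>&1
}
check() {  # check <label> <ok|fail> <cert> [verify options]: prints the outcome
  label=$1; expect=$2; shift 2
  if verify_cert "$@"; then got=ok; else got=fail; fi
  echo "$label: $got (expected $expect)"
}

GOOD=$WORK/tls-server-www.example.test.crt; OLD=$WORK/tls-server-old.example.test.crt
new_server_cert tls-server-www.example.test www.example.test example.test
new_server_cert tls-server-old.example.test old.example.test
revoke_cert "$OLD"; gen_crl
echo "SAN of the server cert: $(cert_sans "$GOOD")"
check "chain file supplied"       ok   "$GOOD" -untrusted "$WORK/chain.pem"
check "intermediate missing"      fail "$GOOD"
check "hostname not in the SAN"   fail "$GOOD" -untrusted "$WORK/chain.pem" -verify_hostname other.example.test
check "revoked, CRL not checked"  ok   "$OLD"  -untrusted "$WORK/chain.pem"
check "revoked, CRL checked"      fail "$OLD"  -untrusted "$WORK/chain.pem" -CRLfile "$WORK/sub/ca.crl" -crl_check
```

Run it from any directory with openssl in PATH; everything lands in a temporary directory that is removed on exit, and dropping the >/dev/null 2>&1 redirects shows what openssl ca complains about when a step fails. The last two checks are the point of the revocation and CRL sections: openssl ca -revoke only updates the CA database, and relying parties keep accepting the certificate until a fresh CRL is generated and they are configured to check it (here -crl_check with the issuing CA's CRL). For the DER conversion of the next section, openssl x509 -outform DER and openssl crl -outform DER each convert a single object; a chain file holds several certificates, so a DER bundle of a whole chain is a PKCS#7 container (openssl crl2pkcs7 -nocrl -certfile chain.pem -outform DER).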
7 - Publish Bundles
In script/publish_bundle.sh there are three commands that convert the certificates, certificate chains and CRLs to DER format. Keep in mind that a DER file holds a single object: running openssl x509 on a PEM chain file converts only the first certificate in it, so a multi-certificate chain in DER form needs a PKCS#7 container (openssl crl2pkcs7).
Authors
- Youenn DUVAL
- Antoine Mazéas
Inspired by the work of Stefan H. Holek
Source: https://pki-tutorial.readthedocs.io/en/latest/index.html