A way to easily deploy a basic Public Key Infrastructure. https://www.barbed.fr

PKI

  1. Getting Started
  2. Installation
  3. Result of the installation
  4. Certificate Generation
    1. TLS Server
    2. TLS Client
    3. Identity
    4. Encryption
    5. Time Stamping
  5. Revocation of certificates
    1. Revocation of certificates from component
    2. Revocation of certificates from identity
  6. CRL and OCSP Generation
    1. Generate CRL
    2. OCSP
  7. Publish Bundles
  8. Authors

1 - Getting Started

Here you will find the files and commands used to create your pki.

Let’s take a look at the content of this git:

Two folders, conf and script. conf contains the configuration files for the different types of certificates, and script contains the scripts that generate those certificates.

At the root you will find setup.sh, which creates the directories and files needed to generate the PKI and also generates the first four certificate authorities: root, network, identity and component.

Warning: the first thing setup.sh does is delete the .git directory. You cannot update the project afterwards, and setup.sh modifies all your conf files.

Let’s look at exactly what our chain will look like:

 This script creates several certificates
    
                  root-ca.crt
                       |
                       |
               network-ca.crt
             __________|__________
            |                     |
       identity-ca           component-ca
       _____|_____           _____|_____
      |           |         |           | 
    ident    encrypt     TLS-Serv   TLS-Cli
 

 root-ca   : Root CA Certificate
 network-ca  : Subordinate CA Certificate
 identity-ca : Subordinate CA for signature S/MIME
 component-ca  : Subordinate CA for signature TLS
 ident     : Certificate > digitalSignature
                               E-mail Protection (S/MIME) 
                               msSmartcardLogin,
                               clientAuth
 encrypt   : Certificate > keyEncipherment
                               E-mail Protection (S/MIME)
                               Microsoft Encrypted File System
 TLS-Serv    : Certificate > digitalSignature
                               keyEncipherment
                               serverAuth
                               clientAuth
 TLS-Cli   : Certificate > digitalSignature
                               clientAuth
 Timestamp     : Certificate > digitalSignature
                               OCSPSigning
 OCSP          : Certificate > digitalSignature
                               OCSPSigning

Let’s go!

2 - Installation

Start by cloning this git then go to the folder pki (the root folder of the project). Now run ./setup.sh.

WARNING: on Alpine Linux you must install the coreutils package (the scripts have a problem with Alpine’s version of the date command).

That’s what your pki folder should look like:

.
├── LICENSE
├── README.md
├── ca
│   ├── component-ca
│   │   ├── db
│   │   │   ├── component-ca.crl.srl
│   │   │   ├── component-ca.crl.srl.old
│   │   │   ├── component-ca.crt.srl
│   │   │   ├── component-ca.db
│   │   │   └── component-ca.db.attr
│   │   └── private
│   │       └── component-ca.key
│   ├── component-ca-chain.pem
│   ├── component-ca.crt
│   ├── component-ca.csr
│   ├── identity-ca
│   │   ├── db
│   │   │   ├── identity-ca.crl.srl
│   │   │   ├── identity-ca.crl.srl.old
│   │   │   ├── identity-ca.crt.srl
│   │   │   ├── identity-ca.db
│   │   │   └── identity-ca.db.attr
│   │   └── private
│   │       └── identity-ca.key
│   ├── identity-ca-chain.pem
│   ├── identity-ca.crt
│   ├── identity-ca.csr
│   ├── network-ca
│   │   ├── 01.pem
│   │   ├── 02.pem
│   │   ├── db
│   │   │   ├── network-ca.crl.srl
│   │   │   ├── network-ca.crl.srl.old
│   │   │   ├── network-ca.crt.srl
│   │   │   ├── network-ca.crt.srl.old
│   │   │   ├── network-ca.db
│   │   │   ├── network-ca.db.attr
│   │   │   ├── network-ca.db.attr.old
│   │   │   └── network-ca.db.old
│   │   └── private
│   │       └── network-ca.key
│   ├── network-ca-chain.pem
│   ├── network-ca.crt
│   ├── network-ca.csr
│   ├── root-ca
│   │   ├── 01.pem
│   │   ├── 02.pem
│   │   ├── db
│   │   │   ├── root-ca.crl.srl
│   │   │   ├── root-ca.crl.srl.old
│   │   │   ├── root-ca.crt.srl
│   │   │   ├── root-ca.crt.srl.old
│   │   │   ├── root-ca.db
│   │   │   ├── root-ca.db.attr
│   │   │   ├── root-ca.db.attr.old
│   │   │   └── root-ca.db.old
│   │   └── private
│   │       └── root-ca.key
│   ├── root-ca.crt
│   └── root-ca.csr
├── certs
├── conf
│   ├── client.conf
│   ├── component-ca.conf
│   ├── encryption.conf
│   ├── identity-ca.conf
│   ├── identity.conf
│   ├── network-ca.conf
│   ├── ocspsign.conf
│   ├── root-ca.conf
│   ├── server.conf
│   └── timestamp.conf
├── crl
│   ├── component-ca.crl
│   ├── identity-ca.crl
│   ├── network-ca.crl
│   └── root-ca.crl
├── script
│   ├── new_OCSP_cert.sh
│   ├── new_client_cert.sh
│   ├── new_component_CRL.sh
│   ├── new_encryption_cert.sh
│   ├── new_ident_cert.sh
│   ├── new_identity_CRL.sh
│   ├── new_server_cert.sh
│   ├── new_time-stamping_cert.sh
│   ├── publish_bundle.sh
│   ├── revoke_component_cert.sh
│   └── revoke_identity_cert.sh
└── setup.sh

Congratulations you are the proud owner of a brand new PKI!

3 - Result of the installation

So you have just generated your certificate chain, with the keys and CSRs that go with it, as well as the certificate concatenations used as chain files. The first CRLs are also created, but remember to regenerate them when you need them.

4 - Certificate Generation

4.1 - TLS Server

We use the dedicated script, script/new_server_cert.sh. It must be followed by one or more arguments, namely valid domain names. Example command:

script/new_server_cert.sh www.watchmen.fr watchmen.fr

WARNING: all the scripts are made to be launched from the root directory of the pki

This will generate a key, a CSR and a certificate named tls-server-www.watchmen.fr.crt, all three in the certs/ folder. The certificate is valid for all the domains passed as parameters.
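The hierarchy drawn above and the TLS server profile from this section, as an added shell example that is not one of the repository’s scripts: it rebuilds a minimal copy of the root-ca → network-ca → component-ca → tls-server chain with the openssl CLI, then verifies the leaf with and without the intermediate chain file and reads back its extendedKeyUsage. The key size, validity periods and file names are assumptions; the repository’s conf files are not used.

```shell
#!/bin/sh
# Added example (not one of the repository's scripts): rebuild a minimal copy of the
# chain described above (root-ca -> network-ca -> component-ca -> tls-server) with
# the key usages from the table, then check the leaf as a relying party would.
# Needs only the openssl CLI; every file goes to a temporary directory.
set -e
WORK=$(mktemp -d)
# new_ca NAME [ISSUER]: CA certificate; with no issuer it is the self-signed root
new_ca() {
  n=$1; issuer=$2
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/$n.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$n.key" -subj "/CN=$n" \
    -out "$WORK/$n.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$n.csr" -signkey "$WORK/$n.key" -days 3650 \
      -extfile "$WORK/$n.ext" -out "$WORK/$n.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$n.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 1825 -extfile "$WORK/$n.ext" -out "$WORK/$n.crt" 2>/dev/null
  fi
}
# new_server HOST...: leaf named tls-server-HOST.crt like the page's script; each argument is a DNS SAN
new_server() {
  san=""; for h in "$@"; do san="$san${san:+,}DNS:$h"; done
  f="$WORK/tls-server-$1"
  printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=%s\n' "$san" >"$f.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$f.key" -subj "/CN=$1" -out "$f.csr" 2>/dev/null
  openssl x509 -req -in "$f.csr" -CA "$WORK/component-ca.crt" -CAkey "$WORK/component-ca.key" \
    -CAcreateserial -days 365 -extfile "$f.ext" -out "$f.crt" 2>/dev/null
}
# verify_leaf HOST: succeeds only if the leaf chains to root-ca through the intermediates
# in component-ca-chain.pem (the chain file setup.sh produces)
verify_leaf() {
  cat "$WORK/network-ca.crt" "$WORK/component-ca.crt" >"$WORK/component-ca-chain.pem"
  openssl verify -CAfile "$WORK/root-ca.crt" -untrusted "$WORK/component-ca-chain.pem" \
    "$WORK/tls-server-$1.crt" >/dev/null
}
# needs_chain HOST: succeeds if verification FAILS without the intermediates, which is
# why the chain file must be distributed together with the leaf
needs_chain() { ! openssl verify -CAfile "$WORK/root-ca.crt" "$WORK/tls-server-$1.crt" >/dev/null 2>&1; }
# eku_of HOST: extendedKeyUsage values of the leaf, as openssl prints them
eku_of() { openssl x509 -in "$WORK/tls-server-$1.crt" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'; }
new_ca root-ca; new_ca network-ca root-ca; new_ca component-ca network-ca
new_server www.watchmen.fr watchmen.fr
verify_leaf www.watchmen.fr && needs_chain www.watchmen.fr && echo "chain OK: $(eku_of www.watchmen.fr)"
```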

4.2 - TLS Client

Again, there is a script dedicated to client certificate creation, script/new_client_cert.sh. It must be followed by two arguments: the first name, then the user’s last name. Example command:

script/new_client_cert.sh Walter KOVACS

This will generate a key, a CSR, a certificate and a PKCS#12 bundle named tls-client-Walter-KOVACS.p12.

4.3 - Identity

Guess what? There is a script dedicated to identity certificate creation, script/new_ident_cert.sh. It must be followed by three arguments: the first name, the user’s last name and the email address. Example command:

script/new_ident_cert.sh Walter KOVACS 

This will generate a key, a CSR, a certificate and a PKCS#12 bundle named mime-ident-Walter-KOVACS.p12.

4.4 - Encryption

Well, it’s not funny anymore, but … there is a script dedicated to encryption certificate creation, script/new_encryption_cert.sh. It must be followed by three arguments: the first name, the user’s last name and the email address. Example command:

script/new_encryption_cert.sh Walter KOVACS

This will generate a key, a CSR, a certificate and a PKCS#12 bundle named mime-encrypt-Walter-KOVACS.p12.

4.5 - Time Stamping

There is a script dedicated to its creation, script/new_time-stamping_cert.sh. It takes no parameters; edit it according to your needs.

script/new_time-stamping_cert.sh

5 - Revocation of certificates

5.1 - Revocation of certificates from component

The script is script/revoke_component_cert.sh. It contains the command to use but is not dynamic; you will have to modify it yourself according to your needs.

5.2 - Revocation of certificates from identity

The script is script/revoke_identity_cert.sh. It contains the command to use but is not dynamic; you will have to modify it yourself according to your needs.

6 - CRL and OCSP

The three generation scripts described in this chapter have no arguments and are just used to update what has already been generated during setup.

6.1 - Generate CRL

regenerate_CRL.sh

6.2 - OCSP

new_OCSP_cert.sh

7 - Publish Bundles

In the script script/publish_bundle.sh there are three commands that convert certificates, certification chains and CRLs to DER format.

8 - Authors

  • Youenn DUVAL
  • Antoine Mazéas

Inspired by the work of Stefan H. Holek

Source: https://pki-tutorial.readthedocs.io/en/latest/index.html