Simple script to manage user certs to be used for client certification on the restricted websites.
It sets up self-signed CA and generates client certs per user.
- OpenSSL
- Web server (such as apache)
$ make
$ sudo make installVariables available on make:
CA_ROOT- where certs are stored at- default:
/etc/privcert
- default:
OPENSSL- openssl executable path- default: (auto detected)
MD5SUM- md5sum executable path- default: (auto detected)
BASE64- base64 executable path- default: (auto detected)
DN_BASE- prefix to X.509 DN- default:
/C=JP/ST=Tokyo/O=Your Company - requires C, ST and O
- must omit CN and emailAddress (to be set individually)
- default:
EXTRACT_PWD- password to extract user cert on install- default:
privcert
- default:
CERT_NAME- default name of user cert- default:
PrivCert - recommended to set the site name
- default:
UPDATE_HOOK- hook to reconfigure web server- default:
apachectl restart(with auto detected executable path)
- default:
KEYLEN- default key length in bits- default:
2048 - can be overridden by
-loption
- default:
EXPIRE- default certs expiration in days- default:
3650(≒10yr) - can be overridden by
-eoption
- default:
Variables available on make install:
PREFIX- install prefix, default is/usr/local.BINDIR- where executables are installed at, default is$(PREFIX)/sbin.
Also DESTDIR, useful when making packages, available.
First, init the environment and generate self-signed cert for local CA:
Note
On most systems, privcert executable installed in /usr/local/sbin is not
found under sudo due to overridden $PATH for security reasons.
So consider adding -i option to bring $PATH from root environment.
$ sudo -i privcert initThen, input password for server mode twice.
Note
If omit password or failed to set password, retry init to initialize
password.
Once initialized password, try sudo -i privcert passwd to update.
Set generated cert on the ssl configuration of your web server.
For Apache, append below to the VirtualHost directive in ssl.conf:
Note
ssl.conf would be found under /etc/httpd/conf.d on RHEL or compatible
system. It might have other location or filename, for example,
default-ssl.conf under /etc/apache2/sites-available on Ubuntu or Debian
variants.
SSLCACertificateFile /etc/privcert/ca/cert.pem
SSLVerifyClient optional
SSLVerifyDepth 10
SSLCARevocationCheck leaf
SSLCARevocationFile /etc/privcert/ca/crl.pem
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Y̲o̲u̲r̲ ̲C̲o̲m̲p̲a̲n̲y̲"Change condition value in SSLRequire to O value of DN specified to DN_BASE,
from the default of "Your Company".
Note
In addition, might already have specified SSLCertificateFile and
SSLCertificateKeyFile to enable SSL with an appropriate server cert.
Update apache configuration to make those valid:
$ sudo apachectl restartNow the site is not accessible until installing the client cert signed by this ca.
To use with web interface, register privcert as a service and modify some
configuration after setup the webapp.
See web/README.md for more details.
$ sudo -i privcert make u̲s̲e̲r̲ [c̲n̲] [e̲m̲a̲i̲l̲]To make the site accessible, import the cert file generated at
/etc/privcert/users/u̲s̲e̲r̲.pfx into the environment of the user.
Ordinary, just double-click or tap that file to import into the system cert
store, or, on some environments, might need to import from the cert management
menu of the browser.
The fixed password set on EXTRACT_PWD, default to be privcert, is necessary.
Web interface should be useful to distribute certs.
$ sudo -i privcert listIt shows only certs just under /etc/privcert/users, which should hold only
valid ones.
$ sudo -i privcert revoke u̲s̲e̲r̲Revoked cert is added to certificate revocation list (crl.pem), so the client
with the cert could no longer access.
And the cert is moved to /etc/privcert/trash.
- Server certificate (to use with VPN server)
- Update CA cert (necessary?)
Copyright (c)2024 Shun-ichi TAHARA <[email protected]>
Provided under MIT license, with the exception of third-party/getoptions directory, which is appropriated from ko1nksm/getoptions of CC0 license.