2cca
v1.0.0
Published
2-cent Certification Authority
Downloads
7
Readme
2cca
2-cent Certification Authority
This program is meant to replace the easy-rsa scripts found in default installations for OpenVPN.
Two independent versions are provided here:
- Python version (2cca.py) based on pyopenssl
- A single-file C version based on OpenSSL
The Python version is placed in the Public Domain. It was used as a proof-of-concept to demonstrate everything could be done directly with OpenSSL without involving the command-line tools. It is completely usable to generate root, server, and client certificates.
The C version is MIT-licensed. See LICENSE.
Compilation
Use 'make'. You can also compile with:
cc -o 2cca 2cca.c -lcrypto
Tested on:
- ArchLinux on Raspberry Pi -- openssl 1.0.2.e-1
- Debian on x64 -- openssl 1.0.2.e-1
On OSX you cannot use the system openssl libraries but you can substitue them by libressl, available from brew. I got it to compile with:
export LIBRE=/usr/local/opt/libressl
cc -I$(LIBRE)/include -L$(LIBRE)/lib -o 2cca 2cca.c -lcrypto
Brew says I am using version 2.3.1 of libressl.
What it does
2cca can generate certificates and keys for various roles. Supported roles are:
- Root CA: a self-signed Certification Authority
- Sub CA: a Certification Authority, signed by another CA
- OpenVPN server
- OpenVPN client
- Web server
Specify which kind of certificate you want to create and indicate which fields and properties are needed. A certificate file and key will be created in the local directory in PEM format.
Usage
Creating certificates follows the same syntax for all types of certificates:
2cca TYPE [properties]
TYPE Description
---- -----------
root Create a (self-signed) root CA certificate
sub Create a Subordinate CA certificate
server Create an OpenVPN server certificate
client Create an OpenVPN client certificate
www Create a Web server certificate
Certificate fields and properties are specified on the command line by specifying a list of key=value blocks. If the value contains blanks, surround the whole block with double or simple quotes. Supported keys and their meaning are:
Key Meaning Example Default
--- ------- ------- -------
O Organisation "O=ACME Inc" O=Home or root
C Country 2-letter code C=UK none
CN Common Name CN=MyServer same as TYPE
L Locality or City L=Munich none
ST State ST=Bavaria none
email Email [email protected] none
ca Signing CA ca=Sub ca=root
days Duration days=15 days=365
dns Host name dns=www.example.com none
The O field (Organization) defaults to O=Home for root and is always
inherited from the issuer.
The OU field (Organizational Unit) is automatically set by certificate
type:
Type OU
---- --
root OU=Root
sub OU=Sub
server OU=Server
client OU=Client
www OU=Server
File names
Certificate and key are saved in the current directory as CN.crt and CN.key, where CN is the requested Common Name. For client identities, a password-less P12 is also generated.
The default signing CA is named CN=root. If you change the root name (CN=xx) or want to use a specific CA for signature, use ca=NAME, where NAME is the CN for the CA you want to use. Example:
# Generate a root called MyROOT:
2cca root CN=MyROOT C=UK
-> Generates MyROOT.crt and MyROOT.key
# Generate a Sub CA called MySUB and sign it with MyROOT:
2cca sub ca=MyROOT CN=MySUB C=UK
-> Generates MySUB.crt and MySUB.key, signed by MyROOT
# Generate a client certificate for 'joe' and sign it with MySUB:
2cca client ca=MySUB CN=joe C=UK
-> Generates joe.crt, joe.key, joe.p12, signed by MySUB
# If you want to verify the chain with openssl:
cat MyROOT.crt MySUB.crt > bundle
openssl verify -CAfile bundle joe.crt
-> joe.crt: OK
Certificate Duration
Change certificate duration using days=xx where xx is in days from today. Default certificate duration is 3650 days. Example:
# Generate a client certificate for 15 days:
2cca client days=15 ca=MyROOT
Crypto Parameters
You can generate RSA keys by specifying a key size with rsa=xx Example:
Generate a root certificate with a 4096 RSA key:
2cca root rsa=4096
You can also generate elliptic-curve keys for clients and servers. Use ec=curve, where curve is one of the named curves supported by openssl. You can get a list of elliptic curves supported on your system by running:
openssl ecparam -list_curves
Examples:
# Generate a client cert with an ECC key with curve prime256v1
2cca client ec=prime256v1
The default hash function is sha256. There is currently no way to change this from the command-line.
Certificate Revocation Lists
Primitive CRL management is also offered. The two associated commands are:
2cca revoke NAME ca=xx
2cca crl ca=xx
You revoke a certificate by name, i.e. by CN, which also happens to be the base file name. To revoke joe's certificate issued by MySUB:
# Revoke joe issued by MySUB
2cca revoke joe ca=MySUB
You can review the CRL for a CA like this:
# See CRL for ca=MySUB
2cca crl ca=MySUB
-- Revoked certificates found in CRL
serial: 2CCA95D9A9F95BEE6C44564E0A514B45
date: Jan 19 22:04:51 2016 GMT
# Display the CRL using openssl
openssl crl -in MySUB.crl -text
Diffie-Hellmann Parameters
You can also generate Diffie-Hellmann parameters. Useful for OpenVPN setups.
# Generate DH-2048 parameters
2cca dh
Generating DH parameters (2048 bits) -- this can take long
done
It takes ages to generate these, and the command does not display any progress. You probably want to do it with OpenSSL. I just coded it for convenience when the openssl command is not present.
Complete Example
Starting from scratch, you want to first create a root (self-signed) CA. It will be named 'MyRoot', for a duration of 1000 days, have a 1024-bit RSA key, and be based in the UK.
2cca root CN=MyRoot days=1000 rsa=1024 C=UK
Check that you now have MyRoot.crt and MyRoot.key in the current directory.
You want two Sub-CAs then: one to handle OpenVPN servers and clients, and another one to handle WWW server certificates. Both are children of the root you just created.
# Generate the OpenVPN CA named 'VPNCA' for 900 days, 1024-bit RSA:
2cca sub CN=VPNCA days=900 rsa=1024 ca=MyRoot C=UK
# Generate the www server CA named 'WWWCA' for 500 days, 1024-bit RSA:
2cca sub CN=WWWCA days=500 rsa=1024 ca=MyRoot C=UK
You now have VPNCA.[crt|key] and WWWCA.[crt|key] in the current directory.
Let us now issue client and server certificates for OpenVPN with the appropriate CA. We will use 512-bit RSA keys and set a validity period of one year for the server, and two weeks for the client.
# Generate a cert for server named 'vpn-server' for 365 days, 512-bit RSA:
2cca server ca=VPNCA days=365 CN=vpn-server rsa=512 C=UK
# Generate a cert for a client named 'joe' for 15 days, 512-bit RSA:
2cca client ca=VPNCA days=15 CN=joe rsa=512 C=UK
You can now install vpn-server.[crt|key] in the appropriate places and send the client credentials to Joe: either send joe.[crt|key] or joe.p12
Let us issue a web server certificate for a server named 'www.example.com' for a duration of one year, with a 2048-bit RSA key:
# Generate a web server certificate
2cca www ca=WWWCA days=365 rsa=2048 CN=www.example.com dns=www.example.com
Check that you have files called www.example.com.[crt|key] in the current directory.
You can also issue certificates that arte valid for multiple domains or joker certificates by issuing several dns= properties on the command-line. Example:
# Generate a certificate for *.dom1.abc and *.dom2.abc
2cca www ca=WWWCA "dns=*.dom1.abc" "dns=*.dom2.abc"
Warnings
There is no database of issued certificates to maintain because they use 128-bit serial numbers, thus are already unique without having to remember an increasing index.
There is absolutely no key protection whatsoever. You are in charge of protecting the .key files as you need. For personal VPNs this is not really an issue, but for something in need of security you probably want to import keys into smart cards. This is meant to replace easy-rsa, not a full-fledged PKI.
-- nicolas314 - 2016-January