otca is a script supporting you in quickly setting up a simple public-key infrastructure.
kbabioch/otca
otca

otca is a script supporting you in quickly setting up a simple public-key infrastructure with only two entities. This, for instance, can be used for point-to-point OpenVPN installations. Typically there is only a single server and a single client in such setups. While a static key setup might be easier to configure, a certificate-based approach provides additional security because of the SSL/TLS handshake involved (ephemeral keys, forward secrecy, etc.).

Generating the appropriate certificates consists of multiple steps and quickly becomes cumbersome. Easy RSA, which is shipped along with OpenVPN, is a set of scripts powerful enough to deal with many PKI aspects (e.g. issuing new certificates, revoking certificates, creating CRLs, etc.). However, this is massive overkill in most setups.

This is where otca comes in handy. It will:

  • Generate a self-signed CA

  • Generate and sign certificates for the server and client

  • Remove the CA's private key

The name otca actually stands for One-Time CA, and is a reference to the way the CA is used, i.e. only once. The appropriate key is permanently removed and no further actions can be taken by this CA.

In case of a breach, or whenever certificates expire, one simply starts from scratch and replaces the old certificates. Given that only two entities are involved, this is not too much of a hassle.

PREREQUISITES

otca is a somewhat sophisticated Bash script built around openssl. It has been developed and tested with OpenSSL 1.0.2 in mind, but other versions should work fine, too.

USAGE

Execute the otca script. Its options are described in detail when invoked with the -h option. Basically you only need to provide a name for the client, as the default values should be sane enough in most cases.

Most aspects of the generated certificates are controlled with OpenSSL configuration files (config(5)). A default configuration file is shipped with this script and should be placed under /etc/otca/otca.cnf.

THEORY OF OPERATION

After some basic option and argument parsing, otca sets up a suitable temporary environment for the ca(1) command. It then generates and self-signs a certificate for the CA, handing over the appropriate options. Afterwards, certificate signing requests for the server and the client are generated using OpenSSL's req(1) command. These CSRs are then signed by the previously created CA using the ca(1) command again. After some conversions (see pkcs12(1)), the certificates and keys are moved into the specified output directory. Finally, the temporary scratch space is removed, including the CA's private key.

CONTRIBUTIONS

The source code is maintained using git and lives over at github.com. Contributions of any kind are highly welcome. The fastest way is to open pull requests, report bugs, or submit feature requests.

In case you are looking for something to work on, you probably want to take a look at the issue tracker or the TODO file in the root directory.

DONATIONS

Flattr this git repo

PayPal donation

Bitcoin: 1D15BsSb3CNiH7bFgQtAY6KbBVSGKEs9Wb

LICENSE

GNU GPLv3

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
