Nicolas314

All my geeky stuff ends up here. Mostly Unix-related

easy-rsa alternative


Glad to announce that 2cca, the two-cent Certification Authority, has now been ported to pure C with libcrypto (openssl) as its single dependency. The goal was to make it available on openwrt, as it seems pyopenssl is not available on this platform without a lot of effort.

As always, I swear this is the last time I ever link one of my sources against OpenSSL… until a replacement is made available.

Back to the point: you can now generate a Root CA, server, and client certificates to use with OpenVPN, with a couple of commands.

Download it from here:

https://github.com/nicolas314/2cca

Compile it with:

cc -o 2cca 2cca.c -lcrypto

Generate a root with e.g.:

2cca root O=Home CN=MyRootCA C=FR L=Paris email=postmaster@example.com

Your root is entirely defined by ca.crt and ca.key in the current directory. Its default duration is 10 years. Now that you have a root, you are going to use it to sign server and client certificates with e.g.:

2cca server CN=vpn.example.com C=FR L=Roubaix email=vpnmaster@example.com
2cca client CN=jdoe C=UK L=London email=jdoe@example.com duration=365

Your server identity is defined by vpn.example.com.crt and vpn.example.com.key. Your first client is jdoe.crt/jdoe.key.

You can verify certificates using openssl verify, e.g.:

openssl verify -CAfile ca.crt jdoe.crt
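openssl verify only proves that a certificate chains to ca.crt. The script below is an added example (not part of 2cca or of the original post) that also checks that the .key file matches its .crt, that the certificate is not about to expire, and that the private key is not readable by other users. It assumes the file layout described above; the function names and return codes are this example's own, and make_demo_pki builds a constructed stand-in PKI with the openssl CLI so the script runs without 2cca.

```shell
#!/bin/sh
# Added example, not part of 2cca. File names follow the post:
# ca.crt plus <name>.crt / <name>.key in one directory.

# check_cert DIR NAME
# Returns 0 if NAME.crt is deployable, else: 1 = does not chain to ca.crt,
# 2 = NAME.key is not the key certified by NAME.crt,
# 3 = expires within 24 hours, 4 = key readable by group or others.
check_cert() {
    dir=$1; name=$2
    crt="$dir/$name.crt"; key="$dir/$name.key"
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 ||
        { echo "$name: does not chain to ca.crt"; return 1; }
    # The public key inside the certificate must equal the one derived from the key file.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "$name: key does not match certificate"; return 2; }
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "$name: expires within 24 hours"; return 3; }
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "$name: private key is readable by group or others"; return 4; }
    echo "$name: ok"
}

# Constructed fixture standing in for 2cca output (assumption: openssl CLI installed).
make_demo_pki() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=DemoRootCA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=jdoe" \
        -keyout "$out/jdoe.key" -out "$out/jdoe.csr" 2>/dev/null
    openssl x509 -req -in "$out/jdoe.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -set_serial 1 -days 30 -out "$out/jdoe.crt" 2>/dev/null
    chmod 600 "$out/ca.key" "$out/jdoe.key"
}

# Demo run on the constructed fixture.
demo=$(mktemp -d) && make_demo_pki "$demo" && check_cert "$demo" jdoe
rm -rf "$demo"
```

Against real 2cca output, run check_cert with the directory holding ca.crt and the certificate name, e.g. `check_cert . jdoe`.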

Certificate serial numbers are 128 bits long, which guarantees that they can be unique without having to memorize an incremental index. Your certificate database is the current directory.

Enjoy!

 

 


Written by nicolas314

Wednesday 30 December 2015 at 10:52 pm

Posted in openvpn, openwrt, pki, programming
