Certified

It's a scary Internet out there. All your company's internal apps and service-to-service communication should be encrypted. Certified will help you generate all the certificates you need to make that happen.

Installation

sudo apt-get install ruby-ronn
sudo make install

For some version of apt-get and some version of ruby-ronn. The point being you need to make sure you have ronn installed.

Or from packages.rcrowley.org on Debian or Ubuntu:

echo "deb http://packages.rcrowley.org $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/rcrowley.list
sudo wget -O /etc/apt/trusted.gpg.d/rcrowley.gpg http://packages.rcrowley.org/keyring.gpg
sudo apt-get update
sudo apt-get -y install certified

All you need is /bin/sh, GNU coreutils, and OpenSSL.

Usage

Generate your CA:

certified-ca C="US" ST="CA" L="San Francisco" O="Example" CN="Example CA"

You're going to want to trust the root CA certificate on all your laptops and servers. See Trust your CA in the wiki to learn how.

Generate a wildcard certificate:

certified CN="internal.example.com" +"*.internal.example.com"

Generate a certificate with several DNS names:

certified CN="ops.example.com" +"git.ops.example.com" +"jenkins.ops.example.com"

Generate a certificate for an IP address:

certified CN="localhost" +"127.0.0.1"

Install your certificates on all your servers.

The wiki further documents common usage patterns and how to use your CA with various browsers, operating systems, and programming languages.

TODO

• Example TLS clients that verify certificates with the CA (in various languages).
• Example TLS servers that use one of these certificates (in various languages).
• Help users with PFS.
• Help users with session resumption.
• Help users run OSCP responders.

TODONE

• Generate a CA.
• Generate certificates signed by the CA.
• Generate self-signed certificates.
• Revoke and regenerate certificates.
• Support DNS and IP subject alternative names.
• Prevent invalid DNS names, wildcards, and IPs.
• Commit changes to a Git repository.
• Generate basic CRLs.
• Installer.
• Uninstaller.
• man pages.
• Document how to install the CA on Linux.
• Document how to install the CA so browsers can use it.
• Document how to run a CA like Betable's.
• Decouple private keys and certificate signing requests from the signing itself.
• Document GPG-encrypted backups of your CA.
• YAML generator for use with Hiera/Puppet.
• Document how to run an autosigning sub-CA.
• Tag certificates with CRL distribution points and OCSP responder URLs.
• Command for listing every certificate to support automation.
• Document revoking and regenerating the entire CA.