Certificate tool for Sysadmins
Easy-to-use tool for certificate management. To make data flow simple, it does not support metadata rewrite during signing, all data should be correct in certificate request.
- No interactive data entry.
- Simple command-line UI.
- Good defaults, sets up common extensions automatically.
- PGP- and password-protected private keys.
- OCSP and CRL info settings.
- Supports both EC and RSA keys.
Generate new key:
sysca new-key [--password-file TXT_FILE] [--out DST] sysca new-key ec[:<curve>] [--password-file TXT_FILE] [--out DST] sysca new-key rsa[:<bits>] [--password-file TXT_FILE] [--out DST]
Create certificate signing request:
sysca request --key KEY_FILE [--password-file TXT_FILE] [--subject DN] [--san ALTNAMES] [--CA] [--path-length DEPTH] [--usage FLAGS] [--ocsp-url URLS] [--crl-url URLS] [--issuer-cert-url URLS] [--out CSR_FN]
Sign certificate signing request:
sysca sign --ca-key KEY_FILE --ca-info CRT_FILE --request CSR_FILE --days NUM [--out CRT_FN] [--password-file TXT_FILE]
Display contents of CSR or CRT file:
sysca show FILE
Generate new key.
Takes key type as optional argument. Value can be either ec:<curve> or rsa:<bits>. Shortcuts: ec is ec:secp256r1, rsa is rsa:2048. Default: ec.
Available curves for EC: secp256r1, secp384r1, secp521r1, secp224r1, secp192r1.
|Password will be loaded from file. Can be PGP-encrypted. Resulting private key will be encrypted with this password.|
|--out DST_FN||Target file to write key to. It’s preferable to write to stdout and encrypt with GPG.|
Create certificate request.
|--out CSR_FILE||Target file to write CSR to.|
|--key KEY_FILE||Private key file to create request for. Can be PGP-encrypted. Can be password-protected.|
|Password file for private key. Can be PGP-encrypted.|
Subject’s DistinguishedName which is X509 Name structure, which is collection of key-value pairs.
Each pair is separated with “/”, key and value are separated with “=”. Surrounding whitespace around both “/” and “=” will be stripped. “" can be used for escaping.
Most important field: CN=commonName.
Common fields: O=organizationName, OU=organizationalUnit, C=countryName, L=locality, ST=stateOrProvinceName.
Less common fields: SN=surname, GN=givenName, T=title, P=pseudonym, SA=streetAddress.
Example: --subject "/CN=www.example.com/ O=My Company / OU = DevOps"
Certificate field: Subject.
The certificate will have CA rights - that means it can sign other certificates.
Applies only for CA certs - limits how many levels on sub-CAs can exist under generated certificate. Default: 0.
Specify alternative names for subject as list of comma-separated strings, that have prefix that describes data type.
Example: --san "dns: *.example.com, dns: www.foo.org, ip: 127.0.0.1 "
Options useful only when apps support them:
List of URLS where certificate revocation lists can be downloaded.
List of URL for OCSP endpoint where validity can be checked.
List of URLS where parent certificate can be downloaded, in case the parent CA is not root CA. Usually sub-CA certificates should be provided during key-agreement (TLS). This setting is for situations where this cannot happen or for fallback for badly-configured TLS servers.
Comma-separated keywords that set KeyUsage and ExtendedKeyUsage flags.
ExtendedKeyUsage flags, none set by default.
KeyUsage flags, set by default. Not much use for non-default settings.
|Disallow CA to sign subjects that match patterns. See --permit-subtrees for details.|
Allow CA to sign subjects that match patterns.
Specify patters for subject as list of comma-separated strings, that have prefix that describes data type.
Create signed certificate based on data in request. Any unsupported extensions in request will cause error.
It will add SubjectKeyIdentifier and AuthorityKeyIdentifier extensions to final certificate that help to uniquely identify both subject and issuers public keys. Also IssuerAlternativeName is added as copy of CA cert’s SubjectAlternativeName extension if present.
|--out CRT_FILE||Target file to write certificate to.|
|--days NUM||Lifetime for certificate in days.|
|Certificate request file generated by request command.|
|CA private key file. Can be PGP-encrypted. Can be password-protected.|
|CRT file generated by request command. Issuer CA info will be loaded from it.|
|Password file for CA private key. Can be PGP-encrypted.|
Display contents of CSR or CRT file.
Private Key Protection
Private keys can be stored unencryped, encrypted with PGP, encrypted with password or both. Unencrypted keys are good only for testing. Good practice is to encrypt both CA and end-entity keys with PGP and use passwords only for keys that can be deployed to servers with password-protection.
For each key, different set of PGP keys can be used that can decrypt it:
$ ./sysca.py new-key | gpg -aes -r "email@example.com" -r "firstname.lastname@example.org" > CA.key.gpg $ ./sysca.py new-key | gpg -aes -r "email@example.com" -r "firstname.lastname@example.org" > server.key.gpg
Self-signed CA example:
$ ./sysca.py new-key | gpg -aes -r "email@example.com" > TestCA.key.gpg $ ./sysca.py request --key TestCA.key.gpg --subject "/CN=TestCA/O=Gov" --CA > TestCA.csr $ ./sysca.py sign --request TestCA.csr --ca-key TestCA.key.gpg --ca-info TestCA.csr > TestCA.crt
Sign server key:
$ ./sysca.py new-key | gpg -aes -r "firstname.lastname@example.org" > Server.key.gpg $ ./sysca.py request --key Server.key.gpg --subject "/CN=web.server.com/O=Gov" > Server.csr $ ./sysca.py sign --days 365 --request Server.csr --ca-key TestCA.key.gpg --ca-info TestCA.crt > Server.crt
Although SysCA allows to set various extension parameters, that does not mean any software that uses the certificates actually the looks or acts on the extensions. So it’s reasonable to set up only extensions that are actually used.
- Shortcut for selfsigned cert? (For top-CA)
- Allow field overrides during sign?