It seems a little odd to be looking at running an internal certificate authority (CA) these days, when free certificates are easily available from Let's Encrypt. However, I have a fully working Let's Encrypt setup using the HTTP challenge verification method that I don't really want to fiddle with, so for some small internal machines (Pis etc.) I wanted to look again at being my own CA.
Last time I looked at this (11 years ago) I used openssl's CA.sh/CA.pl scripts. Basically these manipulate the openssl configuration files so that the standard openssl commands create what you need.
You can also do this by hand and just run the openssl commands directly. But I wanted something that added a little more control.
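Since the post mentions the by-hand route, here it is as an added example with plain openssl commands (this is not from the post and not caman's code); the CA name, the hostname and the scratch directory are placeholders. It writes minimal openssl config files so it does not depend on the system openssl.cnf, creates a self-signed root, issues one host certificate with a subjectAltName, and then checks that the result actually chains to the root, which is the check worth running before installing anything on the clients.

```shell
#!/bin/sh
# Added example, not from the post or from caman. Everything lives under the
# directory passed as $1; the hostname passed as $2 is a placeholder.
set -eu

make_internal_ca() {
    dir="$1"; host="$2"
    mkdir -p "$dir"

    # 1. Root CA: self-signed, with basicConstraints CA:TRUE marked critical
    #    and a keyUsage limited to signing certificates and CRLs. The config
    #    file is written inline so the example is independent of openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Home CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:3072 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # The root key is the whole security of the setup: keep it unreadable.
    chmod 600 "$dir/ca.key"

    # 2. Host key and CSR. Only the CN goes in the CSR; the SAN is added at
    #    signing time below, so the CA (not the requester) decides the names.
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
    openssl req -new -config "$dir/$host.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1

    # 3. Sign as an end-entity server certificate with a subjectAltName
    #    (clients ignore the CN) and a short lifetime; renewal is cheap.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 397 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" >/dev/null 2>&1
}

# Prints "ok" if the host certificate verifies against the root and carries
# the expected DNS SAN, "fail" otherwise.
check_host_cert() {
    dir="$1"; host="$2"
    if openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 \
       && openssl x509 -in "$dir/$host.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"; then
        echo ok
    else
        echo fail
    fi
}
```

Usage: `make_internal_ca ./scratch pi1.home.example && check_host_cert ./scratch pi1.home.example`. Installing `ca.crt` in the trust store of each client is what makes the host certificates usable; `ca.key` should never leave the machine that signs.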
One script that does this for you is caman, which seems to have a fairly simple interface.
The readme is pretty self-explanatory: simply clone the repository and use it. I decided on one change. The script uses two directories, ca and store. These are in the .gitignore file (with a pair of files in ca excluded). I decided to remove the gitignore settings and keep the generated files in the repo, but to keep them secure with git-crypt. I also decided that, as this was just for me and for a few machines, the extra complexity of an intermediate CA was not necessary: if I have to re-create the CA then there are perhaps 10 machines it needs installing on.
Apart from that, the readme's instructions worked fine. The script I more or less ended up with looks like this (so far I have added three hosts):
git clone -o upstream [email protected]:radiac/caman.git
cd caman
git remote add origin <location>
rm .gitignore
# Set up git-crypt before anything under ca/ or store/ is added, so the CA key
# never lands in the repo in the clear. Export the git-crypt key to somewhere
# outside the repo afterwards, or a fresh clone cannot decrypt.
git-crypt init
cat > .gitattributes <<'EOF'
ca/** filter=git-crypt diff=git-crypt
store/** filter=git-crypt diff=git-crypt
EOF
cp ca/caconfig.cnf.default ca/caconfig.cnf && vi ca/caconfig.cnf
# Change the CA settings as described in the readme
cp ca/host.cnf.default ca/host.cnf && vi ca/host.cnf
# Change the per-host settings as described in the readme
./caman init
for HOST in host1 host2 host3; do
  ./caman new "$HOST.home.chrissearle.org"
  ./caman sign "$HOST.home.chrissearle.org"
done
git add .
git commit -m "Done :)"
The final steps here: