damnx509
A simple CLI for managing a small X.509 Certificate Authority!
- Screw the `openssl` binary, shell scripts, searching your command history for `openssl` invocations, this is just much cleaner.
- damnx509 offers a nice interactive `issue` subcommand that lets you set:
  - the extended usage thing (e.g. some WPA2 EAP-TLS clients absolutely require it to be set to `clientAuth`, now you don't have to worry about that)
  - Subject Alternative Names (the `openssl` binary only sets that from the openssl config file, what the hell)
  - the signature algorithm (RSA 2048/4096 and EC)
  - the digest algorithm (SHA256/384/512, note that WPA3-Enterprise 192-bit mode requires 384)
  - the URI of the CRL
- It also automatically offers default values from the CA (e.g. you want to default to the same country, city and CRL URI, right?)
- And automatically builds a PKCS12 (`.p12`) key+cert bundle (useful for browser client certs and WPA2 EAP-TLS).
- There's also a `revoke` subcommand to update the CRL (don't forget to upload it to the URI mentioned in the certificates).
- DON'T FORGET TO REMOVE UNENCRYPTED KEYS IF YOU WRITE THEM

You can use damnx509 to manage a personal CA to sign things like:
- Your various HTTPS, MQTT, etc. servers at home
- Your home WPA2 EAP-TLS network
- Your personal OpenVPN network
- Client certificates for accessing admin/monitoring/etc. interfaces on your servers
- ~~An IndieCert client certificate for signing in with your domain~~
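
What the `issue` options listed above correspond to at the X.509 level, as an added example that is not damnx509's own code: it calls Ruby's standard `openssl` library directly to build a small CA and a client certificate with `clientAuth`, a SAN, a CRL URI, a SHA384 signature and a PKCS12 bundle. The subject names, SAN, CRL URL, serial numbers and passphrase are constructed placeholders.

```ruby
require "openssl"

CRL_URI = "http://ca.home.example/ca.crl" # constructed placeholder URL
DIGEST = "SHA384"                         # the digest the page notes for WPA3-Enterprise 192-bit mode

# Unsigned X.509v3 skeleton; assigning the key embeds only its public half.
def skeleton(subject, issuer, key, serial, days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # encoded value 2 means v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  cert
end

# Add [name, value, critical] extensions, then sign with the issuer's key.
def finish(cert, issuer_cert, issuer_key, exts)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert
  exts.each { |n, v, crit| cert.add_extension(ef.create_extension(n, v, crit)) }
  cert.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
end

def make_ca
  key = OpenSSL::PKey::EC.generate("secp384r1")
  cert = skeleton("/C=XX/O=Home/CN=Home CA", nil, key, 1, 3650)
  finish(cert, cert, key, [["basicConstraints", "CA:TRUE", true],
                           ["keyUsage", "keyCertSign,cRLSign", true]])
  [key, cert]
end

# Client certificate plus passphrase-protected PKCS#12 bundle (DER bytes).
def issue_client(ca_key, ca_cert, cn, san, serial, passphrase)
  key = OpenSSL::PKey::EC.generate("secp384r1")
  cert = skeleton("/C=XX/O=Home/CN=#{cn}", ca_cert, key, serial, 365)
  finish(cert, ca_cert, ca_key, [["basicConstraints", "CA:FALSE", true],
                                 ["extendedKeyUsage", "clientAuth", false],
                                 ["subjectAltName", san, false],
                                 ["crlDistributionPoints", "URI:#{CRL_URI}", false]])
  [cert, OpenSSL::PKCS12.create(passphrase, cn, key, cert, [ca_cert]).to_der]
end

CA_KEY, CA_CERT = make_ca
CLIENT_CERT, CLIENT_P12 = issue_client(CA_KEY, CA_CERT, "laptop", "DNS:laptop.home.example", 2, "constructed-passphrase")
puts CLIENT_CERT.to_text
```

In this sketch the client's private key only leaves the process inside the passphrase-protected PKCS12 bundle, so no unencrypted key file is left behind to clean up.
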
Installation
$ gem install damnx509
Run the command to see how to use it.
License
This is free and unencumbered software released into the public domain.
For more information, please refer to the `UNLICENSE` file or unlicense.org.