2cca Chinese documentation tutorial
2cca
2-cent Certification Authority
This program is meant to replace the easy-rsa scripts found in default installations for OpenVPN.
Two independent versions are provided here:
- Python version (2cca.py) based on pyopenssl
- A single-file C version based on OpenSSL
The Python version is placed in the Public Domain. It was used as a proof-of-concept to demonstrate everything could be done directly with OpenSSL without involving the command-line tools. It is completely usable to generate root, server, and client certificates.
The C version is MIT-licensed. See LICENSE.
Compilation
Use 'make'. You can also compile with:
cc -o 2cca 2cca.c -lcrypto
Tested on:
- ArchLinux on Raspberry Pi -- openssl 1.0.2.e-1
- Debian on x64 -- openssl 1.0.2.e-1
On OSX you cannot use the system openssl libraries but you can substitute them by libressl, available from brew. I got it to compile with:
export LIBRE=/usr/local/opt/libressl
cc -I${LIBRE}/include -L${LIBRE}/lib -o 2cca 2cca.c -lcrypto
Brew says I am using version 2.3.1 of libressl.
What it does
2cca can generate certificates and keys for various roles. Supported roles are:
- Root CA: a self-signed Certification Authority
- Sub CA: a Certification Authority, signed by another CA
- OpenVPN server
- OpenVPN client
- Web server
Specify which kind of certificate you want to create and indicate which fields and properties are needed. A certificate file and key will be created in the local directory in PEM format.
Usage
Creating certificates follows the same syntax for all types of certificates:
2cca TYPE [properties]
TYPE     Description
----     -----------
root     Create a (self-signed) root CA certificate
sub      Create a Subordinate CA certificate
server   Create an OpenVPN server certificate
client   Create an OpenVPN client certificate
www      Create a Web server certificate
Certificate fields and properties are specified on the command line as a list of key=value blocks. If the value contains blanks, surround the whole block with double or single quotes. Supported keys and their meaning are:
Key     Meaning                 Example                  Default
---     -------                 -------                  -------
O       Organisation            "O=ACME Inc"             O=Home or root
C       Country 2-letter code   C=UK                     none
CN      Common Name             CN=MyServer              same as TYPE
L       Locality or City        L=Munich                 none
ST      State                   ST=Bavaria               none
email   Email                   email=root@example.com   none
ca      Signing CA              ca=Sub                   ca=root
days    Duration                days=15                  days=365
dns     Host name               dns=www.example.com      none
The O field (Organization) defaults to O=Home for root and is always
inherited from the issuer.
The OU field (Organizational Unit) is automatically set by certificate
type:
Type     OU
----     --
root     OU=Root
sub      OU=Sub
server   OU=Server
client   OU=Client
www      OU=Server
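To make the rules in the two tables above concrete, here is an added Python model (not code from 2cca itself) of how a TYPE plus its key=value blocks resolve into a subject and output file names: CN defaults to TYPE, OU is fixed by type, O defaults to Home for root and is inherited from the issuer otherwise, ca defaults to root, days to 365, and repeated dns= blocks accumulate. The function and constant names are assumptions made for this example.

```python
# Added example, not part of 2cca: model of 2cca's property resolution.
from typing import Dict, List, Optional

# OU is set automatically by certificate type (table above).
OU_BY_TYPE = {"root": "Root", "sub": "Sub", "server": "Server",
              "client": "Client", "www": "Server"}
# Keys that end up in the certificate subject; ca/days/dns/rsa/ec do not.
SUBJECT_KEYS = {"O", "C", "CN", "L", "ST", "email"}


def parse_props(args: List[str]) -> Dict[str, List[str]]:
    """Split 'key=value' argv blocks. A value may contain blanks because
    shell quoting delivers the whole block as one argv entry."""
    props: Dict[str, List[str]] = {}
    for block in args:
        if "=" not in block:
            raise ValueError(f"not a key=value block: {block!r}")
        key, value = block.split("=", 1)
        props.setdefault(key, []).append(value)   # keep repeats (dns=)
    return props


def resolve(cert_type: str, args: List[str],
            issuer_subject: Optional[Dict[str, str]] = None) -> dict:
    """Hypothetical helper: apply 2cca's documented defaults."""
    if cert_type not in OU_BY_TYPE:
        raise ValueError(f"unknown TYPE {cert_type!r}")
    props = parse_props(args)
    subject = {k: v[-1] for k, v in props.items() if k in SUBJECT_KEYS}
    subject.setdefault("CN", cert_type)        # CN defaults to TYPE
    subject["OU"] = OU_BY_TYPE[cert_type]      # OU fixed by type
    if cert_type == "root":
        subject.setdefault("O", "Home")        # O defaults to Home for root
    else:
        if issuer_subject is None:
            raise ValueError("non-root certificates need an issuer")
        subject["O"] = issuer_subject["O"]     # O always inherited
    if "C" in subject and len(subject["C"]) != 2:
        raise ValueError("C must be a 2-letter country code")
    cn = subject["CN"]
    return {
        "subject": subject,
        "ca": None if cert_type == "root" else props.get("ca", ["root"])[-1],
        "days": int(props.get("days", ["365"])[-1]),
        "dns": props.get("dns", []),           # several dns= values allowed
        "files": (cn + ".crt", cn + ".key"),   # saved as CN.crt / CN.key
    }
```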
File names
Certificate and key are saved in the current directory as CN.crt and CN.key, where CN is the requested Common Name. For client identities, a password-less P12 is also generated.
The default signing CA is named CN=root. If you change the root name (CN=xx) or want to use a specific CA for signature, use ca=NAME, where NAME is the CN for the CA you want to use. Example:
# Generate a root called MyROOT:
2cca root CN=MyROOT C=UK
-> Generates MyROOT.crt and MyROOT.key
# Generate a Sub CA called MySUB and sign it with MyROOT:
2cca sub ca=MyROOT CN=MySUB C=UK
-> Generates MySUB.crt and MySUB.key, signed by MyROOT
# Generate a client certificate for 'joe' and sign it with MySUB:
2cca client ca=MySUB CN=joe C=UK
-> Generates joe.crt, joe.key, joe.p12, signed by MySUB
# If you want to verify the chain with openssl:
cat MyROOT.crt MySUB.crt > bundle
openssl verify -CAfile bundle joe.crt
-> joe.crt: OK
Certificate Duration
Change certificate duration using days=xx where xx is in days from today. Default certificate duration is 3650 days. Example:
# Generate a client certificate for 15 days:
2cca client days=15 ca=MyROOT
Crypto Parameters
You can generate RSA keys by specifying a key size with rsa=xx. Example:
# Generate a root certificate with a 4096-bit RSA key:
2cca root rsa=4096
You can also generate elliptic-curve keys for clients and servers. Use ec=curve, where curve is one of the named curves supported by openssl. You can get a list of elliptic curves supported on your system by running:
openssl ecparam -list_curves
Examples:
# Generate a client cert with an ECC key with curve prime256v1
2cca client ec=prime256v1
The default hash function is sha256. There is currently no way to change this from the command-line.
Certificate Revocation Lists
Primitive CRL management is also offered. The two associated commands are:
2cca revoke NAME ca=xx
2cca crl ca=xx
You revoke a certificate by name, i.e. by CN, which also happens to be the base file name. To revoke joe's certificate issued by MySUB:
# Revoke joe issued by MySUB
2cca revoke joe ca=MySUB
You can review the CRL for a CA like this:
# See CRL for ca=MySUB
2cca crl ca=MySUB
-- Revoked certificates found in CRL
serial: 2CCA95D9A9F95BEE6C44564E0A514B45
date: Jan 19 22:04:51 2016 GMT
# Display the CRL using openssl
openssl crl -in MySUB.crl -text
Diffie-Hellman Parameters
You can also generate Diffie-Hellman parameters. Useful for OpenVPN setups.
# Generate DH-2048 parameters
2cca dh
Generating DH parameters (2048 bits) -- this can take long
done
It takes ages to generate these, and the command does not display any progress. You probably want to do it with OpenSSL. I just coded it for convenience when the openssl command is not present.
Complete Example
Starting from scratch, you want to first create a root (self-signed) CA. It will be named 'MyRoot', for a duration of 1000 days, have a 1024-bit RSA key, and be based in the UK.
2cca root CN=MyRoot days=1000 rsa=1024 C=UK
Check that you now have MyRoot.crt and MyRoot.key in the current directory.
You want two Sub-CAs then: one to handle OpenVPN servers and clients, and another one to handle WWW server certificates. Both are children of the root you just created.
# Generate the OpenVPN CA named 'VPNCA' for 900 days, 1024-bit RSA:
2cca sub CN=VPNCA days=900 rsa=1024 ca=MyRoot C=UK
# Generate the www server CA named 'WWWCA' for 500 days, 1024-bit RSA:
2cca sub CN=WWWCA days=500 rsa=1024 ca=MyRoot C=UK
You now have VPNCA.[crt|key] and WWWCA.[crt|key] in the current directory.
Let us now issue client and server certificates for OpenVPN with the appropriate CA. We will use 512-bit RSA keys and set a validity period of one year for the server, and two weeks for the client.
# Generate a cert for server named 'vpn-server' for 365 days, 512-bit RSA:
2cca server ca=VPNCA days=365 CN=vpn-server rsa=512 C=UK
# Generate a cert for a client named 'joe' for 15 days, 512-bit RSA:
2cca client ca=VPNCA days=15 CN=joe rsa=512 C=UK
You can now install vpn-server.[crt|key] in the appropriate places and send the client credentials to Joe: either send joe.[crt|key] or joe.p12
Let us issue a web server certificate for a server named 'www.example.com' for a duration of one year, with a 2048-bit RSA key:
# Generate a web server certificate
2cca www ca=WWWCA days=365 rsa=2048 CN=www.example.com dns=www.example.com
Check that you have files called www.example.com.[crt|key] in the current directory.
You can also issue certificates that are valid for multiple domains, or joker (wildcard) certificates, by giving several dns= properties on the command-line. Example:
# Generate a certificate for *.dom1.abc and *.dom2.abc
2cca www ca=WWWCA "dns=*.dom1.abc" "dns=*.dom2.abc"
Warnings
There is no database of issued certificates to maintain because they use 128-bit serial numbers, thus are already unique without having to remember an increasing index.
There is absolutely no key protection whatsoever. You are in charge of protecting the .key files as you need. For personal VPNs this is not really an issue, but for something in need of security you probably want to import keys into smart cards. This is meant to replace easy-rsa, not a full-fledged PKI.
-- nicolas314 - 2016-January