commit | ec61381b0991fc31466c3a6f6d52d814110ad334 | |
---|---|---|
author | Zack Williams <zdw@opennetworking.org> | Mon Nov 09 15:49:29 2020 -0700 |
committer | Zack Williams <zdw@opennetworking.org> | Mon Apr 04 23:29:53 2022 -0700 |
tree | 4bf8a82dc19c860442d7d4f9536ef1f8bec8a097 | |
parent | 4ee5ecdf29c2dbabbcb4c5c5fa30d4563c7d45f9 | |
Initial onfca commit

Updated help target in Makefile
Reworked for IM CAs
Added CRL handling
Added docs/references

Change-Id: I2b1eb541464c157d3626bbe4a6cf7db78c2af533
Generates certificates and a PKI hierarchy, using a Makefile to drive the process. Please read through the variables at the top of the Makefile to learn how to generate artifacts. Also please look at pki.cnf, the OpenSSL configuration file used to configure the process.

This Makefile will generate a 3-deep hierarchy of certificates:
root CA -> intermediate CA -> leaf
Note that CRLs are also generated, as well as "chain" (containing the Root CA and IM CA) and "bundle" (containing the IM CA and Leaf) versions of the generated certs.

This repo requires the following tools to work correctly:

- make
- openssl
Create a root CA cert:

```sh
ROOT_CA_PASSPHRASE="<password>" make onf_pki/root_ca/ca.pem
```

Create an IM CA cert:

```sh
IM_CA_PASSPHRASE="<password>" make onf_pki/im_ca/ca.pem
```

Create a server leaf cert (issued from the IM CA):

```sh
LEAF_SAN="DNS:server.example.com" make onf_pki/certout/server.example.com.pem
```

Create a client leaf cert (issued from the IM CA):

```sh
LEAF_PURPOSE=client_cert_ext LEAF_SAN="email:username@example.com" make onf_pki/certout/username.pem
```

Test that keys are valid for their purpose:

```sh
LEAF_KEYPAIR=server.example.com make valid_server
LEAF_KEYPAIR=username make valid_client
```

Revoke a leaf certificate:

```sh
LEAF_KEYPAIR=server.example.com make revoke_leaf
```
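The steps above are driven by the repo's Makefile and pki.cnf. The script below is an added example, not the project's own code, that builds the same root CA -> IM CA -> leaf hierarchy with plain openssl commands and then performs the checks that the valid_server, valid_client and revoke_leaf targets stand for: purpose verification against the chain, a look at the leaf SAN, and a CRL check after revocation. All names (Demo Root CA, Demo IM CA, server.example.com, the file names and the PKI_DEMO_DIR variable) are constructed for this demo; it needs only openssl 1.1.1 or 3.x.

```shell
#!/bin/sh
# Added example (not the onfca Makefile): root CA -> IM CA -> leaf with plain
# openssl, plus the purpose and CRL checks the page's make targets perform.
# All names and paths are constructed for the demo. Requires openssl >= 1.1.1.
set -eu

WORK="${PKI_DEMO_DIR:-$(mktemp -d)}"

build_pki() {
  # Minimal req config so the demo does not depend on the system openssl.cnf.
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = Demo\n' > "$WORK/req.cnf"
  printf '[ v3_ca ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$WORK/req.cnf"

  # 1. Root CA: self-signed, CA:TRUE; it only ever signs the IM CA.
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

  # 2. IM CA: CSR signed by the root; pathlen:0 means it may only issue leaves.
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=Demo IM CA" \
    -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/im.key" -out "$WORK/im.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\n' > "$WORK/im.ext"
  openssl x509 -req -in "$WORK/im.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$WORK/im.ext" -out "$WORK/im.pem" 2>/dev/null

  # 3. Server leaf from the IM CA: SAN carries the name, EKU limits it to serverAuth.
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=server.example.com" \
    -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:server.example.com\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/im.pem" -CAkey "$WORK/im.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # chain = root + IM (what a verifier trusts); bundle = leaf + IM (what a TLS
  # endpoint presents; leaf first is the order TLS expects).
  cat "$WORK/root.pem" "$WORK/im.pem" > "$WORK/chain.pem"
  cat "$WORK/leaf.pem" "$WORK/im.pem" > "$WORK/bundle.pem"
}

# Print OK if the leaf verifies against the chain for the given purpose
# (sslserver / sslclient), FAIL otherwise. The leaf above carries only
# serverAuth, so it passes sslserver and fails sslclient.
verify_purpose() {
  if openssl verify -purpose "$1" -CAfile "$WORK/chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Print the leaf's subjectAltName (the name a client checks the server against).
leaf_san() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -A1 'Subject Alternative Name'
}

# Revoke the leaf with the IM CA and issue a CRL. `openssl ca` needs a small
# CA database (index.txt, serial, crlnumber), created here on the fly.
revoke_leaf() {
  printf '[ ca ]\ndefault_ca = demo_ca\n[ demo_ca ]\ndir = %s\ndatabase = $dir/index.txt\nserial = $dir/serial\ncrlnumber = $dir/crlnumber\ndefault_md = sha256\ndefault_crl_days = 30\n' "$WORK" > "$WORK/ca.cnf"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/im.key" -cert "$WORK/im.pem" \
    -revoke "$WORK/leaf.pem" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/im.key" -cert "$WORK/im.pem" \
    -gencrl -out "$WORK/im.crl" >/dev/null 2>&1
}

# Print "revoked" if CRL checking rejects the leaf, "valid" if it still passes.
crl_status() {
  if out=$(openssl verify -crl_check -CAfile "$WORK/chain.pem" -CRLfile "$WORK/im.crl" "$WORK/leaf.pem" 2>&1); then
    echo valid
  elif echo "$out" | grep -q "certificate revoked"; then
    echo revoked
  else
    echo "error: $out" >&2
    return 1
  fi
}

build_pki
echo "sslserver: $(verify_purpose sslserver)   sslclient: $(verify_purpose sslclient)"
leaf_san
revoke_leaf
echo "after revocation + CRL: $(crl_status)"
```

Two points worth noticing: the client-purpose check fails not because of the chain but because the leaf's extendedKeyUsage lacks clientAuth, which is exactly the distinction the LEAF_PURPOSE variable controls; and a plain `openssl verify` without `-crl_check` still reports the revoked leaf as OK, so any consumer of these certs must be given the CRL (or a CRL distribution point) for revocation to have any effect.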
This command uses the root CA and the client key/cert to connect to a remote webserver:

```sh
curl -v --cacert bundle.pem --key client.key --cert client.pem https://server:port/path
```

If you want to test an IP address that doesn't resolve with DNS but still check the SAN, use:

```sh
curl -v --cacert ca.pem --key client.key --cert client.pem \
  --resolve "server:port:<ip address>" https://server:port/path
```
References:

- https://pki-tutorial.readthedocs.io/en/latest/index.html
- https://www.keylength.com/
- http://nginx.org/en/docs/http/configuring_https_servers.html
- https://ipxe.org/crypto

Implement Elliptic curves: