2024-12-31-cas
- Read about OpenSSL and certificates.
- Tested Cerfiticate Authorities
The following are CLI CA's. There are other Server based implementtions, with API's.https://github.com/lipixun/pyca (Python)- Should be hackable
- Uses openssl commands
- Does not support intermediate certs
- Error handling is terrible
- Python2 (2to3 works partially)
- https://github.com/radiac/caman (Shell)
- Supports intermediate certs
https://github.com/jsha/minica (Go Lang)
- Because we want to also encode permissions in the certificates, maybe we
need to do our own thing.
- https://gist.github.com/soarez/9688998 : Without intermediate certs, but with extensions handling.
- Other references
- OpenSSL Creating a Certificate Authority (CA): https://node-security.com/posts/openssl-creating-a-ca/
- Creating a browser trusted self-signed SSL certificate: https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15
- Create Your Own SSL Certificate Authority for Local HTTPS Development: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
- How to Be Your Own Certificate Authority: https://www.wikihow.com/Be-Your-Own-Certificate-Authority
- How to Create Trusted Self-Signed SSL Certificates and Local Domains for Testing: https://betterprogramming.pub/trusted-self-signed-certificate-and-local-domains-for-testing-7c6e6e3f9548
- OpenSSL Certificate Authority: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
- Other tips: https://klyr.github.io/posts/various_reminders_about_openssl_and_certificates/
- Extensions: https://www.openssl.org/docs/man3.0/man5/x509v3_config.html
Can we find a good place to add our date in here? - Manpages:
- Tested Cerfiticate Authorities
openssl req -new -subj "/C=GB/CN=foo" \
-addext "subjectAltName = DNS:foo.co.uk" \
-addext "certificatePolicies = 1.2.3.4" \
-newkey rsa:2048 -keyout key.pem -out req.pem
After giving it some thought, it is bad idea to store "permissions" in the certificate. This is because, you can't change permissions on a certificate after it has been issued. You will need to re-issue the certificate.
Maybe, it would be better, to only store the identity, and use a permissions file either statically or on a server, to figure out if they are authorized to perform that action.
That way, if you need to change permissions, you change the static file, or better, you change a permissions (authorization) server.