Certificate tool for Sysadmins


Keywords
x509, tls, ssl, certificate, authority, command-line, server, authentication
License
ISC
Install
pip install sysca==2.0

Documentation

SysCA - Certificate tool for Sysadmins

Description

Easy-to-use command-line tool for certificate management.

Features

  • Simple command-line UI.
  • Good defaults, sets up common extensions automatically.
  • PGP- and password-protected private keys.
  • OCSP and CRL info settings.
  • Supports EC, RSA and DSA keys.

Dependencies

  • Python cryptography module (version >= 2.1).
  • (Optional) gpg command-line tool to decrypt files.

Summary

Generate new key:

sysca new-key              [--password-file TXT_FILE] [--out DST]
sysca new-key ec[:<curve>] [--password-file TXT_FILE] [--out DST]
sysca new-key rsa[:<bits>] [--password-file TXT_FILE] [--out DST]
sysca new-key dsa[:<bits>] [--password-file TXT_FILE] [--out DST]

Create certificate signing request:

sysca request --key KEY_FILE [--password-file TXT_FILE]
              [--subject DN] [--san ALTNAMES]
              [--CA] [--path-length DEPTH]
              [--usage FLAGS] [--ocsp-url URLS] [--crl-url URLS]
              [--issuer-cert-url URLS]
              [--out CSR_FN]

Create selfsigned certificate:

sysca selfsign --key KEY_FILE --days N [--password-file TXT_FILE]
              [--subject DN] [--san ALTNAMES]
              [--CA] [--path-length DEPTH]
              [--usage FLAGS] [--ocsp-url URLS] [--crl-url URLS]
              [--issuer-cert-url URLS]
              [--out CRT_FN]

Sign certificate signing request:

sysca sign --ca-key KEY_FILE --ca-info CRT_FILE
           --request CSR_FILE --days NUM
           [--out CRT_FN] [--password-file TXT_FILE]
           [--reset ...]

Create or update CRL file:

sysca update-crl [--crl CRL_FILE] [--out CRT_FN]
           --ca-key KEY_FILE --ca-info CRT_FILE [--password-file TXT_FILE]
           --days NUM [--crl-number NUM] [--delta-crl-number NUM]
           [--reason REASON_NAME]
           [--revoke-cert CERT_FILE] ...
           [--revoke-serial SERIAL] ...

Display contents of CRT, CSR or CRL file:

sysca show FILE

Commands

new-key

Generate new key.

Takes key type as optional argument. Value can be either ec:<curve>, rsa:<bits> or dsa:<bits>. Shortcuts: ec is ec:secp256r1, rsa is rsa:2048, dsa is dsa:2048. Default: ec.

Suggested curves for EC: secp256r1, secp384r1, secp521r1, ed25519.

Options:

--password-file FILE
Password will be loaded from file. Can be PGP-encrypted. Resulting private key will be encrypted with this password.
--out DST_FN
Target file to write key to. It's preferable to write to stdout and encrypt with GPG.
--outform PEM|DER
Output file format. PEM is textual format, DER is binary. Default: PEM.

request

Create certificate signing request (CSR).

Options:

--out CSR_FILE
Target file to write Certificate Signing Request to.
--outform PEM|DER
Output file format. PEM is textual format, DER is binary. Default: PEM.
--key KEY_FILE
Private key file to create request for. Can be PGP-encrypted. Can be password-protected.
--password-file FN
Password file for private key. Can be PGP-encrypted.
--subject DN

Subject's DistinguishedName which is X509 Name structure, which is collection of key-value pairs.

Each pair is separated with "/", key and value are separated with "=". Surrounding whitespace around both "/" and "=" will be stripped. "\" can be used for escaping.

Most important field: CN=commonName.

Common fields: O=organizationName, OU=organizationalUnit, C=countryName, L=locality, ST=stateOrProvinceName.

Less common fields: SN=surname, GN=givenName, T=title, P=pseudonym, SA=streetAddress.

Example: --subject "/CN=www.example.com/ O=My Company / OU = DevOps"

Default: empty.

Certificate field: Subject.

--CA

The certificate will have CA rights - that means it can sign other certificates.

Extension: BasicConstraints.

--path-length

Applies only for CA certs - limits how many levels on sub-CAs can exist under generated certificate. Default: Undefined.

Extension: BasicConstraints.

--san ALT_NAMES

Specify alternative names for subject as list of comma-separated strings, that have prefix that describes data type.

Supported prefixes:

dns
Domain name.
email
Email address. Plain addr-spec (local_part @ domain) is allowed here, no <> or full name.
ip
IPv4 or IPv6 address.
uri
Uniform Resource Identifier.
dn
DirectoryName, which is X509 Name structure. See --subject for syntax.

Example: --san "dns: *.example.com, dns: www.foo.org, ip: 127.0.0.1 "

Extension: SubjectAlternativeName.

Options useful only when apps support them:

--usage USAGE_FLAGS

Comma-separated keywords that set KeyUsage and ExtendedKeyUsage flags.

ExtendedKeyUsage flags, none set by default.

client
TLS Web Client Authentication.
server
TLS Web Server Authentication.
code
Code signing.
email
E-mail protection.
time
Time stamping.
ocsp
OCSP signing.
any
All other purposes too that are not explicitly mentioned.

KeyUsage flags, by default CA certificate will have key_cert_sign and crl_sign set, non-CA certificate will have digital_signature and key_encipherment set but only if no --usage was given by user.

digital_signature
Allowed to sign anything that is not certificate for key.
key_agreement
Key is allowed to use in key agreement.
key_cert_sign
Allowed to sign certificates for other keys.
crl_sign
Allowed to sign certificates for certificate revocation lists (CRLs).
key_encipherment
Secret keys (either private or symmetric) can be encrypted against public key in certificate. Does not apply to session keys, but standalone secret keys?
data_encipherment
Raw data can be encrypted against public key in certificate. [Bad idea.]
content_commitment
Public key in certificate can be used for signature checking in "seriously-i-mean-it" environment. [Historical.]
encipher_only
If key_agreement is true, this flag limits use only for data encryption.
decipher_only
If key_agreement is true, this flag limits use only for data decryption.
--ocsp-nocheck

Disable OCSP checking for this certificate. Used for certificates that sign OCSP status replies.

Extension: OCSPNoCheck.

--ocsp-must-staple

Requires that TLS handshake must be done with stapled OCSP response using status_request protocol.

Extension: OCSPMustStaple.

--ocsp-must-staple-v2

Requires that TLS handshake must be done with stapled OCSP response using status_request_v2 protocol.

Extension: OCSPMustStapleV2.

--crl-url URLS

List of URLs where certificate revocation lists can be downloaded.

Extension: CRLDistributionPoints.

--ocsp-url URLS

List of URL for OCSP endpoint where validity can be checked.

Extension: AuthorityInformationAccess.

--issuer-url URLS

List of URLS where parent certificate can be downloaded, in case the parent CA is not root CA. Usually sub-CA certificates should be provided during key-agreement (TLS). This setting is for situations where this cannot happen or for fallback for badly-configured TLS servers.

Extension: AuthorityInformationAccess.

--exclude-subtrees NAME_PATTERNS
Disallow CA to sign subjects that match patterns. See --permit-subtrees for details.
--permit-subtrees NAME_PATTERNS

Allow CA to sign subjects that match patterns.

Specify patters for subject as list of comma-separated strings, that have prefix that describes data type.

Supported prefixes:

dns
Domain name.
email
Email address. Plain addr-spec (local_part @ domain) is allowed here, no <> or full name.
net
IPv4 or IPv6 network.
uri
Uniform Resource Identifier.
dn
DirectoryName, which is X509 Name structure. See --subject for syntax.

Extension: NameConstraints.

--inhibit-any N

Disallow special handling of any policy (2.5.29.32.0) after N levels.

Extension: InhibitAnyPolicy.

--require-explicit-policy N

Require explicit certificate policy for whole path after N levels.

Extension: PolicyConstraints.

--inhibit-policy-mapping N

Disallow policy mapping processing after N levels.

Extension: PolicyConstraints.

--add-policy OID:SPECS

Add another PolicyInformation record to certificate with optional qualifiers.

Usage:

--add-policy OID
Just add OID alone. Recommended usage.
--add-policy OID:SPEC,SPEC
Add policy OID with one or more qualifiers.

Qualifier spec for URI pointer to CPS (Certification Practice Statement): |P=URI|

Qualifier spec for UserNotice with explicitText and noticeRef: |T=explicit_text|O=orgName|N=1:2:3|

Extension: CertificatePolicies.

sign

Create signed certificate based on data in request. Any unsupported extensions in request will cause error.

It will add SubjectKeyIdentifier and AuthorityKeyIdentifier extensions to final certificate that help to uniquely identify both subject and issuers public keys. Also IssuerAlternativeName is added as copy of CA cert's SubjectAlternativeName extension if present.

Options:

--out CRT_FILE
Target file to write certificate to.
--outform PEM|DER
Output file format. PEM is textual format, DER is binary. Default: PEM.
--days NUM
Lifetime for certificate in days.
--request CSR_FILE
Certificate request file generated by request command.
--ca-key KEY_FILE
CA private key file. Can be PGP-encrypted. Can be password-protected.
--ca-info CRT_FILE
CRT file generated by request command. Issuer CA info will be loaded from it.
--password-file FN
Password file for CA private key. Can be PGP-encrypted.
--reset
Do not use any info fields from CSR, reload all info from command line. Without it, all info from CSR is kept and command line is ignored.

selfsign

This commands takes same arguments as request plus --days NUM. Preferable to use with --CA and --usage options.

update-crl

Creates or updates Certificate Revocation List file.

CRL file can be either full or delta:

full
Contains full set of revoked certificates. Options: --crl-number=CUR
delta
Contains only certificates missing from older CRL version. Options: --delta-crl-number=OLD --crl-number=CUR

CRL file can be either direct or indirect:

direct
All revoked certificates belong to signer that issues CRL.
indirect
Revoked certificates contain reference to actual CA that issued. Set with option: --indirect-crl.

Options for CRL itself:

--crl FN
Load existing file. Version numbers are reused unless overrided on command line.
--out FN
Write output to file.
--outform PEM|DER
Output file format. PEM is textual format, DER is binary. Default: PEM.
--days NUM
Set period that this CRL is valid.
--ca-key KEY_FILE
CA private key file. Can be PGP-encrypted. Can be password-protected.
--ca-info CRT_FILE
CA certificate used for signing.
--crl-number VER

Version number for main CRL.

Extension: CRLNumber.

--delta-crl-number VER

Version number of prevous CRL that this delta is from.

Extension: DeltaCRLNumber.

--crl-scope SCOPE

CRL scope, one of: all, user, ca, attr. Default: all

This flags shows that CRL contains only specific types of certificates.

all
All types. Default.
user
Only user certificates.
ca
Only CA certificates.
attr
Only attribute certificates.

Extension: CRLIssuingDistributionPoint.

--indirect-crl

CRL list can contain revoked certificates not issued by CRL signer.

Extension: CRLIssuingDistributionPoint.

--issuer-urls URLS

Override issuer URLs. Default: taken from signer certificate.

Extension: CRLAuthorityInformationAccess.

Options for adding entries:

--revoke-certs FN [FN ...]
Filenames of certificates to add.
--revoke-serials NUM [NUM ...]
Certificate serial numbers to add.
--reason REASON

Revocation reason. Used for all entries added in one command. One of:

key_compromise
Private key compromise.
ca_compromise
CA key compromise.
affiliation_changed
Current certificate is obsolete. Another CA is being responsible.
superseded
Current certificate is obsolete. New certificate has been issued.
cessation_of_operation
Current certificate is obsolete. CA shut down.
privilege_withdrawn
Certificate attributes are not valid anymore.
aa_compromise
Provider of attributes to certificate has been compromised.
certificate_hold
Temporary entry, actual reason will follow later.
remove_from_crl
Certificate should not be in CRL anymore.
unspecified
Default, means no reason has been provided.

Extension: CRLReason.

--invalidity-date DATE

Consider certificate invalid from date. Optional, if missing revocation date is used.

Extension: CRLInvalidityDate.

show

Display contents of CSR or CRT file.

list

Output values for various parameters.

list ec-curves
Show supported safe curves. Needs --unsafe flag to show all supported curves.
list name-fields
Show keywords usable in name fields.

export

Reads and outputs file again. Useful for converting key formats.

Options:

--out FN
Write output to file.
--outform PEM|DER
Output file format. PEM is textual format, DER is binary. Default: PEM.
--password-file FN
Password file for CA private key. Can be PGP-encrypted.

export-pub

Reads certificate, certificate request or private key file and outputs it's public key.

Options:

--out FN
Write output to file.
--outform PEM|DER
Output file format. PEM is textual format, DER is binary. Default: PEM.
--password-file FN
Password file for CA private key. Can be PGP-encrypted.

Private Key Protection

Private keys can be stored unencryped, encrypted with PGP, encrypted with password or both. Unencrypted keys are good only for testing. Good practice is to encrypt both CA and end-entity keys with PGP and use passwords only for keys that can be deployed to servers with password-protection.

For each key, different set of PGP keys can be used that can decrypt it:

$ sysca new-key | gpg -aes -r "admin@example.com" -r "backup@example.com" > CA.key.gpg
$ sysca new-key | gpg -aes -r "admin@example.com" -r "devops@example.com" > server.key.gpg

Example

Self-signed CA example:

$ sysca new-key | gpg -aes -r "admin@example.com" > TestCA.key.gpg
$ sysca selfsign --key TestCA.key.gpg --subject "/CN=TestCA/O=Gov" --CA > TestCA.crt

Sign server key:

$ sysca new-key | gpg -aes -r "admin@example.com" > Server.key.gpg
$ sysca request --key Server.key.gpg --subject "/CN=web.server.com/O=Gov" > Server.csr
$ sysca sign --days 365 --request Server.csr --ca-key TestCA.key.gpg --ca-info TestCA.crt > Server.crt

Critical extensions

SysCA does not allow tuning of critical extension flag, following extensions are always set as critical when added to certificate:

All other added extensions will be non-critical.

Compatibility notes

Although SysCA allows to set various extension parameters, that does not mean any software that uses the certificates actually looks or acts on the extensions. So it's reasonable to set up only extensions that are actually used.