Simple script to manage user certificates used for client certificate authentication on restricted websites.
It sets up a self-signed CA and generates a client certificate per user.
## Requirements

- OpenSSL
- Web server (such as Apache)
## Build and install

```sh
$ make
$ sudo make install
```
Variables available on `make`:

- `CA_ROOT`: where certs are stored. Default: `/etc/privcert`
- `OPENSSL`: path of the openssl executable. Default: auto detected
- `MD5SUM`: path of the md5sum executable. Default: auto detected
- `BASE64`: path of the base64 executable. Default: auto detected
- `DN_BASE`: prefix of the X.509 DN. Default: `/C=JP/ST=Tokyo/O=Your Company`
  - requires C, ST and O
  - must omit CN and emailAddress (these are set individually per user)
- `EXTRACT_PWD`: password to extract the user cert on install. Default: `privcert`
- `CERT_NAME`: default name of the user cert. Default: `PrivCert`
  - recommended to set to the site name
- `UPDATE_HOOK`: hook to reconfigure the web server. Default: `apachectl restart` (with auto detected executable path)
- `KEYLEN`: default key length in bits. Default: `2048`
  - can be overridden by the `-l` option
- `EXPIRE`: default cert expiration in days. Default: `3650` (about 10 years)
  - can be overridden by the `-e` option
Variables available on `make install`:

- `PREFIX`: install prefix. Default: `/usr/local`
- `BINDIR`: where executables are installed. Default: `$(PREFIX)/sbin`

`DESTDIR`, useful when making packages, is also available.
## Setup

First, initialize the environment and generate the self-signed certificate for the local CA:

> **Note**
> On most systems the `privcert` executable installed in `/usr/local/sbin` is not found under `sudo`, because `sudo` overrides `$PATH` for security reasons. Consider adding the `-i` option so that `$PATH` is taken from root's environment.

```sh
$ sudo -i privcert init
```
A piece of configuration to be set in the SSL configuration is displayed after initialization.
Then enter the password for server mode twice.

> **Note**
> If the password was omitted or setting it failed, rerun `init` to initialize the password.
> Once the password is initialized, use `sudo -i privcert passwd` to update it.
Set the displayed piece in the SSL configuration of your web server.
For Apache, append the following to the `VirtualHost` directive in `ssl.conf`:

> **Note**
> `ssl.conf` is found under `/etc/httpd/conf.d` on RHEL or compatible systems.
> It might have another location or filename, for example `default-ssl.conf` under `/etc/apache2/sites-available` on Ubuntu or Debian variants.

```apache
SSLCACertificateFile /etc/privcert/ca/cert.pem
SSLVerifyClient optional
SSLVerifyDepth 10
SSLCARevocationCheck leaf
SSLCARevocationFile /etc/privcert/ca/crl.pem
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Your Company"
```

The value in `SSLRequire` should be changed from the default `"Your Company"` to the O value of the DN specified in `DN_BASE`.
Anyway, just copy the displayed piece of the configuration.
> **Note**
> In addition, `SSLCertificateFile` and `SSLCertificateKeyFile` might already be specified to enable SSL with an appropriate server certificate.

Reload the Apache configuration to make these settings take effect:

```sh
$ sudo apachectl restart
```
Now the site is not accessible until a client certificate signed by this CA is installed.

To use the web interface, register `privcert` as a service and modify some configuration after setting up the webapp.
See web/README.md for more details.
## Making user certs

```sh
$ sudo -i privcert make USER [CN] [EMAIL]
```

To make the site accessible, import the cert file generated at `/etc/privcert/users/USER.pfx` into the user's environment.
Ordinarily, just double-click or tap that file to import it into the system cert store; on some environments it might need to be imported from the certificate management menu of the browser.
The fixed password set in `EXTRACT_PWD`, `privcert` by default, is required.
The web interface should be useful for distributing certs.
## Listing user certs

```sh
$ sudo -i privcert list
```

It shows only the certs directly under `/etc/privcert/users`, which should hold only valid ones.
## Revoking a user cert

```sh
$ sudo -i privcert revoke USER
```

The revoked cert is added to the certificate revocation list (`crl.pem`), so the client holding that cert can no longer access the site.
The cert itself is moved to `/etc/privcert/trash`.
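As an added example (not part of privcert), the script below builds a throwaway CA with openssl and runs, against client certs it issues, the same three checks the Apache snippet in the setup section performs: chain to the CA, leaf not on the CRL (`SSLCARevocationCheck leaf`), and subject O equal to the O of `DN_BASE` (`SSLRequire`). It then revokes one cert and regenerates the CRL, which is the effect of `privcert revoke`. The temp-dir file names, the `example.test` mail domain and the minimal openssl config are assumptions.

```shell
# Added demo (not privcert's own code): throwaway CA in a temp dir, client
# certs under the default DN_BASE, a CRL, and a check that mirrors the Apache
# snippet: chain to the CA, leaf not revoked, O equal to the O of DN_BASE.
set -eu
ORG="Your Company"            # O value of DN_BASE, what SSLRequire compares
DIR="$(mktemp -d)"
touch "$DIR/index.txt"; echo 01 >"$DIR/crlnumber"
# Minimal config (assumption) so "openssl req" and "openssl ca" run offline.
cat >"$DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = local
[ local ]
database = $DIR/index.txt
crlnumber = $DIR/crlnumber
certificate = $DIR/ca.pem
private_key = $DIR/ca.key
default_md = sha256
default_crl_days = 30
EOF
# Self-signed CA (stand-in for /etc/privcert/ca/cert.pem) and an empty CRL.
openssl req -config "$DIR/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/C=JP/ST=Tokyo/O=$ORG/CN=demo CA" -keyout "$DIR/ca.key" -out "$DIR/ca.pem" 2>/dev/null
gen_crl() { openssl ca -config "$DIR/ca.cnf" -gencrl -out "$DIR/crl.pem" 2>/dev/null; }
gen_crl
issue_client() {   # $1 = user, $2 = O for its DN; DN_BASE prefix + CN + emailAddress
  openssl req -config "$DIR/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=JP/ST=Tokyo/O=$2/CN=$1/emailAddress=$1@example.test" \
    -keyout "$DIR/$1.key" -out "$DIR/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -CA "$DIR/ca.pem" -CAkey "$DIR/ca.key" \
    -CAcreateserial -in "$DIR/$1.csr" -out "$DIR/$1.pem" 2>/dev/null
}
# Put the user's cert on the CRL and publish it (what "privcert revoke" does).
revoke_client() {             # $1 = user
  openssl ca -config "$DIR/ca.cnf" -revoke "$DIR/$1.pem" 2>/dev/null
  gen_crl
}
# 0 only if: chains to the CA, not on the CRL (SSLCARevocationCheck leaf), O = $ORG (SSLRequire).
check_client_cert() {         # $1 = user
  openssl verify -crl_check -CAfile "$DIR/ca.pem" -CRLfile "$DIR/crl.pem" \
    "$DIR/$1.pem" >/dev/null 2>&1 || return 1
  o=$(openssl x509 -noout -subject -nameopt sep_multiline,utf8 -in "$DIR/$1.pem" |
    sed -n 's/^ *O=//p')
  [ "$o" = "$ORG" ]
}
issue_client alice "$ORG";   check_client_cert alice && echo "alice: accepted"
revoke_client alice;         check_client_cert alice || echo "alice: rejected (revoked)"
issue_client bob "Other Co"; check_client_cert bob || echo "bob: rejected (O mismatch)"
```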
## TODO

- Server certificate (to use with VPN server)
- Update CA cert (necessary?)
## License

Copyright (c) 2024-2025 Shun-ichi TAHARA <jado@flowernet.jp>

Provided under the MIT license, with the exception of the third-party/getoptions directory, which is taken from ko1nksm/getoptions under CC0.