Submit signing request

Hi, {{user}}

Request submission is allowed from: {% if ca.request_subnets %}{% for i in ca.request_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}

Autosign is allowed from: {% if ca.autosign_subnets %}{% for i in ca.autosign_subnets %}{{ i }} {% endfor %}{% else %}nowhere{% endif %}

Authority administration is allowed from: {% if ca.admin_subnets %}{% for i in ca.admin_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}

Authority administration allowed for: {% for i in ca.admin_users %}{{ i }} {% endfor %}

IPsec gateway on OpenWrt

{% set s = ca.certificate.subject %}
opkg update
opkg install strongswan-default curl openssl-util
modprobe authenc

Generate key and submit using standard shell tools:

CN=$(cat /proc/sys/kernel/hostname)
curl {{request.url}}/certificate/ > /etc/ipsec.d/cacerts/ca.pem
openssl genrsa -out /etc/ipsec.d/private/$CN.pem 4096
chmod 0600 /etc/ipsec.d/private/$CN.pem
openssl req -new -sha256 -key /etc/ipsec.d/private/$CN.pem -out /etc/ipsec.d/reqs/$CN.pem -subj "{% if s.C %}/C={{s.C}}{% endif %}{% if s.ST %}/ST={{s.ST}}{% endif %}{% if s.L %}/L={{s.L}}{% endif %}{% if s.O %}/O={{s.O}}{% endif %}{% if s.OU %}/OU={{s.OU}}{% endif %}/CN=$CN"
curl -f -L -H "Content-Type: application/pkcs10" --data-binary @/etc/ipsec.d/reqs/$CN.pem {{request.uri}}/request/?autosign=1\&wait=30 > /etc/ipsec.d/certs/$CN.pem.part
if [ $? -eq 0 ]; then mv /etc/ipsec.d/certs/$CN.pem.part /etc/ipsec.d/certs/$CN.pem; fi
openssl verify -CAfile /etc/ipsec.d/cacerts/ca.pem /etc/ipsec.d/certs/$CN.pem

Inspect newly created files:

openssl x509 -text -noout -in /etc/ipsec.d/cacerts/ca.pem
openssl x509 -text -noout -in /etc/ipsec.d/certs/$CN.pem
openssl rsa -check -in /etc/ipsec.d/private/$CN.pem
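The exit status test above only tells you that curl finished; it says nothing about what landed in the .part file. The following added example (not Certidude's own code; it assumes only the openssl CLI, and the paths are hypothetical) installs the returned certificate only after confirming it chains to the CA, certifies the key you generated and carries the subject you requested. The demo function builds a throw-away CA and a rogue CA in a temp directory to show both the accept and the reject path.

```shell
#!/bin/sh
# Added example, not part of Certidude. Assumes the openssl CLI.

# install_signed CA_PEM KEY_PEM CSR_PEM PART DEST
# Moves PART to DEST only if it chains to CA_PEM, certifies the public key
# of KEY_PEM and has the subject CSR_PEM asked for. Returns 1 otherwise.
install_signed() {
    ca=$1 key=$2 csr=$3 part=$4 dest=$5
    # 1. The certificate must validate against our CA (and not be expired).
    openssl verify -CAfile "$ca" "$part" >/dev/null 2>&1 \
        || { echo "reject: does not chain to $ca" >&2; return 1; }
    # 2. It must certify the key we generated, not somebody else's.
    want=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    have=$(openssl x509 -in "$part" -noout -pubkey 2>/dev/null) || return 1
    [ "$want" = "$have" ] \
        || { echo "reject: public key differs from $key" >&2; return 1; }
    # 3. The CA must have signed the subject we requested (CN = hostname).
    want=$(openssl req  -in "$csr"  -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    have=$(openssl x509 -in "$part" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ -n "$want" ] && [ "$want" = "$have" ] \
        || { echo "reject: subject '$have' != requested '$want'" >&2; return 1; }
    mv "$part" "$dest"
}

# demo: constructed fixtures in a temp dir: a CA, a rogue CA and one client
# CSR, signed once by each. Prints "ok" when the genuine certificate is
# installed and the rogue one is refused.
demo() {
    d=$(mktemp -d) && cd "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj /CN=DemoCA -days 1 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
        -subj /CN=RogueCA -days 1 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
        -subj /CN=gw1 >/dev/null 2>&1
    openssl x509 -req -in gw.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out good.part -days 1 >/dev/null 2>&1
    openssl x509 -req -in gw.csr -CA rogue.pem -CAkey rogue.key -CAcreateserial \
        -out bad.part -days 1 >/dev/null 2>&1
    install_signed ca.pem gw.key gw.csr good.part gw.pem 2>/dev/null || return 1
    install_signed ca.pem gw.key gw.csr bad.part gw2.pem 2>/dev/null && return 1
    [ -f gw.pem ] && [ ! -f gw2.pem ] && echo ok
}
```

In the OpenWrt flow above you would call install_signed with /etc/ipsec.d/cacerts/ca.pem, the private key, the CSR under reqs/ and the .part file in place of the bare mv.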

Assuming you have Certidude installed, enroll the client with:

certidude setup client {{request.url}}

To set up an OpenVPN server:

certidude setup openvpn server {{request.url}}

Or to set up an OpenVPN client:

certidude setup openvpn client {{request.url}}

Pending requests

Signed certificates

Once a request has been signed, you can fetch the certificate by its common name:

curl -f {{request.url}}/signed/$CN > $CN.crt

Revoked certificates

To fetch certificate revocation list:

curl {{request.url}}/revoked/ | openssl crl -text -noout