[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [MirageOS-devel] csrs and self-signed certs for TLS
I've made a simple command-line tool that generates self-signed certs and private keys with nocrypto 0.4.0 and the current trunk of x509, which I'll be releasing shortly; I'll expand it to build CSRs with your branch as well. Cheers, Mindy On 06/15/2015 02:32 PM, Hannes Mehnert wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 On 06/12/2015 10:10, Mindy wrote:We don't have a nice way to generate certificate signing requests or self-signed certificates ourselves yet, right? I'm writing up a thing on getting HTTPS up and running with mirage-seal and those are places where I have to say "invoke openssl or your favorite alternative, but we got nothin' for you". If I'm incorrect, I'd appreciate a pointer on where to go looking. :)While there is not yet any command-line tool, there is support for creating and signing certificate signing requests on a branch [0]: ```` let write filename data = Lwt_unix.openfile filename [Unix.O_WRONLY ; Unix.O_CREAT] 0o400= fun fd ->Lwt_unix.write fd (Cstruct.to_string data) 0 (Cstruct.len data)= fun l ->assert (l = Cstruct.len data) ; Lwt_unix.close fd in let create_key filename = (* initialise our Rng *) Nocrypto_entropy_lwt.initialize () >>= fun () -> (* generate RSA private key *) let key = `RSA (Nocrypto.Rsa.generate 2048) in (* dump to disk *) let pem = X509.Encoding.Pem.Private_key.to_pem_cstruct1 key in write filename pem >|= fun () -> key in let create_signing_request ?extensions filename name priv = let extensions = match extensions with | None -> [] | Some x -> [`Extensions x] in let csr = X509.CA.generate name ~extensions priv in let pem = X509.Encoding.Pem.Certificate_signing_request.to_pem_cstruct1 csr in write filename pem >|= fun () -> csr in let sign_request filename ?extensions req priv = let cert = X509.CA.sign req ?extensions priv [ `CN "authority" ] in let pem = X509.Encoding.Pem.Cert.to_pem_cstruct1 cert in write filename pem >|= fun () -> cert in create_key "server.key" >>= fun key -> let name = [`CN "mirage.io"] in let extensions = [(false, `Key_usage [ `Digital_signature ; `Data_encipherment ]) ; (true, `Basic_constraints (false, None)) ; (false, `Subject_alt_name [ `DNS "mirage.io" ; `DNS "www.mirage.io" ])] in create_signing_request "server.csr" ~extensions name key >>= fun csr -> sign_request "server.pem" ~extensions csr key ```` This code snippet will generate a certificate request server.csr (which can be submitted to a certificate authority) self-signed certificate server.pem (valid for a single day, using SHA256 as digest algorithm) and private key server.key. There are certainly some rough edges... e.g. `sign` does not respect the proposed extensions of the signing request (to run a CA, a policy is needed here: who is allowed to add which extensions, and how to overwrite them; otherwise clients can easily request certificates which are valid as certificate authorities)... Hannes 0: https://github.com/mirleft/ocaml-x509/tree/naming -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCQAGBQJVftPVAAoJELyJZYjffCjuWPsP/1DC3oSLGXZNXFKlceaSIApQ 6lit8TdL3YTBTMX2PB4acgo57PDCBQjV0Fo8CgKQ9/C7ORhMdt7iCAbmRDKNCBqu tgIUOpkvOVzg+kRx0e8QA/IedHhkrdB7fjKhJJOaIzGr2dKGUaAwKB7XLdRx9VbM 2gfAyhwOIDcITRexOiK9UkMVhYSxuVe0M9mTGePdM0Aajhzkg0jVcn0L5belcOBv 0/DNLH1aZ2gvXGP63/TOWi71tIZqVVbCVdCVvfXO4r7SKZ7kasfMCT7YpF6TWBA3 O8SGoJM/FzSTRGhSSsEe80rzE4rdQQPogtvBIr+v40Hr8gddCZftqb2xEkCFFwUt vH8BeBllUF1JeyvNAWb4S9AN8lO8y3u6p7i4qK5moNMeKdDJmosNtGqxHAhbePpJ HBazMK6p1uqG753vLLFKBLNmrQwyRoGF+lK2DHGk4MTijxXPv96+T1xaaoEdSB8/ Tfb550efq8zdB0NGXvjA85S+OHSdNAIwHek7zK2MePTqTZkit+7wg9nLcOo+G0UH pVhIi4wiaL/5+pvmy0LM1fmOOtlyp/AQlgXy9A3BQ9nRo+LuUc+GB2gGHdXGm9p4 O2B47I79tkVq20/M/tZyt2QZAPTB1uFIa3zJhKfUt4lSfeY9OScCBidtDDxwxgd9 0lNf3hZgo0vT9ZDL6R6r =jihz -----END PGP SIGNATURE----- _______________________________________________ MirageOS-devel mailing list MirageOS-devel@xxxxxxxxxxxxxxxxxxxx http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel _______________________________________________ MirageOS-devel mailing list MirageOS-devel@xxxxxxxxxxxxxxxxxxxx http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |