Add README.md
parent 9690ef010f
commit fa9fcd174e
22 README.md Normal file
@ -0,0 +1,22 @@
# Certificate signing service
An ACME-like shell server certificate signing service.
A service that listens on a unix domain socket and signs certificate signing requests.
It verifies the CSR's subject corresponds to the username of the peer.
If a user tries to get a certificate for another user the request will be rejected.
It will also add an email address as the SubjectAltName.
This is for client certificates.
## Motivation
This was written with hashbang.sh in mind - a open registration shell server.
SSH keys are used for authenticating with hashbang.sh machines, but users might want to connect to services using TLS or send signed and/or encrypted email.
## Design
The server `cert-service-server` loads up a certificate authority and listens on a socket.
A client `cert-service-client` can connect to this socket and make a signing request.
Using `SO_PEERCRED` the server decides if the client is allowed to have its certificate signed.
The peers communicate using a custom protocol based on [ASN.1](https://en.wikipedia.org/wiki/ASN.1).
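Review bot: the authorization rule this README describes is underspecified, and a reader cannot tell from it what the service actually checks or issues. The sentence "It verifies the CSR's subject corresponds to the username of the peer" does not say which subject attribute is compared (the CN alone, or the whole DN) or whether a CSR carrying additional subject components is rejected; the sentence "It will also add an email address as the SubjectAltName" does not say where that address comes from (derived from the peer username, or copied from the CSR, which would let a requester pick it); and "This is for client certificates" is an intent statement only, so please state that the signed certificate's key usage and extended key usage are restricted to client use, since that restriction is what prevents a signed user CSR from being usable as a server or CA certificate. For "Using `SO_PEERCRED` the server decides if the client is allowed", add that this check is Linux-specific and document the socket path, owner and mode, because anyone who can connect to the socket can request a certificate for their own uid. For the closing line about a custom protocol based on ASN.1, link or include the ASN.1 module so client authors and reviewers do not have to recover the message format from the code.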