Go to file
2020-12-09 22:11:20 +01:00
bin Initial commit 2020-12-09 20:28:07 +01:00
lib Initial commit 2020-12-09 20:28:07 +01:00
cert_service.opam Initial commit 2020-12-09 20:28:07 +01:00
dune-project Initial commit 2020-12-09 20:28:07 +01:00
README.md Add hashbang.sh url 2020-12-09 22:11:20 +01:00

Certificate signing service

An ACME-like shell server certificate signing service.

A service that listens on a unix domain socket and signs certificate signing requests. It verifies the CSR's subject corresponds to the username of the peer. If a user tries to get a certificate for another user the request will be rejected. It will also add an email address as the SubjectAltName. This is for client certificates.

Motivation

This was written with hashbang.sh in mind - a open registration shell server. SSH keys are used for authenticating with hashbang.sh machines, but users might want to connect to services using TLS or send signed and/or encrypted email.

Design

The server cert-service-server loads up a certificate authority and listens on a socket. A client cert-service-client can connect to this socket and make a signing request. Using SO_PEERCRED the server decides if the client is allowed to have its certificate signed.

The peers communicate using a custom protocol based on ASN.1.

This is a proof of concept put together in an evening. The quality of the code reflects that.