Certificate signing service

An ACME-like shell server certificate signing service.

A service that listens on a unix domain socket and signs certificate signing requests (CSRs). It verifies that the CSR's subject corresponds to the username of the connecting peer; a request for a certificate in another user's name is rejected. It also adds the user's email address as a SubjectAltName. The service is intended for client certificates.

Motivation

This was written with hashbang.sh in mind, an open-registration shell server. SSH keys are used for authenticating with hashbang.sh machines, but users might want to connect to services using TLS or send signed and/or encrypted email.

Design

The server cert-service-server loads a certificate authority and listens on a socket. A client cert-service-client can connect to this socket and make a signing request. Using SO_PEERCRED, which reports the pid, uid and gid of the process on the other end of a unix socket, the server decides whether the client is allowed to have its certificate signed.

The peers communicate using a custom protocol based on ASN.1.
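The authorization step above, as an added example that is not part of cert-service itself: the server side reads SO_PEERCRED from the unix socket, maps the uid to a login name, and signs only if the CSR's common name is exactly that login (the CSR parsing and the actual signing are left out; the mail domain and the socketpair-based demo are assumptions for illustration, and SO_PEERCRED is Linux-only).

```python
import os
import pwd
import socket
import struct

# Linux ucred layout: three ints (pid, uid, gid). Not portable to macOS/BSD.
_UCRED = struct.Struct("3i")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def authorize(csr_common_name, peer_uid, mail_domain):
    """Decide whether a CSR may be signed for the peer.

    Returns the email to place in SubjectAltName on success, or None to reject.
    The CSR is assumed already parsed; only its CN is needed here.
    """
    try:
        username = pwd.getpwuid(peer_uid).pw_name
    except KeyError:
        return None  # unknown uid: no local account to bind the cert to
    # Exact match only: the kernel-reported identity, not the CSR, is trusted.
    if not csr_common_name or csr_common_name != username:
        return None
    return f"{username}@{mail_domain}"


def demo(mail_domain="example.invalid"):
    """Run client and server ends on a socketpair (constructed demo) and
    return the decisions for the current user and for a forged CN."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        _pid, uid, _gid = peer_credentials(server)
        try:
            login = pwd.getpwuid(os.getuid()).pw_name
        except KeyError:
            login = None  # uid without a passwd entry (e.g. some containers)
        return {
            "login": login,
            "peer_uid_matches": uid == os.getuid(),
            "same_user": authorize(login, uid, mail_domain),
            "other_user": authorize("someone-else", uid, mail_domain),
        }
    finally:
        server.close()
        client.close()
```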

This is a proof of concept put together in an evening. The quality of the code reflects that.