easy-rsa alternative
Posted on 2015-December-30 in programming
Glad to announce that 2cca, the two-cent Certification Authority, has now been ported to pure C with libcrypto (OpenSSL) as its single dependency. The goal was to make it available on OpenWrt, as it seems pyOpenSSL is not available on this platform, at least not without a lot of effort.
As always, I swear this is the last time I ever link one of my sources against OpenSSL... until a replacement is made available.
Back to the point: you can now generate a Root CA, server, and client certificates to use with OpenVPN, with a couple of commands.
Download it from here:
https://github.com/nicolas314/2cca
Compile it with:
cc -o 2cca 2cca.c -lcrypto
Generate a root with e.g.:
2cca root O=Home CN=MyRootCA C=FR L=Paris email=postmaster@example.com
Your root is entirely defined by ca.crt and ca.key in the current directory. Its default duration is 10 years. Now that you have a root, you are going to use it to sign server and client certificates with e.g.:
2cca server CN=vpn.example.com C=FR L=Roubaix email=vpnmaster@example.com
2cca client CN=jdoe C=UK L=London email=jdoe@example.com duration=365
Your server identity is defined by vpn.example.com.crt and vpn.example.com.key. Your first client is jdoe.crt/jdoe.key.
You can verify certificates using openssl verify, e.g.:
openssl verify -CAfile ca.crt jdoe.crt
Certificate serial numbers are 128 bits long, which guarantees that they can be unique without having to keep track of an incremental index. Your certificate database is the current directory.
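Since the current directory is the certificate database and no index of issued serials is kept, the following added example (not part of 2cca or of the original post) reads the serialNumber field out of every *.crt file and reports any value that appears in more than one file. It assumes the .crt files are PEM-encoded; the function names are illustrative.

```python
import base64, collections, pathlib, re, sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def serial_of(der):
    """Return the serialNumber of a DER-encoded X.509 certificate as an int."""
    tag, pos, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = read_tlv(der, pos)       # tbsCertificate ::= SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version comes first
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:                        # serialNumber must be an INTEGER
        raise ValueError("serialNumber not found")
    return int.from_bytes(der[start:end], "big")

def audit(directory="."):
    """Map each serial number to the *.crt files (assumed PEM) that carry it."""
    seen = collections.defaultdict(list)
    for path in sorted(pathlib.Path(directory).glob("*.crt")):
        match = PEM_RE.search(path.read_bytes())
        if match is None:
            raise ValueError(f"{path.name}: no PEM certificate block")
        seen[serial_of(base64.b64decode(match.group(1)))].append(path.name)
    return dict(seen)

def duplicates(seen):
    """Keep only the serial numbers that appear in more than one file."""
    return {serial: names for serial, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    seen = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for serial, names in seen.items():
        print(f"{serial:032x}  {serial.bit_length():3d} bits  {', '.join(names)}")
    sys.exit(1 if duplicates(seen) else 0)
```

Run it from the directory holding ca.crt and the issued certificates; it exits non-zero when two files share a serial number.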
Enjoy!