Kioubit Trusted Certificate Authority

Signed by the DN42 CA

Automated Service

1) Install the client script which will request certificates from the server.

2) Run ./client-script.sh generate_keys, which creates an Ed25519 key-pair in ed-secret.pem and prints the public half as a "verify-key:..." line. Add only that verify-key line to your domain's remarks field in the registry; ed-secret.pem is the private key and must never leave your machine.

3) Generate a certificate signing request (CSR) using this command: openssl req -nodes -newkey rsa:4096 -keyout server.key -out request.csr -subj "/CN=your-domain.dn42" (the -nodes flag writes server.key unencrypted, so restrict its file permissions).

4) Configure the server.key file from the previous command in your webserver.

5) Run ./client-script.sh request to have your certificate signed. The script expects your domain name in a file named domain.txt and the CSR as request.csr in the current directory, next to ed-secret.pem.

6) Configure the signed.crt file from the request in your webserver.

Client script

#!/bin/bash
# Kioubit CA client: obtains a certificate signed by the DN42 CA for a domain.
# Sub-commands: request, print_publicKey, generate_keys (see print_usage).
set -e          # abort on any unhandled failure
set -u          # unset variables are errors
set -o pipefail # a failing pipeline stage fails the whole pipeline

# Address of the CA's signing service; performRequest talks to it over raw TCP.
server="172.20.14.43"

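# Print the public half of ed-secret.pem as base64-encoded DER (SubjectPublicKeyInfo).
# This is the value published in the registry as "verify-key:...".
# Exits 1 with a message on stderr when the keypair has not been generated yet.
function get_public_key() {
  if [ ! -f "ed-secret.pem" ]; then
    # stderr: every caller runs this inside $(...), so a stdout message would be
    # swallowed into the variable instead of being shown to the user.
    echo "Keypair not generated yet" >&2
    exit 1
  fi
  # An Ed25519 SPKI is 44 bytes -> 60 base64 characters, below base64's default
  # 76-column wrap, so this is always a single line.
  openssl pkey -in ed-secret.pem -pubout -outform DER | base64
}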

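# Create the Ed25519 signing key ed-secret.pem if it does not exist yet and
# print the public half in the form to paste into the domain's registry remarks.
# Idempotent: an existing key is left untouched and nothing is printed.
function generate_keys() {
    if [ ! -f "ed-secret.pem" ]; then
      echo "Generating new verify key"
      # The private key must stay private: create it owner-readable only,
      # regardless of the caller's umask (the subshell keeps the umask change local).
      ( umask 077 && openssl genpkey -algorithm Ed25519 -out ed-secret.pem )
      local publicKey
      publicKey=$(get_public_key)
      echo "Place this public key in your domain's remarks field: verify-key:${publicKey}"
    fi
}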

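# Check that a certificate returned by the CA certifies the key in our CSR.
# The certificate arrives over an unauthenticated TCP stream, so this is the
# one check that ties what gets installed to what was actually requested.
# Arguments: $1 - certificate file (PEM), $2 - CSR file (PEM)
# Returns: 0 when the public keys match, 1 otherwise (reason on stderr)
function cert_matches_csr() {
  local certKey csrKey
  certKey=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || {
    echo "Server response is not a parseable certificate" >&2
    return 1
  }
  csrKey=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || {
    echo "Unable to read the public key from '$2'" >&2
    return 1
  }
  if [ "$certKey" != "$csrKey" ]; then
    echo "Returned certificate does not match the key in '$2'" >&2
    return 1
  fi
  return 0
}

# Ask the CA to sign request.csr for the domain named in domain.txt.
#
# Wire protocol as implemented here (plain TCP to $server:8623, line oriented):
#   ->  domain name                                (one line)
#   ->  base64 DER Ed25519 public key              (one line; must equal the registry verify-key)
#   <-  10 raw bytes of challenge
#   ->  base64( Ed25519-sign(CSR || challenge) )   (one line)
#   ->  base64( CSR || challenge )                 (one line)
#   <-  one status byte, "0" on success, followed by the certificate or an error text
#
# Files read:    domain.txt, request.csr, ed-secret.pem (created if missing)
# Files written: signed.crt, on success only
# Exits non-zero with a message on stderr on any failure.
function performRequest() {
  generate_keys
  local publicKey
  publicKey=$(get_public_key)

  if [ ! -f "domain.txt" ]; then
    echo "Place your domain name in a file named 'domain.txt'" >&2
    exit 1
  fi

  if [ ! -f "request.csr" ]; then
    echo "Certificate signing request (CSR) missing. It needs to be present under the filename 'request.csr'" >&2
    echo "You can generate a CSR using this command:" >&2
    echo 'openssl req -nodes -newkey rsa:4096 -keyout server.key -out request.csr -subj "/CN=your-domain.dn42"' >&2
    exit 1
  fi

  local domainName
  domainName=$(cat domain.txt)
  # Strip stray whitespace/newlines so exactly one line goes on the wire
  domainName="${domainName//[$'\t\r\n']}"
  if [ -z "$domainName" ]; then
    echo "domain.txt is empty" >&2
    exit 1
  fi

  # Scratch files (challenge, signed blob, unverified certificate) live in a
  # private temp dir instead of the working directory: no predictable names,
  # and the trap removes them on every exit path, including failures.
  # Deliberately not 'local' so the EXIT trap can still see it after return.
  workDir=$(mktemp -d)
  trap 'rm -rf -- "$workDir"' EXIT

  exec 3<>/dev/tcp/"$server"/8623
  printf '%s\n' "$domainName" >&3
  printf '%s\n' "$publicKey" >&3

  head -c 10 <&3 > "$workDir/challenge"
  if [ "$(wc -c < "$workDir/challenge")" -ne 10 ]; then
    echo "Server closed the connection before sending a challenge" >&2
    exit 1
  fi

  # Sign CSR and challenge together; the challenge binds the signature to this session
  cat "request.csr" "$workDir/challenge" > "$workDir/toSign"
  openssl pkeyutl -sign -inkey ed-secret.pem -out "$workDir/ed-signature.bin" -rawin -in "$workDir/toSign"

  base64 -w 0 < "$workDir/ed-signature.bin" >&3
  echo >&3
  base64 -w 0 < "$workDir/toSign" >&3
  echo >&3

  local result
  result=$(head -c 1 <&3)
  if [ "$result" != "0" ]; then
    echo "Error:" >&2
    cat <&3 >&2
    exec 3>&-
    exit 1
  fi

  cat <&3 > "$workDir/signed.crt"
  exec 3>&-

  # Install nothing that whoever answered on the socket sent back unless it
  # certifies our own key.
  cert_matches_csr "$workDir/signed.crt" "request.csr" || exit 1

  mv -- "$workDir/signed.crt" signed.crt
  echo "Saved signed certificate to 'signed.crt'"
}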


# Print the list of accepted sub-commands to stdout.
function print_usage() {
    printf '%s\n' "Commands: request, print_publicKey, generate_keys"
}

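# Command dispatch. No argument prints usage and exits 0. An unknown command
# prints usage to stderr and exits 1, so a typo in an automated run (cron, CI)
# is not mistaken for a successful certificate request.
if [ -z "${1+x}" ]; then
    print_usage
    exit 0
fi

case "$1" in
  request)
    performRequest
    exit 0
    ;;

  print_publicKey)
    publicKey=$(get_public_key)
    echo "Place this public key in your domain's remarks field: verify-key:${publicKey}"
    exit 0
    ;;

  generate_keys)
    generate_keys
    exit 0
    ;;

  *)
    echo "Unknown command: $1" >&2
    print_usage >&2
    exit 1
    ;;
esac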