A CA server based on Openssl and Alpine, below 20 Mb. With CRL, OCSP and HTTP server. GNS3 ready.
813
An image certificate authority server based on Openssl and Alpine, for creating and managing certificates. Light server, below 20 Mb. Including CRL, OCSP and HTTP server. GNS3 ready.
The /data folder is persistent.
docker run -dt --name mycert \
-e TZ=America/Cayenne -e Y_IP_CHECK_PUBLIC=yes -e Y_TEST_CLIENT_CREATE=yes -e Y_HTTP_SHARE_CERT=yes \
-e Y_HTTP_PORT=8091 -e Y_HTTP_PORT_SECURE=8092 -e Y_OCSP_PORT=8093 -p 8091-8093:8091-8093 \
ghcr.io/palw3ey/ye3cert:latest
# Show the management actions :
docker exec -it mycert yee
# Show the log :
docker logs mycert
# Get the ip adress and open a web browser : http://IP:8091 or https://IP:8092
# the certificate files will be displayed, and available for download.
:: download the CA
curl -o %USERPROFILE%\Downloads\cacert.crt http://IP:8091/cacert.crt
:: import the CA
explorer %USERPROFILE%\Downloads\cacert.crt
:: or in admin : certutil -f -addstore root %USERPROFILE%\Downloads\cacert.crt
:: GUI, click "Retrieve"
certutil -URL http://IP:8091/crl
:: CLI, should display at the end : "Leaf certificate revocation check passed"
certutil -f –urlfetch -verify "%USERPROFILE%\Downloads\tux1-cert.crt"
:: View CRL and OCSP cache
certutil -urlcache *
:: Clear CRL and OCSP cache
certutil -urlcache * delete
:: In admin : certutil -setreg chain\ChainCacheResyncFiletime @now
:: Check errors in Windows Event Viewer : Custom > Administrative Events
certutil -f -user -enterprise -p 1234 -importpfx "%USERPROFILE%\Downloads\tux1-cert.p12"
docker exec -it mycert yee --action=pem --prefix=tux1
# sudo is required
ls $(docker inspect mycert -f '{{range .Mounts}}{{ if eq .Type "volume" }}{{println .Source }}{{ end }}{{end}}')/ssl
# connect to the container
docker exec -it mycert sh
# use the management script
yee --action=add \
--prefix=tux2 \
--cn=pc2.test.lan \
--password=1234 \
--revo=yes \
--san=DNS.1:pc2.test.lan,IP.1:12.168.9.32,IP.2:10.2.9.32
# To leave, type : exit, or use the escape sequence : Ctrl+P and next Ctrl+Q
docker run -dt --name mycert \
-e TZ=America/Montreal -e Y_IP_CHECK_PUBLIC=yes -e Y_HTTP_SHARE_CERT=yes \
-e Y_HTTP_PORT_SECURE=8443 -p 8443:8443 \
-v /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem:/data/fullchain.pem \
-v /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem:/data/privkey.pem \
ghcr.io/palw3ey/ye3cert:latest
To run through GNS3, download and import the appliance : ye3cert.gns3a
These are the env variables and their default values.
| variables | format | default | description |
|---|---|---|---|
| TZ | text | Europe/Paris | Time zone. The list is in the folder /usr/share/zoneinfo |
| Y_LANGUAGE | text | fr_FR | Language. The list is in the folder /i18n/ |
| Y_DEBUG | yes/no | no | yes, to show more messages |
| Y_IP | IP address | if not set, will attempt to detect and use the public ip address otherwise the first local ip address | Server IP address |
| Y_IP_CHECK_PUBLIC | yes/no | no | yes, to retrieve the public IP |
| Y_IP_CHECK_URL | url | http://whatismyip.akamai.com | Url that curl will use to retrieve the public IP |
| Y_IP_CHECK_URL_TIMEOUT | integer | 5 | this is the -m option in curl : Maximum time allowed, in second |
| Y_CRED_EXPORT | path | /data/ssl/cred | path to the file where the certificate passwords are saved |
| Y_HTTP | yes/no | yes | yes, enable http/https server |
| Y_HTTP_SHARE_CERT | yes/no | no | yes, to show certs files in the http server directory listing |
| Y_HTTP_SHARE_FOLDER | folder path | /data/ssl/www | http server directory listing path |
| Y_HTTP_PORT | port number | 80 | http port |
| Y_HTTP_PORT_SECURE | port number | 443 | https port |
| Y_CRL | yes/no | yes | yes, to enable CRL update service |
| Y_CRL_CROND | text | */15 * * * * | scheduling, with crontab syntax |
| Y_CRL_SEC_NEXT | integer | 2678400 | openssl-ca -crlsec parameter : The number of seconds before the next CRL is due |
| Y_OCSP | yes/no | yes | yes, to enable OCSP service |
| Y_OCSP_PORT | port number | 8080 | OCSP port |
| Y_KEY_SIZE | integer | 2048 | private key size |
| Y_DAYS | number | 3650 | CA, How long to certify for |
| Y_DAYS_CLIENT | number | 365 | Client, how long to certify for |
| Y_KEY_USAGE | text | "nonRepudiation, digitalSignature, keyEncipherment" | Key usage for a client certificate |
| Y_EXTENDED_KEY_USAGE | text | "serverAuth, clientAuth" | Extended key usage for a client certificate |
| Y_CA_PASS | password | ca | The password to use for the ca key |
| Y_DNS | url address | if not set, will use the external domain, or hostname | The server domain address |
| Y_CN | text | if not set, will use Y_IP | The server common name |
| Y_COUNTRY_NAME | Two letter country code | FR | The server country name, 2 letter code |
| Y_STATE_OR_PROVINCE_NAME | text | Ile-de-France | The server state or province name |
| Y_LOCALITY_NAME | text | Paris | The server locality name |
| Y_ORGANIZATION_NAME | text | Test | The server Organization Name |
| Y_ORGANIZATIONAL_UNIT_NAME | text | Web | The server organizational unit name |
| Y_EMAIL_ADDRESS | email address | [email protected] | The server email address |
| Y_RANDOM_CLIENT | integer | Number of random client to create | |
| Y_RANDOM_CLIENT_REVO | yes/no | yes | Random client, yes, to include the revocation URL in the certificate |
| Y_RANDOM_CLIENT_DAYS | integer | 731 | Random client, How long to certify for |
| Y_TEST_CLIENT_CREATE | yes/no | no | Test client, yes, to create a test client |
| Y_TEST_CLIENT_PREFIX | filename | tux1 | Test client, filename prefix, result: (prefix-cert.pem) |
| Y_TEST_CLIENT_CN | text | pc1.test.lan | Test client, CN for the client certificate |
| Y_TEST_CLIENT_PASSWORD | password | 1234 | Test client, password of the p12 file |
| Y_TEST_CLIENT_REVO | yes/no | yes | Test client, yes, to include the revocation URL in the certificate |
| Y_TEST_CLIENT_DAYS | integer | 31 | Test client, How long to certify for |
| Y_TEST_CLIENT_SAN | text | DNS.1:pc1.my.net,IP.1:192.168.1.10 | Test client, san (Subject Alternative Name) |
The docker image was compiled to work on these CPU architectures :
Work on most computers including Raspberry Pi
To customize and create your own images.
git clone https://github.com/palw3ey/ye3cert.git
cd ye3cert
# Make all your modifications, then :
docker build --no-cache --network=host -t ye3cert .
docker run -dt --name my_customized_cert ye3cert
OpenSSL man page
openSSL-ca man page
lighttpd man page
| name | version |
|---|---|
| ye3cert | 2.0.0 |
| openssl | 3.3.2 |
| lighttpd | 1.4.76 |
| alpine | 3.20.3 |
Don't hesitate to send me your contributions, issues, improvements on github or by mail.
MIT
author: palw3ey
maintainer: palw3ey
email: [email protected]
website: https://github.com/palw3ey/ye3cert
docker hub: https://hub.docker.com/r/palw3ey/ye3cert
Content type
Image
Digest
sha256:ec0b416fe…
Size
9.3 MB
Last updated
over 1 year ago
docker pull palw3ey/ye3cert:2.0.0