palw3ey/ye3cert

By palw3ey

Updated over 1 year ago

A CA server based on Openssl and Alpine, below 20 Mb. With CRL, OCSP and HTTP server. GNS3 ready.

Image
Security
0

813

palw3ey/ye3cert repository overview

ye3cert

An image certificate authority server based on Openssl and Alpine, for creating and managing certificates. Light server, below 20 Mb. Including CRL, OCSP and HTTP server. GNS3 ready.

The /data folder is persistent.

Simple usage

docker run -dt --name mycert \
  -e TZ=America/Cayenne -e Y_IP_CHECK_PUBLIC=yes -e Y_TEST_CLIENT_CREATE=yes -e Y_HTTP_SHARE_CERT=yes \
  -e Y_HTTP_PORT=8091 -e Y_HTTP_PORT_SECURE=8092 -e Y_OCSP_PORT=8093 -p 8091-8093:8091-8093 \
  ghcr.io/palw3ey/ye3cert:latest

Test

# Show the management actions :
docker exec -it mycert yee

# Show the log :
docker logs mycert

# Get the ip adress and open a web browser : http://IP:8091 or https://IP:8092
# the certificate files will be displayed, and available for download.

HOWTOs

  • Check CRL and OCSP on Windows
:: download the CA
curl -o %USERPROFILE%\Downloads\cacert.crt http://IP:8091/cacert.crt

:: import the CA
explorer %USERPROFILE%\Downloads\cacert.crt
:: or in admin : certutil -f -addstore root %USERPROFILE%\Downloads\cacert.crt

:: GUI, click "Retrieve"
certutil -URL http://IP:8091/crl

:: CLI, should display at the end : "Leaf certificate revocation check passed"
certutil -f –urlfetch -verify "%USERPROFILE%\Downloads\tux1-cert.crt"

:: View CRL and OCSP cache
certutil -urlcache *

:: Clear CRL and OCSP cache
certutil -urlcache * delete
:: In admin : certutil -setreg chain\ChainCacheResyncFiletime @now

:: Check errors in Windows Event Viewer : Custom > Administrative Events

  • Import p12 on Windows
certutil -f -user -enterprise -p 1234 -importpfx "%USERPROFILE%\Downloads\tux1-cert.p12"
  • Show a base64 certificate in the terminal, eg: tux1 :
docker exec -it mycert yee --action=pem --prefix=tux1
  • Browse the ssl folder from the host :
# sudo is required
ls $(docker inspect mycert -f '{{range .Mounts}}{{ if eq .Type "volume" }}{{println .Source }}{{ end }}{{end}}')/ssl
  • Add a client certificate, with a filename prefix : tux2
# connect to the container
docker exec -it mycert sh 

# use the management script
yee --action=add \
  --prefix=tux2 \
  --cn=pc2.test.lan \
  --password=1234 \
  --revo=yes \
  --san=DNS.1:pc2.test.lan,IP.1:12.168.9.32,IP.2:10.2.9.32

# To leave, type : exit, or use the escape sequence : Ctrl+P and next Ctrl+Q
  • Use your host Let's Encrypt certificates for HTTPS on 8443 port
docker run -dt --name mycert \
  -e TZ=America/Montreal -e Y_IP_CHECK_PUBLIC=yes -e Y_HTTP_SHARE_CERT=yes \
  -e Y_HTTP_PORT_SECURE=8443 -p 8443:8443 \
  -v /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem:/data/fullchain.pem \
  -v /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem:/data/privkey.pem \
  ghcr.io/palw3ey/ye3cert:latest

GNS3

To run through GNS3, download and import the appliance : ye3cert.gns3a

Environment Variables

These are the env variables and their default values.

variablesformatdefaultdescription
TZtextEurope/ParisTime zone. The list is in the folder /usr/share/zoneinfo
Y_LANGUAGEtextfr_FRLanguage. The list is in the folder /i18n/
Y_DEBUGyes/nonoyes, to show more messages
Y_IPIP addressif not set, will attempt to detect and use the public ip address otherwise the first local ip addressServer IP address
Y_IP_CHECK_PUBLICyes/nonoyes, to retrieve the public IP
Y_IP_CHECK_URLurlhttp://whatismyip.akamai.comUrl that curl will use to retrieve the public IP
Y_IP_CHECK_URL_TIMEOUTinteger5this is the -m option in curl : Maximum time allowed, in second
Y_CRED_EXPORTpath/data/ssl/credpath to the file where the certificate passwords are saved
Y_HTTPyes/noyesyes, enable http/https server
Y_HTTP_SHARE_CERTyes/nonoyes, to show certs files in the http server directory listing
Y_HTTP_SHARE_FOLDERfolder path/data/ssl/wwwhttp server directory listing path
Y_HTTP_PORTport number80http port
Y_HTTP_PORT_SECUREport number443https port
Y_CRLyes/noyesyes, to enable CRL update service
Y_CRL_CRONDtext*/15 * * * *scheduling, with crontab syntax
Y_CRL_SEC_NEXTinteger2678400openssl-ca -crlsec parameter : The number of seconds before the next CRL is due
Y_OCSPyes/noyesyes, to enable OCSP service
Y_OCSP_PORTport number8080OCSP port
Y_KEY_SIZEinteger2048private key size
Y_DAYSnumber3650CA, How long to certify for
Y_DAYS_CLIENTnumber365Client, how long to certify for
Y_KEY_USAGEtext"nonRepudiation, digitalSignature, keyEncipherment"Key usage for a client certificate
Y_EXTENDED_KEY_USAGEtext"serverAuth, clientAuth"Extended key usage for a client certificate
Y_CA_PASSpasswordcaThe password to use for the ca key
Y_DNSurl addressif not set, will use the external domain, or hostnameThe server domain address
Y_CNtextif not set, will use Y_IPThe server common name
Y_COUNTRY_NAMETwo letter country codeFRThe server country name, 2 letter code
Y_STATE_OR_PROVINCE_NAMEtextIle-de-FranceThe server state or province name
Y_LOCALITY_NAMEtextParisThe server locality name
Y_ORGANIZATION_NAMEtextTestThe server Organization Name
Y_ORGANIZATIONAL_UNIT_NAMEtextWebThe server organizational unit name
Y_EMAIL_ADDRESSemail address[email protected]The server email address
Y_RANDOM_CLIENTintegerNumber of random client to create
Y_RANDOM_CLIENT_REVOyes/noyesRandom client, yes, to include the revocation URL in the certificate
Y_RANDOM_CLIENT_DAYSinteger731Random client, How long to certify for
Y_TEST_CLIENT_CREATEyes/nonoTest client, yes, to create a test client
Y_TEST_CLIENT_PREFIXfilenametux1Test client, filename prefix, result: (prefix-cert.pem)
Y_TEST_CLIENT_CNtextpc1.test.lanTest client, CN for the client certificate
Y_TEST_CLIENT_PASSWORDpassword1234Test client, password of the p12 file
Y_TEST_CLIENT_REVOyes/noyesTest client, yes, to include the revocation URL in the certificate
Y_TEST_CLIENT_DAYSinteger31Test client, How long to certify for
Y_TEST_CLIENT_SANtextDNS.1:pc1.my.net,IP.1:192.168.1.10Test client, san (Subject Alternative Name)

Compatibility

The docker image was compiled to work on these CPU architectures :

  • linux/386
  • linux/amd64
  • linux/arm/v6
  • linux/arm/v7
  • linux/arm64
  • linux/ppc64le
  • linux/s390x

Work on most computers including Raspberry Pi

Build

To customize and create your own images.

git clone https://github.com/palw3ey/ye3cert.git
cd ye3cert
# Make all your modifications, then :
docker build --no-cache --network=host -t ye3cert .
docker run -dt --name my_customized_cert ye3cert

Documentation

OpenSSL man page
openSSL-ca man page
lighttpd man page

Version

nameversion
ye3cert2.0.0
openssl3.3.2
lighttpd1.4.76
alpine3.20.3

ToDo

  • need to document env variables (2023-12-23)
  • add more translation files in i18n folder. Contribute ! Send me your translations by mail ;)

Don't hesitate to send me your contributions, issues, improvements on github or by mail.

License

MIT
author: palw3ey
maintainer: palw3ey
email: [email protected]
website: https://github.com/palw3ey/ye3cert
docker hub: https://hub.docker.com/r/palw3ey/ye3cert

Tag summary

Content type

Image

Digest

sha256:ec0b416fe

Size

9.3 MB

Last updated

over 1 year ago

docker pull palw3ey/ye3cert:2.0.0