What a great and creative name for an SSL Api!
First of all: if you want an API for signing and creating certificates, be aware that there is CFSSL, which also comes with an API and already has a large user base.
Why build something new, then? Well, I needed functionality that is not (yet) in CFSSL. Currently it is impossible to create certificates with multiple Organizations or OrganizationalUnits. Since I really needed that feature and because I really like writing stuff in Python, I decided to get into cryptography 'n stuff.
- Clone this repository

  ```
  $ git clone https://github.com/Crapworks/SSLApi.git
  $ cd SSLApi
  ```

- Install the dependencies

  ```
  $ pip install -r requirements.txt
  ```

- Edit `example-ca-csr.json` (this will become your CA) and run the following command:

  ```
  $ ./sslapi.py --bootstrap example-ca-csr.json | ./api2file.py --prefix ca
  ```

- Check `config.json` to see if the filenames match (if you used the exact command above, they should).

- Of course you can use your own CA if you already have one. Just enter the paths to your CA certificate and key in `config.json` and make sure these files are readable by the user you want SSLApi to run as.

- Start it up!

  ```
  $ ./sslapi.py
  ```

- Create your first certificate and key via SSLApi

  ```
  $ cat mycert.json
  {
    "profile": "server",
    "key": {
      "algorithm": "dsa",
      "key_size": 2048
    },
    "names": [
      {"commonName": "foobar.com"}
    ],
    "subject_alt_names": ["barfoo.com"]
  }
  $ curl -H 'content-type: application/json' -d @mycert.json localhost:8888/v1/x509/cert | ./api2file.py --prefix certfoo
  ```

- Verify that everything looks good:

  ```
  $ openssl x509 -in certfoo.pem -text
  ```

- Profit!!1
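Beyond eyeballing `openssl x509 -text`, the certificate the API hands back should be compared against what was actually requested (subject CN, SANs, key algorithm and size) and checked to chain to the CA you configured. The script below is an added example written for this README, not code from the SSLApi project; it uses the `cryptography` package the README depends on, builds a CA and leaf locally as stand-ins for the API output (constructed sample data), and its chain check assumes an RSA CA key. `make_cert`, `check_issued_cert` and `build_samples` are names chosen here.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import dsa, padding, rsa
from cryptography.x509.oid import NameOID
# Request body in the README's format (constructed sample mirroring mycert.json above).
REQUEST = {"profile": "server", "key": {"algorithm": "dsa", "key_size": 2048},
           "names": [{"commonName": "foobar.com"}], "subject_alt_names": ["barfoo.com"]}
def make_cert(subject_cn, sans, pubkey, issuer_cert, signer, ca=False):
    # Offline stand-in for the PEM the API would return (not SSLApi's own code).
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).public_key(pubkey)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + dt.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return b.sign(signer, hashes.SHA256())
def check_issued_cert(cert, ca_cert, request):
    problems = []  # empty list means the cert matches the request and chains to the CA
    cn = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cn != [request["names"][0]["commonName"]]:
        problems.append(f"CN mismatch: {cn}")
    try:
        sans = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    if sorted(sans) != sorted(request["subject_alt_names"]):
        problems.append(f"SAN mismatch: {sans}")
    key = cert.public_key()
    algo = "dsa" if isinstance(key, dsa.DSAPublicKey) else "rsa" if isinstance(key, rsa.RSAPublicKey) else "other"
    if (algo, key.key_size) != (request["key"]["algorithm"], request["key"]["key_size"]):
        problems.append(f"key mismatch: {algo}/{key.key_size}")
    if cert.issuer != ca_cert.subject:
        problems.append("issuer name differs from CA subject")
    try:  # chain check; assumes an RSA CA key (sha256WithRSAEncryption = PKCS#1 v1.5 padding)
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception as e:
        problems.append(f"signature does not verify with the CA key: {e}")
    return problems
def build_samples():
    # Constructed CA plus one conforming leaf and one self-signed leaf with an unrequested SAN.
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = make_cert("Example CA", [], ca_key.public_key(), None, ca_key, ca=True)
    leaf_key = dsa.generate_private_key(key_size=2048)
    good = make_cert("foobar.com", ["barfoo.com"], leaf_key.public_key(), ca_cert, ca_key)
    bad = make_cert("foobar.com", ["other.example"], leaf_key.public_key(), None, leaf_key)
    return ca_cert, good, bad
```

In practice you would load `ca.pem` and `certfoo.pem` with `x509.load_pem_x509_certificate` instead of calling `build_samples`, and feed the same JSON you sent to the API.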
Right now you can use SSLApi to:
- Create RSA/DSA/ECDSA keys
- Create fully customizable Certificate Signing Requests (CSR)
- Create self-signed certificates
- Create a CA-signed certificate/key bundle with one API call
- Bootstrap a CA to sign with
- Sign your own CSR via the remote CA
- Get the remote CA certificate
- Server-side profiles
- (Very) simple, token based authentication
That is planned for the near future, in case my time management doesn't suck too hard:
- Save generated certificates in a SQL backend (SQLAlchemy)
- Get stored certificates from the SQL backend via serial or subject
That is planned in case I get really bored:
- Certificate Revocation Lists (CRL)
- Support multiple CAs
- JWT authentication support
You just need Flask and Cryptography:

```
$ pip install -r requirements.txt
```

Currently you need an already created CA (certificate and key) to run most endpoints. Just edit `config.json` and enter the paths to your CA files. That's it! Now you can run it:

```
$ ./sslapi.py
 * Running on http://0.0.0.0:8888/ (Press CTRL+C to quit)
```
TBD