Mike 2e4ac8d4b0 Update README.md 5 years ago
.gitignore 25f02d36b9 Initial commit 5 years ago
LICENSE 1b88da8b18 Add new file 5 years ago
README.md 2e4ac8d4b0 Update README.md 5 years ago
cert_gen.py 92bcbd0e81 Added bits option 5 years ago
certs.py 92bcbd0e81 Added bits option 5 years ago
cli.py 92bcbd0e81 Added bits option 5 years ago
requirements.txt 3f617f728e Bug fixed and simplified requirements 5 years ago

README.md

Code from https://utilities.govroam.uk/certs for generating eduroam/Govroam SSL certs.

These certs are specifically designed to work well with eduroam/Govroam and include all the features required to ensure that as many clients as possible are compatible.

This is the command line version, which can be installed locally and run securely (it's not advisable to use the website for production as Jisc can't guarantee the security of the information entered or returned).

Install

git clone http://gitlab.perpetual.name/doctor/certgencli.git CertGenCLI

cd CertGenCLI

Either install the Python cryptography package

apt-get install python-cryptography

or

pip install -r requirements.txt

The latter doesn't appear to work too well on Debian.

Run

cli.py -c <Country> -s <State> -l <Location> -o <Organisation> -u <Organisation Unit> -n <CN> -r <CRLDP> -p <password> -d <Output Directory>

e.g.

cli.py -d /tmp -n fred.site.com -cGB -sWales -lCardiff -oSomewhere -uSomething -pakjdslfasd

This will create all the necessary certificates in /tmp

rootca.pem

server-cert.pem

server-key.pem

list.crl

root-key.pem

RootCA

To be installed on the client, as a trusted Root Certificate. If using the CAT, upload this when creating a profile and set the "Name (CN) of Authentication Server" to idp.westeros.zz. It can be pushed out to clients via a policy, downloaded in 'mobileconfig' files, or published on a web site.

Server Cert

To be installed on the RADIUS IdP. Put this, along with the Server Key below, on to your RADIUS server and configure as part of the EAP security. Do not install the above Root CA on the server.

Server Key

To be installed on the RADIUS IdP, as above.

CRL

Publish at the URL https://<cn>/list.crl. It should be accessible by all clients. Whilst it is not necessary for clients to authenticate, it reduces the risk of some clients rejecting the authentication.

RootCA Key

To be kept safe, along with the password used. It is required for any future server certificates, or to change the CRL.

Notes

You can check the certificates by running:

openssl x509 -noout -text -in <certname>

which will work for rootca.pem and server-cert.pem

openssl rsa -in <keyname> -check

which will work for server-key.pem and root-key.pem

openssl crl -noout -text -in <crlfile>

which will work for list.crl
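
The commands above print each file on its own; the script below is an added example (not part of CertGenCLI) that checks the generated files against each other: the server certificate chains to the Root CA, the server key matches the server certificate, and the CRL is signed by the Root CA. It assumes the file names listed above; KEY_PASS is a hypothetical environment variable used only if server-key.pem is encrypted.

```shell
#!/bin/sh
# Added example, not part of CertGenCLI. Assumes the file names this README
# lists. KEY_PASS is a hypothetical variable for an encrypted server key.

# server-cert.pem must chain to rootca.pem. Match on the "OK" line because
# some openssl versions exit 0 even when verification fails.
check_chain() {
    openssl verify -CAfile "$1/rootca.pem" "$1/server-cert.pem" 2>/dev/null |
        grep -q ': OK$'
}

# The public key inside server-cert.pem must be the one in server-key.pem,
# otherwise the RADIUS server cannot use the pair.
check_keypair() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/server-cert.pem" 2>/dev/null) || return 1
    key_pub=$(KEY_PASS="${KEY_PASS-}" openssl pkey -pubout \
        -in "$1/server-key.pem" -passin env:KEY_PASS 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# list.crl must be signed by rootca.pem. "openssl crl" reports the result on
# stderr and may still exit 0 on a bad signature, so match on the message.
check_crl() {
    openssl crl -noout -CAfile "$1/rootca.pem" -in "$1/list.crl" 2>&1 |
        grep -q 'verify OK'
}

# Run every check against one output directory; non-zero if any check fails.
verify_cert_set() {
    rc=0
    for check in check_chain check_keypair check_crl; do
        if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
    done
    return "$rc"
}

# Usage: sh verify_certs.sh /tmp
if [ -n "${1-}" ]; then verify_cert_set "$1"; fi
```

A FAIL on check_keypair after re-issuing a server certificate usually means the old key file was left in place on the RADIUS server.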

The default password is 'something'.