
cam - minimal X509 Certification Authority management
=====================================================

`cam` is a tiny Python program that can be used to manage an X509
certification authority for a small organization. It can only create
server certificates, so it is not going to be useful for managing an
X509-based client authentication infrastructure.

The intended usage is to describe the list of certificates to generate
in a configuration file, and to use the `cam` tool to create and renew
them.


Configuration
-------------

The configuration file uses INI-like syntax, consisting of a number of
sections. There are two special sections: `ca` and `global`, any other
section is interpreted as a certificate definition.

The `ca` section contains the attributes of the CA itself; see the
example configuration file for the attributes that are supported.

The `global` section contains configuration parameters for `cam`. The
only configuration parameter supported is `root_dir`, which is where all
the CA private data will be stored. If you leave this parameter empty,
or if you don't define a `global` section at all, this will default to
the directory containing the configuration file.

Certificates are identified by a *tag* (the section name), so for
example, given the following configuration snippet::

    [web]
    cn = www.domain.org

you would use the following command to generate it::

    $ cam --config=my.config gen web

Certificates and private keys are saved within the CA data directory,
you can obtain their path with::

    $ cam --config=my.config files web
    /your/ca/dir/public/certs/web.pem
    /your/ca/dir/private/web.key
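
The following is an added example, not part of `cam` itself, that
implements the configuration rules described above: it parses the
INI-like file, treats `ca` and `global` as the two special sections,
applies the `root_dir` default (the directory containing the config
file) and derives the `public/certs/<tag>.pem` and `private/<tag>.key`
paths that `cam files` prints. The sample config text, the `mail` tag
and the `check_private_dir` permission check are assumptions for the
demo; the check is a hygiene test a practitioner would want, not a
guarantee the tool makes.

```python
"""Added example (not cam's own code): parse a cam-style config and
resolve where each certificate's files would live."""
import configparser
import os
import tempfile

# Constructed sample config mirroring the README's layout. The CA name
# and the `mail` tag are hypothetical values for the demo.
SAMPLE_CONFIG = """\
[ca]
cn = Example Org CA

[global]
root_dir =

[web]
cn = www.domain.org

[mail]
cn = mail.domain.org
"""

# Sections that are not certificate definitions.
SPECIAL_SECTIONS = ("ca", "global")


def parse_config(text, config_path):
    """Parse config text as cam would.

    Returns (root_dir, ca_attrs, certs) where certs maps tag -> attributes.
    root_dir falls back to the directory containing config_path when the
    `global` section is missing or leaves `root_dir` empty.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)

    root_dir = ""
    if parser.has_section("global"):
        root_dir = parser.get("global", "root_dir", fallback="").strip()
    if not root_dir:
        root_dir = os.path.dirname(os.path.abspath(config_path))

    ca_attrs = dict(parser.items("ca")) if parser.has_section("ca") else {}
    certs = {
        tag: dict(parser.items(tag))
        for tag in parser.sections()
        if tag not in SPECIAL_SECTIONS
    }
    return root_dir, ca_attrs, certs


def load_config(path):
    """Read a config file from disk and parse it."""
    with open(path) as fh:
        return parse_config(fh.read(), path)


def cert_files(root_dir, tag):
    """The (certificate, private key) paths reported by `cam files <tag>`."""
    return (
        os.path.join(root_dir, "public", "certs", tag + ".pem"),
        os.path.join(root_dir, "private", tag + ".key"),
    )


def check_private_dir(root_dir):
    """Assumed hygiene check (not something cam promises): the private/
    directory must not be group- or world-accessible. Returns None when
    the directory does not exist yet."""
    private = os.path.join(root_dir, "private")
    if not os.path.isdir(private):
        return None
    mode = os.stat(private).st_mode & 0o777
    return (mode & 0o077) == 0


def demo():
    """Write the sample config to a temp dir and exercise the helpers."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "my.config")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE_CONFIG)
        root_dir, ca_attrs, certs = load_config(cfg)
        private = os.path.join(root_dir, "private")
        os.makedirs(private)
        os.chmod(private, 0o700)  # explicit, so the umask cannot widen it
        return {
            "root_dir_is_config_dir":
                os.path.realpath(root_dir) == os.path.realpath(tmp),
            "ca_cn": ca_attrs.get("cn"),
            "tags": sorted(certs),
            "web_files": cert_files(root_dir, "web"),
            "private_ok": check_private_dir(root_dir),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running the script prints the resolved `root_dir`, the certificate tags
found (`mail`, `web`), the two paths for the `web` tag and whether the
`private/` directory has safe permissions.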


Installation
------------

The CA private keys are very sensitive information, so you'll want to
store them on some encrypted removable storage that is only mounted
while you are actually running `cam`. You can bundle the `cam`
application itself with the CA data by using `virtualenv`::

    $ virtualenv --no-site-packages /secure/cam
    $ virtualenv --relocatable /secure/cam
    $ (cd /tmp && git clone https://git.autistici.org/ai/cam.git \
       && cd cam && /secure/cam/bin/python setup.py install)

Note that `--no-site-packages` has been the default for a long time and
`--relocatable` was dropped in virtualenv 20, so with a recent
virtualenv create the environment with a plain `virtualenv /secure/cam`
and skip the second command; the environment will then only work at
the path it was created at, which is fine as long as the encrypted
image is always mounted at the same place.

Then you can simply mount your encrypted image on any machine with a
compatible Python interpreter available (same OS and architecture too)
and run::

    $ /secure/cam/bin/cam --config=/secure/ca/my.config ...