Giter Club home page Giter Club logo

minica's Introduction

minica

A Certificate Authority with RESTful interface and WEB UI

Home page

home

View CA detail

CA View

View Cert Detail

Cert View

With RESTful interface, you can manage certificate authority, request certs, get truststore, pkcs12, jks keystores in realtime, in a automated way.

You don't ever need to remember openssl command again, just run this service.

The project is written in Kotlin (supports Java 11 or newer), and Angular JS.

It is my first attempt with Front End Project.

This software is suitable for development & testing only, where you don't want to manage a microsoft Active Directory server for certificates.

It is purely built using openssl and java keytool (shipped with JDK). You need to have both installed in your system. Requirement:

openssl 1.0+
jdk 11+

Building the MiniCA RESTful service

$ git clone https://github.com/wushilin/minica.git
$ cd minica
$ ./gradlew clean bootJar

The executable jar is located at build/libs/minica-0.0.1-SNAPSHOT.jar

To run it,

Create a file named: application.properties like this:

openssl.path=/usr/bin/openssl <=points to your openssl
minica.root=/opt/minica <= point to a directory for all your CA certificates and issued certificates
keytool.path=/usr/local/bin/keytool <= point to your jdk keytool command
users.config=admin@adminpass:admin;user@password:viewer;invalid@invalid:invalid <= config the user access in username@password:role;username2@password2:role2 format. You can specify many users. The users will be using Basic authentication when talking to the RESTful service. The admin role users will be able to make changes (e.g. create/delete CA, request/delete certificates). The viewer will not able to do so, but viewer can download and view the certs without problem.
server.port=9988 <= default port is 8080, you may change it here

Start the service:

$ java -jar build/libs/minica-0.0.1-SNAPSHOT.jar --spring.config.location=./application.properties

Access the UI: Open your browser and access via http://host:9988

Login with your configure password.

Test the service:

$ curl -u "admin:adminpass" -vvvv -H "Content-Type: application/json"  -X PUT --data '{"commonName": "ABC CORP CA", "validDays": 7300, "countryCode":"SG", "organization":"ABC Corp CA", "state":"Singapore", "city":"Singapore", "organizationUnit":"Home Office", "digestAlgorithm":"SHA512", "keyLength": 4096 }' http://localhost:9988/ca/new

If you see something like this, that means your RESTful service is up.

{
	"base":"/opt/minica/CAs/d60f9bed-05e2-4fe3-b326-7ba6db0c94e0",
	"key":"-----BEGIN RSA PRIVATE KEY-----\n....\n-----END RSA PRIVATE KEY-----\n",
	"id":"d60f9bed-05e2-4fe3-b326-7ba6db0c94e0",
	"state":"Singapore",
	"cert":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
	"city":"Singapore",
	"keyFile":"/opt/minica/CAs/d60f9bed-05e2-4fe3-b326-7ba6db0c94e0/ca-key.pem",
	"subject":"/C=SG/ST=Singapore/L=Singapore/O=ABC Corp CA/OU=Home Office/CN=ABC CORP CA",
	"certFile":"/opt/minica/CAs/d60f9bed-05e2-4fe3-b326-7ba6db0c94e0/ca-cert.pem",
	"commonName":"ABC CORP CA",
	"countryCode":"SG",
	"organization":"ABC Corp CA",
	"validDays":7300,
	"organizationUnit":"Home Office",
	"digestAlgorithm":"SHA512",
	"keyLength":4096,
	"issueTime":1642263016206,
	"certCount":0
}

You may refer to the following URLs for interacting with the RESTfulservices endpoints.

admin = view/download + modify
viewer = view/download

All endpoints requires basic authentication with at least viewer. Modifications requires at least admin.

  1. Register new CA:
PUT /ca/new
Authorization: xxx

{
  "commonName": "ABC CORP CA",
  "validDays": 7300,
  "countryCode":"SG",
  "organization":"ABC Corp CA",
  "state":"Singapore",
  "city":"Singapore",
  "organizationUnit":"Home Office",
  "digestAlgorithm":"SHA512",
  "keyLength": 4096 
}

---
Requires admin role
  1. Listing all CAs:
GET /ca
Authorization: xxx

---
Requires viewer role
Note that each CA has an ID in json response, the ID is the unique identifier
  1. Get a single CA detail:
GET /ca/<ca-id>
Authorization: xxx

---
Requires viewer role
  1. Delete a CA
DELETE /ca/<ca-id>
Authorization: xxxxx

Note that delete CA will also delete all certs in that CA. The issued certs can still be used. 

---
Requires admin role
  1. List certs under CA
GET /ca/<ca-id>/cert
Authorization: xxx

---
Requires viwer role
Note certs have unique identifier. A cert is uniquely identifiable via a pair of ca-id, which identifies which ca, and cert-id, which identifies the cert.
  1. Request new cert under CA
PUT /ca/<ca-id>/new
Authorization: xxx

{
  "commonName": "acme.abc.com",
  "validDays": 7300,
  "email":"[email protected]",
  "countryCode":"SG",
  "organization":"Home",
  "state":"Singapore",
  "city":"Singapore",
  "organizationUnit":"home team",
  "digestAlgorithm":"SHA512",
  "keyLength": 4096,
  "dnsList": ["jumper.abc.com", "*.abc.com"],
  "ipList": ["192.168.44.1", "192.168.44.2"]
}

---
Requires admin role
  1. Get a cert detail
GET /ca/<ca-id>/cert/<cert-id>
Authorization: xxx

---
Requires viewer role
  1. Delete a cert from CA
DELETE /ca/<ca-id>/cert/<cert-id>
Authorization: xxx

---
Requires admin role
  1. Exporting All following requests required Authorization, and at least viewer permission.

Download CA Cert in PEM format

GET /ca/download/<ca-id>/cert
Authorization: xxx

---
Requires viewer role

Download CA Key in PEM format, unencrypted

GET /ca/download/<ca-id>/key
Authorization: xxx

---
Requires viewer role

Download CA Cert & Key pair in PKCS12, encrypted with the password below.

GET /ca/download/<ca-id>/pkcs12
Authorization: xxx

---
Requires viewer role

Download the truststore in JKS format, encrypted with the password below.

GET /ca/download/<ca-id>/truststore
Authorization: xxx

---
Requires viewer role

Download the keystore for pkcs12, keystore password, in text format

GET /ca/download/<ca-id>/password
Authorization: xxx

---
Requires viewer role

Renew certificate by X days

POST /ca/<ca-id>/cert/<cert-id>/<days>
Authorization: xxx

---
Requires admin role

Download everything about the cert in a zip file, include cert, csr, private key in PEM format, jks and pkcs12 keystore, jks truststore, ca cert in PEM, and all keystore passwords

GET /ca/download/<ca-id>/cert/<cert-id>/bundle
Authorization: xxx

---
Requires viewer role

Download the cert which is signed by the CA

GET /ca/download/<ca-id>/cert/<cert-id>/cert
Authorization: xxx

---
Requires viewer role

Download the CSR

GET /ca/download/<ca-id>/cert/<cert-id>/csr
Authorization: xxx

---
Requires viewer role

Download the key

GET /ca/download/<ca-id>/cert/<cert-id>/key
Authorization: xxx

---
Requires viewer role

Download the keystore in JKS, encrypted with the password below

GET /ca/download/<ca-id>/cert/<cert-id>/jks
Authorization: xxx

---
Requires viewer role

Download the keystore in PKCS12, encrypted with the password below

GET /ca/download/<ca-id>/cert/<cert-id>/pkcs12
Authorization: xxx

---
Requires viewer role

Download the keystore password

GET /ca/download/<ca-id>/cert/<cert-id>/password
Authorization: xxx

---
Requires viewer role

Download the truststore in jks. The truststore is from the CA

GET /ca/download/<ca-id>/cert/<cert-id>/truststore
Authorization: xxx

---
Requires viewer role

Download the trust store password. Trust store is from the CA, thus using a different password

GET /ca/download/<ca-id>/cert/<cert-id>/truststorePassword
Authorization: xxx

---
Requires viewer role

Building the UI service

NOTE: The UI is built and bundled in automatically. Use this only if you are keen to make the UI better.

  1. Install node and npm - steps skipped, node 16.10+

  2. Install angular js cli

$ npm install -g @angular/cli
$ npm install
  1. Edit the proxy configuration vim proxy.conf.js This proxies /ca to the endpoint of your RESTful service. If you changed your port above in RESTful service, please change accordingly here. If you run the RESTful service in another host, please remember to change the target host as well.
const PROXY_CONFIG = [
  {
    context: [
                 "/ca/"
    ],
    target: "http://localhost:9988/",
    changeOrigin: true,
    secure: false
  }
];

module.exports = PROXY_CONFIG;
  1. Starting the UI
$ ng serve --proxy-config proxy.conf.js --host 0.0.0.0 --configuration production
  1. Test Open your browser and access http://:4200. You will be prompted to login, enter the RESTful userid and password.

For the admin users, you can do everything. For viewer users, the modifications are prohibited.

Live demo

You can see a live demo at http://ca.wushilin.net:40000/

The login user (in username///password format):

  • Admin: admin///admin
  • Viewer: user///user

Note that Certificated Created in this Live Demo will be deleted after 30 days automatically

minica's People

Contributors

wushilin avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.