Skip to content
/ cactl Public

Create and maintain a Certificate Authority, manage it and export nginx, vpn configs at a high level, with no obscure crypto stuff

License

AGPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

lee-b/cactl

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
src/cactl
src/cactl
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

cactl

==== WIP ====

A simple command line certificate authority tool. This works at a very high level. Instead of creating keys and CSRs and certs, you define entities (root ca, server, client). Then you export the necessary configs for those entities, for whatever you need a config for (nginx, your web browser, your VPN client, etc.). At that point, the necessary certs are created automatically if they don't already exist, and you get a directory with the certs, keys, config files, and a README (or whatever suits the target system you're trying to configure). Simples.

This gives you simple, declarative idempotent ops, regardless of if/when a cert has already been generated, when it was generated and so on.

This tries to "do the right thing"(tm) as far as possible (choosing appropirate expiry times and key lengths for CA's vs. clients, for example), so that you don't need to worry about stuff like ciphers, key sizes, etc.

The principle we're following is secure by default, too simple to get it wrong, and making it so quick and easy so you'll enjoy using it, and find it better to do things correctly, rather than throwing together your own custom web server config with no TLS, for example.

Quickstart Example

cactl new-root-ca "My Root CA"
cactl new-intermediate-ca "My Intermediate CA"

cactl new-server "my.server.com"
cactl export my.server.com nginx configs/my_server/nginx/
cactl export my.server.com openvpn-server configs/my_server/openvpn/

cactl new-client "my mobile"
cactl export "my mobile" browser configs/my_mobile/browser/
cactl export "my mobile" openvpn-client configs/my_mobile/openvpn/

Quick install

  • Ensure that you have pipx installed (or use a venv if you know what you're doing)
  • Download the latest *.whl file from the github releases page for this project.
  • Install it with pipx install <path-to-whl> (or pip install, if you're using a venv and know what you're doing)

Build and install

To build install cactl from scratch, make sure you have Poetry installed, then run:

poetry build && pipx install dist/cactl-<version>.whl

License

GNU Affero General Public License, version 3 only. See LICENSE for the full text of that.

The LICENSE file is overrides anything I say here, but the gist is essentially that you can use this any way you like, except for trying to profit from it in weird, sneaky, one-sided ways.

Contributing

Contributors are welcome (as long as you're abiding by the LICENSE file with your contributions, of course).

  • The guts of the core key & certificate handling code is in src/catctl/db.py.
  • The main exporter code for different target configs (nginx, apache, VPNs, mail servers, etc.) is in src/cactl/exporters/.
  • The rest is mostly boilerplate/framework code that you won't need to (or should try not to) touch.

About

Create and maintain a Certificate Authority, manage it and export nginx, vpn configs at a high level, with no obscure crypto stuff

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages