💾 Archived View for thrig.me › tech › ssl › minimum-ca.gmi captured on 2024-06-16 at 13:37:53. Gemini links have been rewritten to link to archived content

Minimal Viable Certificate Authority

This documentation assumes LibreSSL on OpenBSD 7.3; anything with OpenSSL should be similar, though how to best create certificates does vary over time. This is a simple test CA that lives in a directory. Season with security to taste.

minimum-ca.sh

This is perhaps too minimal, lacking revocation lists and whatnot, but a certificate (minca-test.cert) signed by the certificate authority can be verified against the CA certificate (minca.cert).

    $ sh minimum-ca.sh
    Generating RSA private key, 4096 bit long modulus
    ...
    $ tclsh8.6 pingpong.tcl minca.cert minca-test.cert minca-test.key
    SERVER listen 7169
    CLIENT localhost 7169 pinging
    SERVER client 127.0.0.1 3168
    SERVER ponging
    CLIENT server said: PONG 1681516486260
    CLIENT localhost 7169 pinging
    SERVER client 127.0.0.1 10954
    SERVER ponging
    CLIENT server said: PONG 1681516486787
    CLIENT localhost 7169 pinging
    SERVER client 127.0.0.1 17953
    SERVER ponging
    CLIENT server said: PONG 1681516487311

local-ca.gmi

index.gmi