RadCert is a tool for managing a Radmind server certificate authority. It can create the CA, add and remove certificates, and manage configuration. A graphical front-end is under construction, but the command line tool is very easy to use.
You will need to make sure the radcert command is installed before continuing. Please check the section regarding installation for more information about how to do this.
To set up a CA for use with Radmind, there are a number of options you may want to set (please see the usage section for information about the other options). Initially, you will need to run as root and specify any CA parameters, followed by "-s" to save them. For example:
$ sudo radcert -C NZ -O MyOrganization -H Radmind.MyOrganization.com -s
Saved configuration to /var/radmind/config.yml
$ sudo radcert -d
Hostname: "Radmind.MyOrganization.com"
RadmindPath: "/var/radmind"
SpecialPath: "/var/radmind/special"
CAPath: "/var/radmind/CA"
CAPublicKeyPath: "/var/radmind/CA/ca.pem"
ConfigPath: "/var/radmind/config.yml"
CertPath: "/var/radmind/cert"
Hostname: "Radmind.MyOrganization.com"
CertC: "NZ"
CertST: "Canterbury"
CertL: "Christchurch"
CertO: "MyOrganization"
CertOU: "IT Department"
These configuration settings need to be correct before setup, because they will be burned into the CA certificate. Please see the usage section for information about how to change all the different configuration settings.
Before you set up the CA, you will need to ensure the configuration is correct. Changing the configuration after you have generated the CA can cause issues with validating the certificates. To proceed with setup, run RadCert with the "--setup" option:
$ sudo radcert --setup
Initializing CA...
Making CA with hostname Radmind.MyOrganization.com
openssl req -new -x509 -days 10000 -keyout /var/radmind/CA/private/CAKey.pem -out /var/radmind/CA/ca.pem -nodes -newkey rsa:2048 -config /var/radmind/CA/Radmind.MyOrganization.com.cnf
Generating a 2048 bit RSA private key
...+++
................................................+++
writing new private key to '/var/radmind/CA/private/CAKey.pem'
-----
Creating certificate path
openssl req -new -keyout /var/radmind/CA/Radmind.MyOrganization.com-private.pem -out /var/radmind/CA/Radmind.MyOrganization.com-pub.pem -days 10000 -config /var/radmind/CA/Radmind.MyOrganization.com.cnf -nodes -batch
Generating a 2048 bit RSA private key
.....+++
.................+++
writing new private key to '/var/radmind/CA/Radmind.MyOrganization.com-private.pem'
-----
openssl ca -config /var/radmind/CA/Radmind.MyOrganization.com.cnf -batch -days 10000 -out /var/radmind/CA/Radmind.MyOrganization.com-signed.pem -infiles /var/radmind/CA/Radmind.MyOrganization.com-csr.pem
Using configuration from /var/radmind/CA/Radmind.MyOrganization.com.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NZ'
stateOrProvinceName   :PRINTABLE:'Canterbury'
localityName          :PRINTABLE:'Christchurch'
organizationName      :PRINTABLE:'MyOrganization'
organizationalUnitName:PRINTABLE:'IT Department'
commonName            :PRINTABLE:'Radmind.MyOrganization.com'
Certificate is to be certified until Jan  3 21:37:44 2036 GMT (10000 days)
Write out database with 1 new entries
Data Base Updated
Processing Certificate...
Added certificate Radmind.MyOrganization.com to /var/radmind/cert.
Setup certs in /var/radmind/special/Radmind.MyOrganization.com
ln -s /var/radmind/cert/Radmind.MyOrganization.com.pem /var/radmind/cert/cert.pem
ln -s /var/radmind/CA/ca.pem /var/radmind/cert/ca.pem
CA created successfully.
At this point, you now have a fully working CA for use with Radmind.
$ ls -la /var/radmind/CA
total 64
drwxr-xr-x  14 root  wheel   476 18 Aug 09:43 .
drwxr-xr-x   6 root  wheel   204 18 Aug 09:37 ..
-rw-r--r--   1 root  wheel  1659 18 Aug 09:37 ca.pem
drwxr-xr-x   2 root  wheel    68 18 Aug 09:37 certs
drwxr-xr-x   2 root  wheel    68 18 Aug 09:37 crl
-rw-r--r--   1 root  wheel   389 18 Aug 09:43 index.txt
-rw-r--r--   1 root  wheel    20 18 Aug 09:43 index.txt.attr
-rw-r--r--   1 root  wheel    20 18 Aug 09:43 index.txt.attr.old
-rw-r--r--   1 root  wheel   297 18 Aug 09:43 index.txt.old
drwxr-xr-x   6 root  wheel   204 18 Aug 09:43 newcerts
-rw-r--r--   1 root  wheel  2259 18 Aug 09:37 openssl.cnf
drwxr-xr-x   3 root  wheel   102 18 Aug 09:37 private
-rw-r--r--   1 root  wheel     3 18 Aug 09:43 serial
-rw-r--r--   1 root  wheel     3 18 Aug 09:43 serial.old
Once the CA is set up, adding certificates is very easy:
$ sudo radcert -a Desktop,Laptop,Office
openssl req -new -keyout /var/radmind/CA/Desktop-private.pem -out /var/radmind/CA/Desktop-pub.pem -days 10000 -config /var/radmind/CA/Desktop.cnf -nodes -batch
Generating a 2048 bit RSA private key
...................+++
...........................+++
writing new private key to '/var/radmind/CA/Desktop-private.pem'
-----
openssl ca -config /var/radmind/CA/Desktop.cnf -batch -days 10000 -out /var/radmind/CA/Desktop-signed.pem -infiles /var/radmind/CA/Desktop-csr.pem
Using configuration from /var/radmind/CA/Desktop.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NZ'
stateOrProvinceName   :PRINTABLE:'Canterbury'
localityName          :PRINTABLE:'Christchurch'
organizationName      :PRINTABLE:'MyOrganization'
organizationalUnitName:PRINTABLE:'IT Department'
commonName            :PRINTABLE:'Desktop'
Certificate is to be certified until Jan  3 21:43:20 2036 GMT (10000 days)
Write out database with 1 new entries
Data Base Updated
Processing Certificate...
Added certificate Desktop to /var/radmind/cert.
Setup certs in /var/radmind/special/Desktop
openssl req -new -keyout /var/radmind/CA/Laptop-private.pem -out /var/radmind/CA/Laptop-pub.pem -days 10000 -config /var/radmind/CA/Laptop.cnf -nodes -batch
Generating a 2048 bit RSA private key
.........................................+++
..+++
writing new private key to '/var/radmind/CA/Laptop-private.pem'
-----
openssl ca -config /var/radmind/CA/Laptop.cnf -batch -days 10000 -out /var/radmind/CA/Laptop-signed.pem -infiles /var/radmind/CA/Laptop-csr.pem
Using configuration from /var/radmind/CA/Laptop.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NZ'
stateOrProvinceName   :PRINTABLE:'Canterbury'
localityName          :PRINTABLE:'Christchurch'
organizationName      :PRINTABLE:'MyOrganization'
organizationalUnitName:PRINTABLE:'IT Department'
commonName            :PRINTABLE:'Laptop'
Certificate is to be certified until Jan  3 21:43:21 2036 GMT (10000 days)
Write out database with 1 new entries
Data Base Updated
Processing Certificate...
Added certificate Laptop to /var/radmind/cert.
Setup certs in /var/radmind/special/Laptop
openssl req -new -keyout /var/radmind/CA/Office-private.pem -out /var/radmind/CA/Office-pub.pem -days 10000 -config /var/radmind/CA/Office.cnf -nodes -batch
Generating a 2048 bit RSA private key
.................+++
..........+++
writing new private key to '/var/radmind/CA/Office-private.pem'
-----
openssl ca -config /var/radmind/CA/Office.cnf -batch -days 10000 -out /var/radmind/CA/Office-signed.pem -infiles /var/radmind/CA/Office-csr.pem
Using configuration from /var/radmind/CA/Office.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NZ'
stateOrProvinceName   :PRINTABLE:'Canterbury'
localityName          :PRINTABLE:'Christchurch'
organizationName      :PRINTABLE:'MyOrganization'
organizationalUnitName:PRINTABLE:'IT Department'
commonName            :PRINTABLE:'Office'
Certificate is to be certified until Jan  3 21:43:21 2036 GMT (10000 days)
Write out database with 1 new entries
Data Base Updated
Processing Certificate...
Added certificate Office to /var/radmind/cert.
Setup certs in /var/radmind/special/Office
We can see a list of certificates from the CA's index.txt file:
$ cat /var/radmind/CA/index.txt
V	360103213744Z		01	unknown	/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Radmind.MyOrganization.com
V	360103214320Z		02	unknown	/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Desktop
V	360103214321Z		03	unknown	/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Laptop
V	360103214321Z		04	unknown	/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Office
For each name we provide, radcert generates a certificate and the appropriate Radmind configuration. This command creates the following files:
It is generally impossible to remove a certificate from the CA. However, you can revoke its use by removing the certificate with RadCert:
$ sudo radcert -r Office
Removed certificate /var/radmind/cert/Office.pem.
Any Radmind client that uses this certificate will now fail.
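The index.txt listing above and the removal step are worth checking together: radcert -r deletes the certificate file under /var/radmind/cert, while the page notes that the certificate cannot be removed from the CA itself. The following Ruby script is an added example (not part of RadCert) that parses the OpenSSL CA database format radcert uses and reports certificates the CA still lists as valid but whose file is gone; the sample index lines are constructed from the page's listing plus one invented "R" (revoked) entry, and the installed-name list used when /var/radmind/cert is absent is likewise constructed.

```ruby
# Added example, not part of RadCert: audit the OpenSSL CA database that
# radcert maintains (index.txt) against the certificate files it installs.
# index.txt fields are tab-separated: status (V/R/E), expiry, revocation
# date (empty unless revoked), serial, file name, subject DN.

# Constructed sample: the four entries from the page's listing plus one
# invented "R" entry showing how a revoked certificate is recorded.
INDEX_SAMPLE = <<~TXT
  V\t360103213744Z\t\t01\tunknown\t/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Radmind.MyOrganization.com
  V\t360103214320Z\t\t02\tunknown\t/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Desktop
  V\t360103214321Z\t\t03\tunknown\t/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Laptop
  V\t360103214321Z\t\t04\tunknown\t/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=Office
  R\t360103214321Z\t250101120000Z\t05\tunknown\t/C=NZ/ST=Canterbury/O=MyOrganization/OU=IT Department/CN=OldLaptop
TXT

# OpenSSL writes UTCTime here: YYMMDDHHMMSSZ with a two-digit year (assumed 20xx).
def parse_ca_time(s)
  yy, mm, dd, hh, mi, ss = s.scan(/\d\d/).map(&:to_i)
  Time.utc(2000 + yy, mm, dd, hh, mi, ss)
end

def parse_index(text)
  text.each_line.map do |line|
    status, expires, revoked, serial, _file, dn = line.chomp.split("\t", 6)
    next if dn.nil?
    { status: status, serial: serial, dn: dn, cn: dn[%r{CN=([^/]+)}, 1],
      expires: parse_ca_time(expires),
      revoked_at: revoked.empty? ? nil : parse_ca_time(revoked) }
  end.compact
end

# Installed certificate names: every X.pem under cert_dir except the
# cert.pem / ca.pem symlinks that radcert --setup creates for the server.
def installed_names(cert_dir)
  Dir.glob(File.join(cert_dir, "*.pem")).map { |p| File.basename(p, ".pem") } - %w[cert ca]
end

# Certificates the CA still lists as valid (status V, not expired) whose
# file has been removed from cert_dir: index.txt is the only remaining record
# that they were issued, so they are reported separately for review.
def audit(entries, present, now: Time.now.utc)
  trusted = entries.select { |e| e[:status] == "V" && e[:expires] > now }
  { issued: entries.map { |e| e[:cn] },
    revoked: entries.select { |e| e[:status] == "R" }.map { |e| e[:cn] },
    trusted_but_missing: trusted.map { |e| e[:cn] } - present }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed fallback list (matches the page after "radcert -r Office").
  present = Dir.exist?("/var/radmind/cert") ? installed_names("/var/radmind/cert") : %w[Radmind.MyOrganization.com Desktop Laptop]
  audit(parse_index(INDEX_SAMPLE), present).each { |k, v| puts "#{k}: #{v.join(', ')}" }
end
```

On a real server, replace INDEX_SAMPLE with File.read("/var/radmind/CA/index.txt") to audit the live CA database.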
$ radcert --help
Usage: radcert [options]
This script is used to add and remove radmind certificates.
-p, --radmind=path The radmind path you want to use.
Default: /var/radmind
-a, --add=x,y,z List of names to add
-r, --rem=x,y,z List of names to remove
-g, --gen=x,y,z List of certificates to generate installation strings for
--setup Setup the server certificate. Specify the server hostname using -H
-C, --CertC=val Certificate Config; ISO Country Code
-S, --CertST=val Certificate Config; Province or State
-L, --CertL=val Certificate Config; City or Locality
-O, --CertO=val Certificate Config; Organization Name
-U, --CertOU=val Certificate Config; Organizational Unit
-H, --hostname=val CA Config; Server Hostname (CN)
A config file will allow this tool to be configured automatically.
-c, --config=path Specify the configuration file to use
Default: /var/radmind/config.yml
-s Save the config to the path specified
-d, --dump Show the current configuration
Help and Copyright information
--copy Display copyright information
-h, --help Show this help message.
--usage Show usage info
The source code is currently available in the Radmind Toolbox subversion repository, in the radcert subdirectory:
http://svn.oriontransfer.org/Scripting/RadmindToolbox/radcert/
The recommended way to install is to use the gem:
http://svn.oriontransfer.org/Scripting/RadmindToolbox/radcert/pkg/
Download the latest gem, and install it:
$ sudo gem install RadCert-x.x.x.gem