heracles init
heracles generate-server-ca
heracles generate-client-ca
heracles unlock-server-ca
// Removes the password from `server/ca.key`.
// - ensures path is in .gitignore
// - touches file at path, chowns to root:root, chmods to 400
// - writes unlocked key to `server/ca.unlocked.key`
heracles add-host logs.example.com
heracles remove-host logs.example.com
heracles add-user mortal@example.com
// Generates a certificate / key pair for a user.
// - ensures `client/users/mortal@example.com.key` is in .gitignore
// - generates client key
// - generates temporary CSR
// - signs temporary CSR with the client CA key, producing client certificate `client/users/mortal@example.com.crt`
// - updates `client/trusted-users` with client certificate
// - signs `client/trusted-users` with signing key
// - commits to repository "Added 'mortal@example.com' client certificate."
heracles remove-user mortal@example.com
config
client/
ca.key
ca.crt
trusted-users
trusted-users.sig
users/
mortal@example.com.crt
server/
ca.key
ca.crt
hosts/
logs.example.com.crt
; heracles config: key parameters for the client and server CAs.
; Key sizes are presumably RSA modulus lengths in bits (cf. `openssl genrsa ... 4096`
; in the script below) — confirm against the heracles implementation.
[client]
; size of the client CA key (presumably used by `heracles generate-client-ca`)
ca_key_size = 4096
; size of each per-user key (presumably used by `heracles add-user`)
user_key_size = 2048
; id of the signing key that signs `client/trusted-users` (value here is a placeholder)
signing_key_id = ABCDEF
[server]
; size of the server CA key (presumably used by `heracles generate-server-ca`)
ca_key_size = 4096
; size of each per-host key (presumably used by `heracles add-host`)
host_key_size = 2048
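# Generates a private CA plus one server and one client certificate, then
# exports the client identity and the CA certificate in iOS-loadable formats.
# Interactive: openssl prompts for key passphrases and certificate subjects.
# Key sizes follow the `ca_key_size` / `host_key_size` / `user_key_size`
# values in the [client]/[server] config above.
set -eu

# RSA key sizes in bits and certificate lifetime in days.
CA_KEY_BITS=4096
LEAF_KEY_BITS=2048
DAYS=365

# Create the CA Key and Certificate for signing Client Certs.
# -aes256 replaces the legacy -des3 for encrypting the private key at rest.
openssl genrsa -aes256 -out ca.key "$CA_KEY_BITS"
openssl req -new -x509 -days "$DAYS" -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate.
# Leaf keys are 2048 bits; 1024-bit RSA is below current minimums and would
# disagree with host_key_size in the config.
openssl genrsa -aes256 -out server.key "$LEAF_KEY_BITS"
openssl req -new -key server.key -out server.csr
# The server cert is issued by our own private CA, which clients trust only
# once ca.crt is installed; production servers should use a publicly trusted CA.
# -CAcreateserial keeps a serial counter in ca.srl so the server and client
# certificates get distinct serial numbers — a CA must never issue two
# certificates with the same serial.
openssl x509 -req -days "$DAYS" -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# Create the Client Key and CSR.
openssl genrsa -aes256 -out client.key "$LEAF_KEY_BITS"
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert; a private CA is the right
# issuer for client certificates. Reuses ca.srl for the next serial number.
openssl x509 -req -days "$DAYS" -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

# Convert the client certificate and CA certificate to a format that can be loaded on iOS.
# The .p12 bundles the client private key; openssl prompts for an export
# password — do not leave it empty.
openssl pkcs12 -export -out Lithium.p12 -inkey client.key -in client.crt
openssl x509 -in ca.crt -out ca.der -outform DER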