Utilities: buildcert - manage SSL certificates

A large deployment of SSL certificates and private keys must be managed, and doing so taxes an organization's time and resources. Managing multiple SSL certificates with differing expiration dates, issued at different times, requires timely administration.
Utilities buildcert supports your certificate management by monitoring all SSL certificates deployed across your network and automating a number of key processes:

  • Management from buildcert via issuance, revocation and renewal of certificates
  • SSL certificate requests
  • SSL certificate approval and workflow
  • SSL certificate expiration monitoring and notification from the ipset-ng server, which automates the certificate lifecycle through an on-demand security solution accessed via this utility.

The ipset-ng solution centrally controls certificate provisioning and can be tailored to work with your organization's existing certificates.

Command line options - buildcert


    #/usr/bin/buildcert.sh

    This is part from ipset-ng access system
    Generate SSL certificates and key

        usage create: ./buildcert.sh [ --server-ng | --client-ng ] [ IP address ]
        usage revoke: ./buildcert.sh [ --delete-ng | --undelete-ng ] [ serial num certificate ]
        usage update: ./buildcert.sh [ --updatecrl-ng ]
        usage list:   ./buildcert.sh [ --list-ng ]


Manually creating the CA root and server certificates. Normally these certificates and keys are generated automatically when the ipset-ng server part is compiled.
If you want to regenerate the root and server certificates, you first need to remove the previous certificates and keys.
Run the following command:

rm -fr /etc/ipset-ng/ssl

then run:

./buildcert.sh --server-ng

This command creates a new directory and generates the root certificate and key, and the server certificate and key.
Server certificate location and name: /etc/ipset-ng/ssl/cert.server.pem & /etc/ipset-ng/ssl/key.server.pem
Because the first client certificate is created without reference to an IP address, it can be used on the same computer.

To create a client certificate with reference to the IP address, run the following command:

./buildcert.sh --client-ng 1.2.3.4

This creates a client certificate bound to IP address 1.2.3.4; the certificate and key are placed in /etc/ipset-ng/ssl under the names cert.1.2.3.4.pem and key.1.2.3.4.pem.
CA root certificate name: /etc/ipset-ng/ssl/cert.ca.pem

To delete a client certificate, you must know its serial number. The certificate serial numbers, with the IP address each is bound to, can be listed with the following command:

./buildcert.sh --list-ng

Now that we know the serial number of the client certificate, suppose it is 02.
To delete (revoke) the client certificate, issue the following command:

./buildcert.sh --delete-ng 02

To recover a deleted client certificate, issue the following command:

./buildcert.sh --undelete-ng 02

The CRL (revocation list) requires periodic updates. The refresh period is specified in the OpenSSL configuration file /etc/ipset-ng/ssl/sslserver.config and is defined by the parameter default_crl_days. In the ipset-ng access control system this period is 7 days; you can change it at your own discretion.
Update the CRL file with the following command:

./buildcert.sh --updatecrl-ng

For automatic updates, it is reasonable to install this command as a cron job:

crontab <ipset-ng-src-dir>/misc/startup/updatecrl.cron

// command in file updatecrl.cron
// 59 23 * * 0 /usr/bin/buildcert.sh --updatecrl-ng

To check that it was installed in the cron service, type:

crontab -l

Alternatively, use the automatic CRL update feature by setting the directive sslcrlauto in the configuration file to the value yes.
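As an added example (not part of ipset-ng or buildcert), the following Python script checks whether the cron schedule for --updatecrl-ng keeps pace with default_crl_days. OpenSSL sets the CRL's nextUpdate to thisUpdate plus default_crl_days, so if the longest interval between two cron runs is not shorter than that value, a late or skipped run leaves clients with an expired CRL, which OpenSSL's -crl_check verification rejects. With the shipped weekly schedule and the 7-day default the margin is exactly zero. The cron line and OpenSSL config text below are constructed samples, and the supported cron syntax is deliberately limited to the simple form used in updatecrl.cron.

```python
"""
Check that the CRL refresh schedule keeps pace with default_crl_days.

Added example, not part of ipset-ng or buildcert. It assumes:
  - the CRL is regenerated by a cron job such as the one in
    misc/startup/updatecrl.cron ("59 23 * * 0 /usr/bin/buildcert.sh --updatecrl-ng"),
  - the OpenSSL config sets default_crl_days, which OpenSSL uses as the
    distance between thisUpdate and nextUpdate in the generated CRL.
Only simple cron lines are supported: fixed minute and hour, '*' for
day-of-month and month, and '*' or a comma list of numbers for day-of-week.
"""
import re
from typing import List, Optional

DAYS_PER_WEEK = 7


def parse_default_crl_days(config_text: str) -> Optional[int]:
    """Return the default_crl_days value from an OpenSSL config, or None if absent."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^default_crl_days\s*=\s*(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return None


def parse_cron_dow(cron_line: str) -> List[int]:
    """Return the sorted day-of-week values (0-6, Sunday=0) a simple cron line runs on."""
    fields = cron_line.split()
    if len(fields) < 6:
        raise ValueError("expected '<min> <hour> <dom> <month> <dow> <command>'")
    minute, hour, dom, month, dow = fields[:5]
    if not (minute.isdigit() and hour.isdigit() and dom == "*" and month == "*"):
        raise ValueError("only fixed minute/hour with '*' day-of-month and month are supported")
    if dow == "*":
        return list(range(DAYS_PER_WEEK))
    # cron accepts both 0 and 7 for Sunday; fold 7 onto 0
    return sorted({int(d) % DAYS_PER_WEEK for d in dow.split(",")})


def max_gap_days(run_days: List[int]) -> int:
    """Longest interval in days between two consecutive runs of a weekly schedule."""
    if len(run_days) == 1:
        return DAYS_PER_WEEK
    gaps = [b - a for a, b in zip(run_days, run_days[1:])]
    gaps.append(run_days[0] + DAYS_PER_WEEK - run_days[-1])  # wrap from last run to first
    return max(gaps)


def crl_refresh_margin(cron_line: str, config_text: str) -> int:
    """
    Days of slack between CRL expiry and the next scheduled refresh.
    A value <= 0 means the CRL can expire before it is regenerated: any delayed
    or skipped cron run leaves clients with a stale CRL, which strict verifiers
    (e.g. openssl verify -crl_check) reject.
    """
    crl_days = parse_default_crl_days(config_text)
    if crl_days is None:
        raise ValueError("default_crl_days not set in config")
    return crl_days - max_gap_days(parse_cron_dow(cron_line))


# Constructed sample inputs, not copied from a real installation.
SAMPLE_CRON = "59 23 * * 0 /usr/bin/buildcert.sh --updatecrl-ng"
SAMPLE_CONFIG = """
[ ca_default ]
default_days     = 365
default_crl_days = 7     # CRL validity period, 7 days as in ipset-ng
"""

if __name__ == "__main__":
    margin = crl_refresh_margin(SAMPLE_CRON, SAMPLE_CONFIG)
    print(f"refresh margin: {margin} day(s)")
    if margin <= 0:
        print("WARNING: CRL can expire before the next scheduled refresh")
```

Running it against the shipped weekly schedule reports a margin of 0 days: the CRL's nextUpdate falls exactly when the next cron run is due. Either raising default_crl_days above the cron interval or scheduling the refresh more than once a week gives a positive margin, so a single missed run does not immediately leave clients with an expired CRL.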
