Submit signing request
{% set s = authority.certificate.subject %}
Generate key and submit using standard shell tools:
CN=$(cat /proc/sys/kernel/hostname)
wget {{request.url}}/certificate/ -O /etc/ipsec.d/cacerts/ca.crt
openssl genrsa -out /etc/ipsec.d/private/$CN.pem 4096
openssl req -new -sha256 -key /etc/ipsec.d/private/$CN.pem -out /etc/ipsec.d/reqs/$CN.pem -subj "{% if s.C %}/C={{s.C}}{% endif %}{% if s.ST %}/ST={{s.ST}}{% endif %}{% if s.L %}/L={{s.L}}{% endif %}{% if s.O %}/O={{s.O}}{% endif %}{% if s.OU %}/OU={{s.OU}}{% endif %}/CN=$CN"
wget --header "Content-Type: application/pkcs10" --post-data="$(cat /etc/ipsec.d/reqs/$CN.pem)" {{request.uri}}/api/{{ca.slug}}/request/?autosign=1\&wait=30 -O /etc/ipsec.d/certs/$CN.pem.part
if [ $? -eq 0 ]; then mv /etc/ipsec.d/certs/$CN.pem.part /etc/ipsec.d/certs/$CN.pem; fi
openssl verify -CAfile /etc/ipsec.d/cacerts/ca.crt /etc/ipsec.d/certs/$CN.pem
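The exit status of wget only shows that a response body was saved, not that the body is a certificate for this host's key. The following added example (not part of Certidude; `pubkey_digest` and `install_if_valid` are hypothetical helper names) moves the downloaded `.part` file into place only if its public key matches the local private key and it verifies against the fetched CA certificate:

```shell
#!/bin/sh
# Added example, not Certidude's own code. Helper names are hypothetical.

# Print the SHA-256 of the PEM-encoded public key held in a file.
# $1 = "x509" (certificate) or "pkey" (private key), $2 = PEM file
pubkey_digest() {
    case "$1" in
        x509) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        pkey) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *) return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Install a downloaded certificate only after it passes both checks.
# $1 = downloaded .part file, $2 = private key, $3 = CA cert, $4 = destination
install_if_valid() {
    want=$(pubkey_digest pkey "$2") || { echo "cannot read key $2" >&2; return 1; }
    # A saved error page or other non-certificate body fails here.
    got=$(pubkey_digest x509 "$1") || { rm -f "$1"; echo "$1 is not a certificate" >&2; return 1; }
    # The certificate must carry the public key of our own private key.
    if [ "$got" != "$want" ]; then
        rm -f "$1"; echo "certificate does not match $2" >&2; return 1
    fi
    # The certificate must chain to the CA certificate fetched earlier.
    if ! openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
        rm -f "$1"; echo "certificate does not chain to $3" >&2; return 1
    fi
    mv "$1" "$4"
}

# Usage with the paths from the steps above:
# install_if_valid /etc/ipsec.d/certs/$CN.pem.part /etc/ipsec.d/private/$CN.pem \
#     /etc/ipsec.d/cacerts/ca.crt /etc/ipsec.d/certs/$CN.pem
```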
Assuming you have Certidude installed:
certidude setup client {{request.url}}
To set up an OpenVPN server:
certidude setup openvpn server {{request.url}}
Or to set up an OpenVPN client:
certidude setup openvpn client {{request.url}}
Pending requests
{% for j in authority.get_requests() %}
-
Fetch
{% if j.signable %}
{% else %}
{% endif %}
{% include 'iconmonstr-certificate-15-icon.svg' %}
{{j.distinguished_name}}
{% if j.email_address %}
{% include 'iconmonstr-email-2-icon.svg' %} {{ j.email_address }}
{% endif %}
{% include 'iconmonstr-key-2-icon.svg' %}
{{ j.fingerprint() }}
{{ j.key_length }}-bit
{{ j.key_type }}
{% set key_usage = j.key_usage %}
{% if key_usage %}
{% include 'iconmonstr-flag-3-icon.svg' %}
{{j.key_usage}}
{% endif %}
{% else %}
- Great job! No certificate signing requests to sign.
{% endfor %}
Signed certificates
You can fetch a signed certificate by common name:
curl -f {{request.url}}/signed/$CN > $CN.crt
{% for j in authority.get_signed() | sort | reverse %}
-
Fetch
{% include 'iconmonstr-certificate-15-icon.svg' %}
{{j.distinguished_name}}
{% if j.email_address %}
{% include 'iconmonstr-email-2-icon.svg' %} {{ j.email_address }}
{% endif %}
{% include 'iconmonstr-key-2-icon.svg' %}
{{ j.fingerprint() }}
{{ j.key_length }}-bit
{{ j.key_type }}
{% include 'iconmonstr-flag-3-icon.svg' %}
{{j.key_usage}}
{% endfor %}
Revoked certificates
To fetch certificate revocation list:
curl {{request.url}}/revoked/ | openssl crl -text -noout
{% for j in authority.get_revoked() %}
-
{{j.changed}}
{{j.serial_number}} {{j.distinguished_name}}
{% else %}
- Great job! No revoked certificates.
{% endfor %}