opkg update
opkg install strongswan-default curl openssl

Generate key and submit using standard shell tools:

CN=$(cat /proc/sys/kernel/hostname)
# Fetch the CA certificate
curl {{request.url}}/certificate/ > /etc/ipsec.d/cacerts/ca.pem
# Generate the private key and restrict it to root
openssl genrsa -out /etc/ipsec.d/private/$CN.pem 4096
chmod 0600 /etc/ipsec.d/private/$CN.pem
# Create the certificate signing request
openssl req -new -sha256 -key /etc/ipsec.d/private/$CN.pem -out /etc/ipsec.d/reqs/$CN.pem -subj "{% if s.C %}/C={{s.C}}{% endif %}{% if s.ST %}/ST={{s.ST}}{% endif %}{% if s.L %}/L={{s.L}}{% endif %}{% if s.O %}/O={{s.O}}{% endif %}{% if s.OU %}/OU={{s.OU}}{% endif %}/CN=$CN"
# Submit the request; -f makes curl exit non-zero on an HTTP error so the check below is meaningful
curl -f -L -H "Content-Type: application/pkcs10" --data-binary @/etc/ipsec.d/reqs/$CN.pem {{request.uri}}/api/{{authority.slug}}/request/?autosign=1\&wait=30 -o /etc/ipsec.d/certs/$CN.pem.part
if [ $? -eq 0 ]; then mv /etc/ipsec.d/certs/$CN.pem.part /etc/ipsec.d/certs/$CN.pem; fi
# Verify the issued certificate against the CA certificate fetched above
openssl verify -CAfile /etc/ipsec.d/cacerts/ca.pem /etc/ipsec.d/certs/$CN.pem

Inspect newly created files:

openssl x509 -text -noout -in /etc/ipsec.d/cacerts/ca.pem
openssl x509 -text -noout -in /etc/ipsec.d/certs/$CN.pem
openssl rsa -check -in /etc/ipsec.d/private/$CN.pem

Assuming you have Certidude installed:

certidude setup client {{request.url}}

To set up OpenVPN server:

certidude setup openvpn server {{request.url}}

Or to set up OpenVPN client:

certidude setup openvpn client {{request.url}}

Pending requests
Once the request has been signed, you can fetch the certificate by common name:
curl -f {{request.url}}/signed/$CN > $CN.crt
To fetch the certificate revocation list:
curl {{request.url}}/revoked/ | openssl crl -text -noout
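
The enrollment steps above move the downloaded `.part` file into place as soon as curl succeeds and only run `openssl verify` afterwards. The following added example (not part of Certidude; `install_issued_cert` and `demo_pki` are hypothetical names, and the demo PKI is constructed throwaway data) checks the download before it is installed: it must parse as a certificate, chain to the fetched CA, and carry the public key of the local private key.

```shell
# Added example, not Certidude code. Function names are hypothetical.
# Usage: install_issued_cert <download.part> <private-key> <ca-cert> <destination>
install_issued_cert() {
    iic_part=$1; iic_key=$2; iic_ca=$3; iic_dest=$4

    # 1. The download must parse as X.509 (rejects HTML error pages, empty files).
    openssl x509 -in "$iic_part" -noout 2>/dev/null ||
        { echo "not a certificate: $iic_part" >&2; return 1; }

    # 2. It must chain to the CA certificate fetched during enrollment.
    openssl verify -CAfile "$iic_ca" "$iic_part" >/dev/null 2>&1 ||
        { echo "does not chain to $iic_ca" >&2; return 2; }

    # 3. Its public key must be the one derived from our private key,
    #    i.e. the certificate answers the request we actually submitted.
    iic_cert_pub=$(openssl x509 -in "$iic_part" -noout -pubkey | openssl sha256)
    iic_key_pub=$(openssl pkey -in "$iic_key" -pubout | openssl sha256)
    [ "$iic_cert_pub" = "$iic_key_pub" ] ||
        { echo "certificate does not match $iic_key" >&2; return 3; }

    # 4. Only now rename it into place (atomic within one filesystem).
    mv "$iic_part" "$iic_dest"
}

# Constructed demo data: a throwaway CA, a client key with a certificate
# signed by that CA, and an unrelated key, all written into directory $1.
demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -new -key "$d/client.key" -subj "/CN=demo-client" \
        -out "$d/client.csr"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem.part" 2>/dev/null
}
```

On the router this would replace the `if [ $? -eq 0 ]; then mv ...; fi` step, called with the `.part` file, the private key, `ca.pem` and the final certificate path.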