hhftechnology/pangolin-client-cert-manager

Pangolin Client Cert Manager

A small Bash script to manage a local Certificate Authority (CA) and client certificates, suitable for testing mTLS solutions or even production environments with proper security measures.

Overview

This script sets up a proper OpenSSL CA structure, allowing for certificate issuance, revocation, and CRL generation. It includes an interactive menu for ease of use.

Features

  • Create a CA with optional passphrase protection.
  • Add client certificates, with the subject derived from the CA's DN and an optional passphrase.
  • List clients with expiration dates.
  • Remove client files.
  • Revoke certificates.
  • Generate Certificate Revocation List (CRL).
  • View certificate details.
  • Verify client certificates.
  • Delete entire CA.
  • Production-ready features: Passphrase protection, longer validity periods, revocation support.

Requirements

  • OpenSSL installed and available in PATH.
  • Bash shell.

Usage

Run the script:

./pcm.sh

This will display the interactive menu. Follow the prompts for each operation.

Production Considerations

  • Security: Always use passphrases for private keys in production. Secure the ca/private directory (e.g., chmod 700). Do not expose private keys.
  • Validity Periods: The script uses longer defaults (5 years for CA, 2 years for clients), but adjust as needed in the code.
  • Revocation: Regularly generate and distribute the CRL (ca/crl/crl.pem) to relying parties.
  • Backup: Back up the entire ca directory, especially index.txt, serial, and private/ca.key.
  • Best Practices: This is a simple tool. For high-security production, consider hardware security modules (HSM), auditing, and compliance with standards like RFC 5280. Do not use self-signed CAs in public-facing production without understanding the risks.
  • Customization: Edit the script to change key sizes, algorithms (e.g., switch to ECDSA), or add more extensions in openssl.cnf.

Example Workflow

  1. Create CA: Answer DN questions, choose passphrase.
  2. Add Client: Provide name, choose passphrase.
  3. If needed, revoke a client and generate CRL.

Directory Structure

  • ca/
    • private/ca.key: CA private key.
    • certs/ca.crt: CA certificate.
    • ca.pem: CA PEM (cert + key).
    • ca.p12: CA PKCS#12.
    • crl/crl.pem: Certificate Revocation List.
    • clients/<client_name>/: Client-specific files (key, crt, pem, p12).
    • newcerts/: Copies of issued certs by serial.
    • index.txt, serial, crlnumber: OpenSSL CA database files.
    • openssl.cnf: Configuration file.

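The workflow above (create CA, add client, revoke, generate CRL) carried out against this directory layout, as an added example in plain shell; it is not pcm.sh or any other code from the project. It assumes no passphrases, writes its own minimal openssl.cnf in place of the one pcm.sh generates, and uses the arbitrary client name alice with 2048-bit RSA keys; it finishes by verifying the client cert with -crl_check before and after revocation.

```shell
# Added example, not pcm.sh: builds the README's ca/ layout in a scratch dir, issues a client cert,
# revokes it, regenerates crl/crl.pem and shows verification then fails. No passphrases; minimal openssl.cnf.
set -eu
gen_crl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null; }
init_ca() {                          # $1 = absolute path of the ca/ directory
  mkdir -p "$1/private" "$1/certs" "$1/crl" "$1/newcerts" "$1/clients"; chmod 700 "$1/private"
  : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/certs/ca.crt
private_key = $1/private/ca.key
default_md = sha256
default_days = 730
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ client_ext ]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -days 1825 \
    -subj "/CN=Demo CA" -keyout "$1/private/ca.key" -out "$1/certs/ca.crt" 2>/dev/null
  gen_crl "$1"                       # -crl_check needs a CRL to exist even before any revocation
}
add_client() {                       # $1 = ca dir, $2 = client name; files land in clients/$2/
  local d="$1/clients/$2"; mkdir -p "$d"
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null
  openssl ca -batch -config "$1/openssl.cnf" -extensions client_ext -in "$d/$2.csr" -out "$d/$2.crt" >/dev/null 2>&1
}
check_client() {                     # prints valid|revoked for $2, checked against ca.crt plus the current CRL
  cat "$1/certs/ca.crt" "$1/crl/crl.pem" > "$1/chain.pem"
  openssl verify -crl_check -CAfile "$1/chain.pem" "$1/clients/$2/$2.crt" >/dev/null 2>&1 && echo valid || echo revoked
}
revoke_client() { openssl ca -config "$1/openssl.cnf" -revoke "$1/clients/$2/$2.crt" >/dev/null 2>&1; gen_crl "$1"; }
demo() {                             # prints "valid revoked": the cert passes before revocation, fails after
  local ca b; ca="$(mktemp -d)/ca"; init_ca "$ca"; add_client "$ca" alice; b="$(check_client "$ca" alice)"
  revoke_client "$ca" alice; echo "$b $(check_client "$ca" alice)"; }
if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not in PATH" >&2; fi
```

Relying parties only see the revocation once they load the regenerated crl/crl.pem, which is why the check concatenates the CA certificate and the current CRL before calling openssl verify.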
License

MIT License. Use at your own risk.

Author

HHF Technology, 2025.
