I have got different OpenPGP key now

[zeasypki.git] / README

zeasypki -- easy PKI
This is helper script for managing X.509 TLS PKI.

ECDSA keypairs are handled with GnuTLS'es certtool.
GOST keypairs are handled with PyGOST'es utilities
(http://www.pygost.cypherpunks.ru).

CA certificates have 10 years validity lifetime.
EE certificates have 365 days one.
EE certificates contain only domain name and a country.

Edit zeasypki to suit your needs and working environment. Probably you
want to change goston(), that activates PyGOST venv and key encryption
procedures.

* Create CA keypairs:
    $ mkdir mypki && cd mypki
    $ zeasypki ca ecdsa ecdsa-root.com
    $ zeasypki ca gost gost-root.ru

    $ zeasypki list-ca
    ca/ecdsa/ecdsa-root.com
    ca/gost/gost-root.ru

    $ print ca/ecdsa/ecdsa-root.com/*
    cer.pem
    key.pem

* Optionally encrypt them (that also can be done with EE keypairs too):
    $ zeasypki encrypt ca/ecdsa/ecdsa-root.com
    [GnuPG is invoked here]
    $ print ca/ecdsa/ecdsa-root.com/*
    cer.pem
    key.pem.enc

* Create EE keypairs:
    $ zeasypki new ee/ecdsa/ecdsa-root.com/some.domain.com

* Renew then EE keypairs:
    $ zeasypki renew ee/ecdsa/ecdsa-root.com/some.domain.com

* To get DANE SHA256 fingerprint:
    $ zeasypki dane KEY

* To get full PEM-encoded keypair:
    $ zeasypki keypair KEY

* To get remind (https://dianne.skoll.ca/projects/remind/) compatible
  calendar of certificates expiration times:
    $ zeasypki rem