Expect Dialog CA

This repository contains scripts meant to make managing an OpenSSL CA less painful inside a terminal environment.

View the Project on GitHub elbosso/expect-dialog-ca

Dependencies

If you did not already deduce it from there being Linux scripts - this project is meant to be used under Linux! At the moment, the only variant it has been extensively tested in is Ubuntu in its latest long term support version: 18.04.

Well, the scripts are meant to facilitate the management of OpenSSL CAs - OpenSSL must obviously be installed for them to work.

The GUI for the scripts is done with the help of Expect and Dialog - so both of them must be installed, too.

But be wary: Ubuntu might try to sneak a snap version past you, for example for expect. Don’t use that! It is dangerous and crappy and does not work like the normal binary. Always use the binary!

At times apt might tell you that it cannot find an installation candidate for either expect or dialog. In most cases the reason is that the universe and multiverse repositories have been deactivated (usually in /etc/apt/sources.list). Activate them and run an apt update, and Ubuntu should once again know where to find the needed packages…

Because of a bug in the dialog package, another dependency is needed: the scripts now use tput to determine the dimensions of the terminal they run in. To access this tool, the package ncurses-bin must be installed.

Depending on your particular flavour/version of Linux, even more components/packages may need to be installed to get the scripts working…

For operating the scripts, the Git command line client is crucial - especially for setting up new CAs (see next dependency below).

A further dependency is on the work of Stefan H. Holek, especially on his work on the Expert PKI Tutorial. This does not necessarily mean that the computer on which the PKI is operated needs a connection to that repository - the content of the repository can be downloaded someplace else and then copied over (see Use Case for Creating a CA further down).

For working with caa.sh, ‘dig’ needs to be installed.

There is one more optional dependency: The creation of private keys needs some form of protecting them. The scripts in this project use passwords for that. To facilitate choosing safe passwords, the scripts use makepasswd when and if available. So if you want to have the amenity of proposed passwords, you have to make sure that it is installed.
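The dependency list above can be checked in one go before the scripts are first run. The following preflight script is an added example, not part of the expect-dialog-ca repository; the function names (missing_tools, is_snap_path, preflight) are made up for this illustration, and the snap test assumes the usual arrangement in which snap commands live under /snap/bin as symlinks to /usr/bin/snap.

```sh
#!/bin/sh
# Preflight check for the tools named in the Dependencies section.
# Added example; function names are hypothetical, not from the project.

REQUIRED="openssl expect dialog tput git dig"   # tput is in ncurses-bin
OPTIONAL="makepasswd"                           # only used to propose passwords

# Print every tool from the argument list that is not on PATH, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Succeed if the given path looks like a snap-provided command.
# Assumption: snap commands sit under /snap/ and resolve to .../snap.
is_snap_path() {
    case "$1" in
        /snap/*) return 0 ;;
    esac
    resolved=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    [ "${resolved##*/}" = "snap" ]
}

# Report missing tools and snap builds; return non-zero if a required
# tool is absent or is provided by snap.
preflight() {
    status=0
    for tool in $(missing_tools $REQUIRED); do
        echo "MISSING (required): $tool" >&2
        status=1
    done
    for tool in $(missing_tools $OPTIONAL); do
        echo "missing (optional): $tool - no password proposals" >&2
    done
    for tool in $REQUIRED; do
        path=$(command -v "$tool" 2>/dev/null) || continue
        if is_snap_path "$path"; then
            echo "SNAP BUILD: $tool resolves to $path; use the regular package" >&2
            status=1
        fi
    done
    return "$status"
}

preflight || echo "Resolve the items above before running the CA scripts." >&2
```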

Layout of CAs managed with the scripts

The project and the scripts therein adhere to the directory layout as described and used in Expert PKI Tutorial.

The only (slight) difference is that we keep the CAs strictly separate: even if they are members of some sort of hierarchy (meaning some are Root CAs for others), they should live in sibling directories.