git: 1ff18addddfe - main - security/p5-openxpki-clca: Toolkit for root CA

From: Robert Clausecker <fuz_at_FreeBSD.org>
Date: Sun, 28 Sep 2025 09:30:59 UTC
The branch main has been updated by fuz:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1ff18addddfe2b75bcb2176b90559061359236e7

commit 1ff18addddfe2b75bcb2176b90559061359236e7
Author:     Sergei Vyshenski <svysh.fbsd@gmail.com>
AuthorDate: 2025-09-23 20:26:07 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2025-09-28 09:29:33 +0000

    security/p5-openxpki-clca: Toolkit for root CA
    
    Command Line Certificate Authority (clca) is a collection of tools (written in
    Bash and Perl atop of OpenSSL or LibreSSL) that allow for basic PKI operations
    such as Sub CA certificate issuance (signing certificate requests), certificate
    revocation and CRL issuance. Originally designed to be used for a Root CA, it
    may also be used for lower level CAs or even end entity certificates as well.
    
    https://github.com/openxpki/clca
    
    PR:             272312
    Event:          EuroBSDcon 2025
---
 security/p5-openxpki-clca/Makefile             | 54 +++++++++++++++++++
 security/p5-openxpki-clca/distinfo             |  3 ++
 security/p5-openxpki-clca/files/pkg-message.in | 73 ++++++++++++++++++++++++++
 security/p5-openxpki-clca/pkg-descr            | 16 ++++++
 security/p5-openxpki-clca/pkg-plist            | 19 +++++++
 5 files changed, 165 insertions(+)

diff --git a/security/p5-openxpki-clca/Makefile b/security/p5-openxpki-clca/Makefile
new file mode 100644
index 000000000000..51cf5fd18024
--- /dev/null
+++ b/security/p5-openxpki-clca/Makefile
@@ -0,0 +1,54 @@
+PORTNAME=	openxpki-clca
+DISTVERSIONPREFIX=	v
+DISTVERSION=	1.19
+CATEGORIES=	security perl5
+PKGNAMEPREFIX=	p5-
+
+MAINTAINER=	svysh.fbsd@gmail.com
+COMMENT=	Toolkit for basic PKI operations in small CA like root CA
+
+LICENSE=	GPLv2
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+MY_DEPENDS=	bash:shells/bash \
+		p5-Class-Std>=0:devel/p5-Class-Std \
+		p5-Regexp-Common>=0:textproc/p5-Regexp-Common \
+		p5-Template-Toolkit>=0:www/p5-Template-Toolkit \
+		p5-YAML>=0:textproc/p5-YAML
+BUILD_DEPENDS=	${MY_DEPENDS}
+RUN_DEPENDS=	${MY_DEPENDS}
+
+USES=		perl5 shebangfix ssl
+USE_GITHUB=	yes
+GH_ACCOUNT=	openxpki
+GH_PROJECT=	clca
+SHEBANG_FILES=	bin/*
+
+NO_ARCH=	yes
+NO_BUILD=	yes
+PORTSCOUT=	skipv:^v?1\.[0-9] # Ignore ancient versions
+SUB_FILES=	pkg-message
+
+OPTIONS_DEFINE=	DOCS
+OPTIONS_SUB=	yes
+
+pre-configure:
+	@${ECHO} "Patching dir names...";
+# shebangfix does not help in the middle of files:
+	${REINPLACE_CMD} -e "s|/usr/bin/perl|${PERL}|g" ${WRKSRC}/bin/clca
+	${REINPLACE_CMD} -e "s|/bin/bash|${LOCALBASE}/bin/bash|g" \
+		${WRKSRC}/README.keyceremony-shared-interactive.md
+
+do-install:
+	@${MKDIR} ${STAGEDIR}${PREFIX}/bin
+	${INSTALL_SCRIPT} ${WRKSRC}/bin/clca ${STAGEDIR}${PREFIX}/bin
+	${INSTALL_SCRIPT} ${WRKSRC}/bin/change-quorum.sh ${STAGEDIR}${PREFIX}/bin
+	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+	(cd ${WRKSRC} && ${COPYTREE_SHARE} "bin etc lib" ${STAGEDIR}${EXAMPLESDIR} \
+		"! -name *\.orig ! -name *\.bak")
+
+post-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	(cd ${WRKSRC} && ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR} "-name *\.md")
+
+.include <bsd.port.mk>
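Review bot: `do-install` stages only `clca` and `change-quorum.sh` into `${STAGEDIR}${PREFIX}/bin`, and pkg-plist in this commit lists the same two, yet files/pkg-message.in tells the operator that `provision` and `secret` are installed there as well. For a root-CA toolkit it matters which copy of a script actually runs, so either add `${INSTALL_SCRIPT} ${WRKSRC}/bin/provision ${STAGEDIR}${PREFIX}/bin` and the matching line for `secret` (plus `bin/provision` and `bin/secret` in pkg-plist), or drop the two names from the message. Separately, the example tree including `bin` is copied with `${COPYTREE_SHARE}`, which as far as I know applies share (non-executable) file modes, so `bin/clca` may not be runnable after the `cp -pR` into /ca_home that the message prescribes. Staging the `bin` subtree with `${COPYTREE_BIN}` would avoid that; this is worth confirming on a staged install.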
diff --git a/security/p5-openxpki-clca/distinfo b/security/p5-openxpki-clca/distinfo
new file mode 100644
index 000000000000..3a9f3e7e2a27
--- /dev/null
+++ b/security/p5-openxpki-clca/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1758658331
+SHA256 (openxpki-clca-v1.19_GH0.tar.gz) = 31c0a552b48c870cdfc63537c0b90f0cab0acc096f101a37571c94bda4a85727
+SIZE (openxpki-clca-v1.19_GH0.tar.gz) = 46303
diff --git a/security/p5-openxpki-clca/files/pkg-message.in b/security/p5-openxpki-clca/files/pkg-message.in
new file mode 100644
index 000000000000..0dc7680b1c63
--- /dev/null
+++ b/security/p5-openxpki-clca/files/pkg-message.in
@@ -0,0 +1,73 @@
+[
+{ type: install
+  message: <<EOM
+- Create root directory for your root certificate authority (CA),
+    e.g. "/ca_home":
+    mkdir -p /ca_home/private
+- Publish it in your environment as CA_HOME (this name is fixed):
+    e.g. export CA_HOME=/ca_home
+- Populate it as:
+    cp -pR %%EXAMPLESDIR%%/ /ca_home
+    cp -pR %%DOCSDIR%%/ /ca_home
+- Follow advice at:
+    /ca_home/*.md (patched for FreeBSD) or
+    https://github.com/openxpki/clca (for original Debian Linux)
+- Revise your configuration in 
+    /ca_home/etc/*
+    /ca_home/bin/*
+- Run main interactive Bash script of this port as follows:
+    cd /ca_home
+    bin/clca
+- This port/package installs some scripts into %%PREFIX%%/bin:
+    clca, change-quorum.sh, provision,secret
+    Sometime it is convenient to run them from your root ca directory /ca_home,
+    as they are in your PATH. But beware of confusing them with scripts, which
+    are located in /ca_home/bin/*.
+- Use of OpenSSL or LibreSSL
+  = This package comes (from FreeBSD build cluster) bound with 
+  openssl from base system, cf: /usr/ports/Mk/Uses/ssl.mk
+  If you want to use openssl or libressl from ports instead, then:
+    1) add the name of respective port 
+       (openssl, openssl30, openssl31, libressl, libressl-devel...)
+       to /etc/make.conf file e.g. like this:
+       DEFAULT_VERSIONS+= ssl=openssl31
+    2) install security/openssl31
+    3) cd /usr/ports/security/p5-openxpki-clca && make reinstall
+       you do not need to rebuild dependencies, installed from packages.
+    4) repeat steps above for re-population of root directory and revising
+        configuration.
+	5) If your system has more that one installation of openssl/libressl, you
+		may want to create a symlink (early in the path) to your preferred
+		openssl binary. Check your working copy of openssl with:
+			which openssl
+			openssl version
+	6) Revise again your configuration in 
+		/ca_home/etc/*
+		/ca_home/bin/*
+  = Using versions OpenSSL 1.0 or less can restrict features of this port.
+  = This port builds just fine with any available versions of OpenSSL or 
+    LibreSSL. But its operation with LibreSSL or OpenSSL 3.1+ has not been fully
+	tested. Report your respective story to the list
+      https://sourceforge.net/p/openxpki/mailman/
+    or use OpenSSL 3.0 instead.
+- If you choose to create (as docs advice) a new optional perl script in
+  the /ca_home/bin directory, you may want to employ a construct like
+    use FindBin;
+    use lib "$FindBin::Bin/../lib";
+  inside your script, so that perl modules from /ca_home/lib directory
+  become available to your script if you need them to be.
+- Note, that this software is optimized for use from autonomous device, when
+  /ca_home directory is located on USB drive, which is extracted from computer
+  after  work to be kept inside a steel vault.   
+
+EOM
+}
+{ type: upgrade
+  message: <<EOM
+If you update existing installation, repeat steps for re-population of root
+directory and revising configuration. And please check if extra handwork 
+is needed in your case:
+    https://github.com/openxpki/clca
+EOM
+}
+]
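Review bot: The first step, `mkdir -p /ca_home/private`, sets no mode, so a directory that by its name is meant for CA key material is created with whatever umask the operator happens to have. The later `cp -pR` steps also preserve the installed files' modes, which are presumably world-readable for `etc/*`. I would state the mode in the instructions, e.g. `mkdir -p -m 700 /ca_home/private`, and add a line such as `chmod -R go-rwx /ca_home` after the populate step. Steps 5) and 6) of the OpenSSL list are also tab-indented while 1) to 4) use spaces, so the list will render unevenly when the message is displayed.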
diff --git a/security/p5-openxpki-clca/pkg-descr b/security/p5-openxpki-clca/pkg-descr
new file mode 100644
index 000000000000..2b58d935e147
--- /dev/null
+++ b/security/p5-openxpki-clca/pkg-descr
@@ -0,0 +1,16 @@
+Command Line Certificate Authority (clca) is a collection of tools (written in
+Bash and Perl atop of OpenSSL or LibreSSL) that allow for basic PKI operations
+such as Sub CA certificate issuance (signing certificate requests), certificate
+revocation and CRL issuance. Originally designed to be used for a Root CA, it
+may also be used for lower level CAs or even end entity certificates as well.
+
+Ideal solution for off-line low-traffic CA, residing on a notebook, which is
+most of the time kept in a vault.
+
+CA private keys can be held either in encrypted files (encrypted either with
+a simple passphrase or using Shamir's Secret Sharing) or stored in an HSM.
+
+Port security/p5-openxpki-clca is an overly lightweight command-line
+alternative to its elder brother, a full-featured server-born port
+security/p5-openxpki designed for universal PKI solutions. These two ports are
+mutually independent and can coexist on the same host.
diff --git a/security/p5-openxpki-clca/pkg-plist b/security/p5-openxpki-clca/pkg-plist
new file mode 100644
index 000000000000..0f4ad36c1099
--- /dev/null
+++ b/security/p5-openxpki-clca/pkg-plist
@@ -0,0 +1,19 @@
+bin/change-quorum.sh
+bin/clca
+%%PORTDOCS%%%%DOCSDIR%%/README.keyceremony-shared-interactive.md
+%%PORTDOCS%%%%DOCSDIR%%/README.keyceremony-simple-noninteractive.md
+%%PORTDOCS%%%%DOCSDIR%%/README.md
+%%EXAMPLESDIR%%/bin/change-quorum.sh
+%%EXAMPLESDIR%%/bin/clca
+%%EXAMPLESDIR%%/bin/provision
+%%EXAMPLESDIR%%/bin/secret
+%%EXAMPLESDIR%%/etc/clca.cfg
+%%EXAMPLESDIR%%/etc/openssl.cnf
+%%EXAMPLESDIR%%/lib/OpenXPKI/Crypto/Secret.pm
+%%EXAMPLESDIR%%/lib/OpenXPKI/Crypto/Secret/Plain.pm
+%%EXAMPLESDIR%%/lib/OpenXPKI/Crypto/Secret/Split.pm
+%%EXAMPLESDIR%%/lib/OpenXPKI/Debug.pm
+%%EXAMPLESDIR%%/lib/OpenXPKI/Exception.pm
+%%EXAMPLESDIR%%/lib/OpenXPKI/Serialization/Simple.pm
+%%EXAMPLESDIR%%/lib/OpenXPKI/Server/Context.pm
+%%EXAMPLESDIR%%/lib/OpenXPKI/VERSION.pm