+- `/api/ca/status`

+- `/api/ca/certificates`

+- `/download/ca.crt`

+## Autoritate locală de certificate

+

+Host Manager include un helper OpenSSL pentru o autoritate locală de certificate pentru hosturi. Cheia privată CA nu este în git și nu este servită prin aplicație.

+

+Locația implicită:

+

+```text

+/usr/local/xdev-host-manager/var/ca

+```

+

+Inițializare CA, pe jumper:

+

+```bash

+cd /usr/local/xdev-host-manager

+sudo scripts/ca_manager.sh init

+```

+

+Semnare CSR pentru un host:

+

+```bash

+sudo scripts/ca_manager.sh sign-csr host-id /path/to/host.csr host.madagascar.xdev.ro host

+```

+

+Aplicația web, după OTP, poate afișa statusul CA, lista certificatelor emise și poate descărca certificatul public CA prin `/download/ca.crt`.

+

+Reguli:

+

+- Se semnează preferabil CSR-uri generate pe hosturi; cheia privată a hostului nu trebuie copiată în Host Manager.

+- CA private key rămâne local pe jumper și în afara git-ului.

+- Endpoint-urile CA sunt în spatele OTP-ului.

+- Automatizarea pentru emitere direct din UI se adaugă ulterior doar cu helper privilegiat și audit separat.

+

+/var/

+- `scripts/ca_manager.sh` - local OpenSSL CA helper for host certificates

+

+The local host CA stores private material outside git under `var/ca`. Initialize it on jumper with:

+

+```bash

+sudo scripts/ca_manager.sh init

+```

+#!/usr/bin/env bash

+#

+# ca_manager.sh - Local host certificate authority helper.

+#

+

+set -euo pipefail

+

+CA_DIR="${HOST_MANAGER_CA_DIR:-/usr/local/xdev-host-manager/var/ca}"

+OPENSSL="${OPENSSL:-openssl}"

+DEFAULT_SUBJECT="/O=Xdev/OU=Madagascar/CN=Xdev Madagascar Local Host CA"

+DEFAULT_DAYS=3650

+HOST_CERT_DAYS=825

+

+usage() {

+    cat <<EOF

+Usage:

+  $0 init [subject]

+  $0 status-json

+  $0 list-json

+  $0 export-ca

+  $0 sign-csr name csr-file dns-name [dns-name...]

+

+Notes:

+  - Run init/sign-csr as root.

+  - CA private key is stored outside git in \$HOST_MANAGER_CA_DIR/private.

+  - The web app only reads status, issued cert metadata, and the public CA cert.

+EOF

+}

+

+die() {

+    printf '[ERROR] %s\n' "$*" >&2

+    exit 1

+}

+

+need_openssl() {

+    command -v "$OPENSSL" >/dev/null 2>&1 || die "openssl not found"

+}

+

+json_escape() {

+    perl -Mstrict -Mwarnings -e '

+        my $s = join("", <>);

+        $s =~ s/\\/\\\\/g;

+        $s =~ s/"/\\"/g;

+        $s =~ s/\n/\\n/g;

+        $s =~ s/\r/\\r/g;

+        $s =~ s/\t/\\t/g;

+        print qq{"$s"};

+    ' <<< "${1:-}"

+}

+

+safe_name() {

+    local name="${1:-}"

+    [[ "$name" =~ ^[A-Za-z0-9_.-]+$ ]] || die "unsafe name: $name"

+    printf '%s' "$name"

+}

+

+ca_cert="$CA_DIR/certs/ca.cert.pem"

+ca_key="$CA_DIR/private/ca.key.pem"

+serial_file="$CA_DIR/serial.srl"

+

+init_ca() {

+    need_openssl

+    local subject="${1:-$DEFAULT_SUBJECT}"

+    [[ ! -e "$ca_key" ]] || die "CA key already exists: $ca_key"

+

+    install -d -m 0755 "$CA_DIR" "$CA_DIR/certs" "$CA_DIR/csr" "$CA_DIR/issued" "$CA_DIR/requests"

+    install -d -m 0700 "$CA_DIR/private"

+

+    "$OPENSSL" genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$ca_key"

+    chmod 0600 "$ca_key"

+

+    "$OPENSSL" req -new -x509 -days "$DEFAULT_DAYS" -sha256 \

+        -key "$ca_key" \

+        -out "$ca_cert" \

+        -subj "$subject" \

+        -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \

+        -addext "keyUsage=critical,keyCertSign,cRLSign" \

+        -addext "subjectKeyIdentifier=hash"

+

+    chmod 0644 "$ca_cert"

+    chown -R root:host-manager "$CA_DIR" 2>/dev/null || true

+    chown root:root "$ca_key" 2>/dev/null || true

+    chmod 0600 "$ca_key"

+}

+

+cert_field() {

+    local cert="$1"

+    local field="$2"

+    case "$field" in

+        subject) "$OPENSSL" x509 -in "$cert" -noout -subject | sed 's/^subject=//' ;;

+        issuer) "$OPENSSL" x509 -in "$cert" -noout -issuer | sed 's/^issuer=//' ;;

+        not_before) "$OPENSSL" x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//' ;;

+        not_after) "$OPENSSL" x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//' ;;

+        fingerprint) "$OPENSSL" x509 -in "$cert" -noout -fingerprint -sha256 | sed 's/^sha256 Fingerprint=//' ;;

+        serial) "$OPENSSL" x509 -in "$cert" -noout -serial | sed 's/^serial=//' ;;

+        *) return 1 ;;

+    esac

+}

+

+status_json() {

+    need_openssl

+    if [[ ! -f "$ca_cert" ]]; then

+        printf '{"initialized":false,"ca_dir":'

+        json_escape "$CA_DIR"

+        printf ',"certificates":0}\n'

+        return

+    fi

+

+    local count=0

+    shopt -s nullglob

+    local cert

+    for cert in "$CA_DIR"/issued/*.cert.pem; do

+        count=$((count + 1))

+    done

+    shopt -u nullglob

+

+    printf '{"initialized":true'

+    printf ',"ca_dir":'; json_escape "$CA_DIR"

+    printf ',"subject":'; json_escape "$(cert_field "$ca_cert" subject)"

+    printf ',"not_before":'; json_escape "$(cert_field "$ca_cert" not_before)"

+    printf ',"not_after":'; json_escape "$(cert_field "$ca_cert" not_after)"

+    printf ',"fingerprint_sha256":'; json_escape "$(cert_field "$ca_cert" fingerprint)"

+    printf ',"certificates":%s' "$count"

+    printf '}\n'

+}

+

+list_json() {

+    need_openssl

+    printf '['

+    local first=1 cert name

+    shopt -s nullglob

+    for cert in "$CA_DIR"/issued/*.cert.pem; do

+        name="$(basename "$cert" .cert.pem)"

+        if [[ "$first" -eq 0 ]]; then

+            printf ','

+        fi

+        first=0

+        printf '{"name":'; json_escape "$name"

+        printf ',"subject":'; json_escape "$(cert_field "$cert" subject)"

+        printf ',"issuer":'; json_escape "$(cert_field "$cert" issuer)"

+        printf ',"serial":'; json_escape "$(cert_field "$cert" serial)"

+        printf ',"not_before":'; json_escape "$(cert_field "$cert" not_before)"

+        printf ',"not_after":'; json_escape "$(cert_field "$cert" not_after)"

+        printf ',"fingerprint_sha256":'; json_escape "$(cert_field "$cert" fingerprint)"

+        printf '}'

+    done

+    shopt -u nullglob

+    printf ']\n'

+}

+

+export_ca() {

+    [[ -f "$ca_cert" ]] || die "CA is not initialized"

+    cat "$ca_cert"

+}

+

+sign_csr() {

+    need_openssl

+    [[ -f "$ca_key" && -f "$ca_cert" ]] || die "CA is not initialized"

+    local name csr days ext cert

+    name="$(safe_name "${1:-}")"

+    csr="${2:-}"

+    shift 2 || true

+    [[ -f "$csr" ]] || die "missing CSR file: $csr"

+    [[ "$#" -ge 1 ]] || die "at least one DNS SAN is required"

+

+    cert="$CA_DIR/issued/$name.cert.pem"

+    [[ ! -e "$cert" ]] || die "certificate already exists: $cert"

+    ext="$(mktemp)"

+    {

+        printf 'basicConstraints=critical,CA:FALSE\n'

+        printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'

+        printf 'extendedKeyUsage=serverAuth,clientAuth\n'

+        printf 'subjectAltName='

+        local first=1 dns

+        for dns in "$@"; do

+            [[ "$dns" =~ ^[A-Za-z0-9_.-]+$ ]] || die "unsafe DNS SAN: $dns"

+            if [[ "$first" -eq 0 ]]; then

+                printf ','

+            fi

+            first=0

+            printf 'DNS:%s' "$dns"

+        done

+        printf '\n'

+    } > "$ext"

+

+    cp "$csr" "$CA_DIR/csr/$name.csr.pem"

+    "$OPENSSL" x509 -req -sha256 \

+        -in "$csr" \

+        -CA "$ca_cert" \

+        -CAkey "$ca_key" \

+        -CAserial "$serial_file" \

+        -CAcreateserial \

+        -days "$HOST_CERT_DAYS" \

+        -extfile "$ext" \

+        -out "$cert"

+    rm -f "$ext"

+    chmod 0644 "$cert" "$CA_DIR/csr/$name.csr.pem"

+    chown root:host-manager "$cert" "$CA_DIR/csr/$name.csr.pem" 2>/dev/null || true

+    printf '%s\n' "$cert"

+}

+

+cmd="${1:-}"

+case "$cmd" in

+    init) shift; init_ca "$@" ;;

+    status-json) status_json ;;

+    list-json) list_json ;;

+    export-ca) export_ca ;;

+    sign-csr) shift; sign_csr "$@" ;;

+    -h|--help|help|'') usage ;;

+    *) die "unknown command: $cmd" ;;

+esac

+    if ($method eq 'GET' && $path eq '/api/ca/status') {

+        return send_json_raw($client, 200, ca_manager_json('status-json'));

+    }

+    if ($method eq 'GET' && $path eq '/api/ca/certificates') {

+        return send_json_raw($client, 200, ca_manager_json('list-json'));

+    }

+    if ($method eq 'GET' && $path eq '/download/ca.crt') {

+        return send_file($client, ca_cert_path(), 'application/x-pem-file; charset=utf-8', 'xdev-madagascar-host-ca.crt');

+    }

+sub ca_script_path {

+    return "$project_dir/scripts/ca_manager.sh";

+}

+

+sub ca_dir {

+    return $ENV{HOST_MANAGER_CA_DIR} || "$project_dir/var/ca";

+}

+

+sub ca_cert_path {

+    return ca_dir() . "/certs/ca.cert.pem";

+}

+

+sub ca_manager_json {

+    my ($command) = @_;

+    my $script = ca_script_path();

+    die "CA manager script is missing\n" unless -x $script;

+    local $ENV{HOST_MANAGER_CA_DIR} = ca_dir();

+    open my $fh, '-|', $script, $command or die "Cannot run CA manager\n";

+    local $/;

+    my $out = <$fh>;

+    close $fh or die "CA manager failed\n";

+    return $out || '{}';

+}

+

+sub send_json_raw {

+    my ($client, $status, $json_body, $extra_headers) = @_;

+    return send_response($client, $status, $json_body, 'application/json; charset=utf-8', $extra_headers);

+}

+

+      <section class="panel">

+        <div class="panel-head">

+          <h2>Certificate Authority</h2>

+          <a class="linkbtn" href="/download/ca.crt">ca.crt</a>

+        </div>

+        <div class="problems" id="ca-status"></div>

+      </section>

+

+      await renderCa();

+    async function renderCa() {

+      try {

+        const status = await api('/api/ca/status');

+        if (!status.initialized) {

+          $('ca-status').innerHTML = '<div class="problem"><strong>not initialized</strong> Run <code>sudo scripts/ca_manager.sh init</code> on jumper.</div>';

+          return;

+        }

+        const certs = await api('/api/ca/certificates');

+        $('ca-status').innerHTML = `

+          <div class="muted" style="display:grid;gap:6px">

+            <div><strong>${escapeHtml(status.subject || '')}</strong></div>

+            <div>SHA256 ${escapeHtml(status.fingerprint_sha256 || '')}</div>

+            <div>valid ${escapeHtml(status.not_before || '')} - ${escapeHtml(status.not_after || '')}</div>

+            <div>${certs.length} issued certificate(s)</div>

+          </div>`;

+      } catch (e) {

+        $('ca-status').innerHTML = `<div class="problem"><strong>CA status unavailable</strong> ${escapeHtml(e.message)}</div>`;

+      }

+    }

+