How to Setup a Sigul Client
This post explains how to set up sigul clients for a working sigul setup. I have automated part of the tasks with a script, and I will go over both the manual method of setting up a client and the slightly more automated one.
Quick Overview of Sigul
There are at least 3 separate computers involved in the sigul setup (server, bridge, and client should be separate computers):
1. The Sigul Server is completely cut off from all network except contact with the Sigul Bridge.
2. The Sigul Bridge allows sigul clients to connect to it, and talks to the Sigul Server for the client’s request.
3. The Sigul Client communicates with the bridge, and makes requests such as: sign this package, or list users.
Using a script to setup more clients
The script is in the root directory of the sigul client and must be run as root. Run it with the username as its only argument:
What Does the Script Do?
The script folder contains extra files that it copies over to the user's directory.
These files include:
1. sigul client database – which already contains the bridge cert, so that you only need to add the new user cert.
2. a copy of sigulsign_unsigned.py
3. the sigul client config
These files are copied to the /home/username/.sigul folder. The script then generates a client cert for the user and finally grants the user key access; for that step you need to know the passphrase for the key and use any sigul admin account. It will also warn you to make sure you have created an admin user on the sigul server.
Create an Admin
Log in to the Sigul Server (how to do that is covered separately). Once you are logged in, run the add admin command:
The admin name should probably match the username on the Sigul Client. Make sure that your admin users change both their admin password and passphrase after you hand them over; how to do that is covered separately.
Manual Process of Setting Up Sigul Clients
The first step is the same as above: create an admin. Find the Create an Admin heading on this page and follow the instructions.
Next, grant the users access to the key:
sigul grant-key-access pidora-18 username
This process gets a little complicated because you need to use the Sigul Bridge as well. First export the CA from the Sigul Bridge by specifying the directory of the Sigul Bridge database and the name of the CA. The Sigul Bridge database is probably kept in /var/lib/sigul.
On the Bridge:
pk12util -d [directory of database] -o sigul-ca.p12 -n [name of your CA]
Copy the output file (sigul-ca.p12) from the bridge to the clients. Once the clients are set up, delete this file: it bundles the CA's private key and should not exist outside the database.
Log in as the client user and create a new Sigul Client database:
mkdir ~/.sigul/
certutil -d ~/.sigul/ -N
Import the CA that you copied into the client database:
pk12util -d ~/.sigul/ -i [name of CA file]
Then modify the trust attributes of the CA and mark it as a trusted CA:
certutil -d ~/.sigul/ -M -n [name of your CA] -t CT,,
Create the client cert:
certutil -d ~/.sigul/ -S -n sigul-client-cert -s 'CN=username' -c [name of your CA] -t u,, -v 120
The CN should match the username of both the sigul admin and the Linux user (no stray whitespace inside the quotes, or the CN will not match). -S creates a cert and adds it to the database; -n is the nickname of the cert; -c specifies the name of the CA that signs it; -t u,, marks it as a user cert; and -v 120 makes it valid for 120 months.
The manual setup for the client is complete; next, try some of the client tests (covered separately).
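As an added example, not the author's script, here is the client-side part of the manual procedure above (database creation, CA import, trust flags, client cert with CN=username) as one root-run script that takes the username and the sigul-ca.p12 copied from the bridge. The CA nickname "sigul-ca", the /home/username/.sigul path and the 120-month validity are assumptions taken from this page's placeholders; certutil and pk12util still prompt for the database and .p12 passwords.

```shell
#!/bin/sh
# Added example: automates the manual Sigul client steps for one user.
# Assumed defaults: CA nickname "sigul-ca", cert nickname "sigul-client-cert".
set -eu

CA_NICK="${SIGUL_CA_NICK:-sigul-ca}"   # assumed nickname of the bridge CA in the .p12
CERT_NICK="sigul-client-cert"          # nickname used on this page
VALID_MONTHS=120                       # -v 120 as on this page

# The username becomes the cert CN and must match the sigul admin name and
# the Linux user, so reject empty names, whitespace, shell metacharacters
# and a leading dash (a stray space in the CN silently breaks that match).
valid_username() {
    case "$1" in
        ''|-*|*[!_.A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

sigul_home_dir() { printf '/home/%s/.sigul\n' "$1"; }

setup_client() {
    user="$1"; p12="$2"
    valid_username "$user" || { echo "bad username: $user" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }
    dir="$(sigul_home_dir "$user")"
    noise="$(mktemp)"; head -c 2048 /dev/urandom >"$noise"   # seed for key generation
    mkdir -p "$dir"
    certutil -d "$dir" -N                        # new NSS database (prompts for its password)
    pk12util -d "$dir" -i "$p12"                 # import CA cert + key (prompts for .p12 password)
    certutil -d "$dir" -M -n "$CA_NICK" -t CT,,  # mark the CA as trusted
    certutil -d "$dir" -S -n "$CERT_NICK" -s "CN=$user" -c "$CA_NICK" \
        -t u,, -v "$VALID_MONTHS" -z "$noise"    # client cert signed by the CA
    rm -f "$noise"
    chown -R "$user" "$dir"; chmod 700 "$dir"    # the database belongs to the client user only
    certutil -d "$dir" -L -n "$CERT_NICK" >/dev/null   # fail loudly if the cert is missing
    echo "client database ready in $dir; now delete $p12 from this client"
}

if [ $# -eq 2 ]; then
    setup_client "$1" "$2"
else
    echo "usage: $0 USERNAME /path/to/sigul-ca.p12" >&2
fi
```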