This page should tell you what you need to know to install and run a Robot CA of your own. It basically describes my configuration. I run robotca as its own user.
I'm running Robot CA on a Debian GNU/Linux system. It relies on a number of Perl modules and other supporting programs to work, and they're all provided by Debian packages.
| Module | Debian package | Purpose |
|---|---|---|
| Config::IniFiles | libconfig-inifiles-perl | The robot's config file is in INI format. |
| Digest::SHA1 | libdigest-sha1-perl | The robot uses SHA1 hashes in its history file. |
| Expect | libexpect-perl | Used to interact with gpg to sign keys. |
| Getopt::Mixed | libgetopt-mixed-perl | Used to parse command line options. |
| Mail::Send | libmailtools-perl | Used to send response email. |
| Item | Debian package | Purpose |
|---|---|---|
| Procmail | procmail | Very useful, but you could get by without it. |
| GnuPG | gnupg | Used as the back end for all key handling. |
| Postfix | postfix-tls | Get incoming mail. Any mail transport agent should work. |
These are the steps I took to install a working Robot CA (after getting all the requirements installed).
```
LOGFILE=$HOME/procmail-log

:0
* ^FROM_MAILER
/dev/null

:0
* ^FROM_DAEMON
/dev/null

:0:$HOME/rcalock
| /home/robotca/robotca
```
I have Procmail locking on the script recipe to keep a mail flood from flooring the machine. It appears Procmail forks and returns to Postfix while my script runs, so Postfix's concurrent delivery limits don't stop the robot from running out of control. If you're not worried about that, you can remove the lock file. The robotca script does internal locking to make sure it doesn't stomp on itself.
The LOGFILE option is set for debugging. There's no reason to do it on a robot you know is working.
Run `echo '1;' > history` at the shell. This creates the minimal valid history file. If the history file isn't there, robotca won't create it.
Run `gpg --gen-key` at the command line. I recommend creating a signing-only DSA key (I see no reason to encrypt anything for the robot).
From the command line, you can just pipe a key into it, and it will process it as if it had been mailed. Give it the option `-d 1` to watch it work. That also turns off history checking, so it won't refuse to sign the key you signed a minute ago.
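As an added illustration (not robotca's own code), here is a Perl sketch of the kind of check the history file and its SHA1 hashes make possible: hash the key read on stdin, refuse if that hash was recorded within the last day, otherwise record it under a lock. The history layout (a `%seen` hash followed by the `1;` a Perl-syntax file needs), the 24-hour window and the lock file name are this example's assumptions, not the robot's format.

```perl
#!/usr/bin/perl
# Illustrative duplicate-request guard (assumed layout, not robotca's own).
use strict;
use warnings;
use Digest::SHA1 qw(sha1_hex);
use Fcntl qw(:flock);

my $history = "$ENV{HOME}/history";
my $window  = 24 * 60 * 60;    # assumed: refuse to re-sign the same key within a day

# Slurp the ASCII-armored key from stdin, as when a key is piped to the robot.
my $key = do { local $/; <STDIN> };
die "no key on stdin\n" unless defined $key && $key =~ /BEGIN PGP PUBLIC KEY BLOCK/;
my $id = sha1_hex($key);

# Hold a lock so two concurrent deliveries cannot both rewrite the history.
open(my $lock, '>>', "$history.lock") or die "cannot open lock: $!";
flock($lock, LOCK_EX) or die "cannot lock: $!";

# Assumed history format: Perl source defining %seen (hash => epoch of last
# signing) and ending in "1;", so the minimal file "1;" is valid and empty.
our %seen;
do $history or die "history file $history is missing or invalid: " . ($@ || $!);

if (exists $seen{$id} && time() - $seen{$id} < $window) {
    print "already signed ", time() - $seen{$id}, " seconds ago; refusing\n";
    exit 1;
}

# Record this key and rewrite the history file in the same Perl-syntax layout.
$seen{$id} = time();
open(my $out, '>', $history) or die "cannot write history: $!";
print $out "our \%seen = (\n";
print $out "    '$_' => $seen{$_},\n" for sort keys %seen;
print $out ");\n1;\n";
close $out;
print "recorded $id; ok to sign\n";
```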