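# ca.cnf -- OpenSSL configuration for the self-signed root CA.
# Read by genchain.sh:
#   openssl req -config ca.cnf            (writes priv/ca.key and req/ca.csr)
#   openssl ca  -config ca.cnf -selfsign  (issues cert/ca.crt)
# Relative paths resolve against the directory genchain.sh is run from.

HOME = .
# RANDFILE is ignored by OpenSSL >= 1.1.1; harmless on older releases.
RANDFILE = .rnd

[ ca ]
# The section `openssl ca` reads its settings from.
default_ca = CA_default

[ CA_default ]
# Where everything is kept; every other path derives from it.
dir = .
# Where the issued certs are kept.
certs = $dir/cert
# Where the issued CRLs are kept.
crl_dir = $dir
# Text database of issued certificates (genchain.sh creates it empty).
database = $dir/index.db
# Set to 'no' to allow several certificates with the same subject.
unique_subject = yes
# Where a copy of each newly issued certificate (<serial>.pem) is placed;
# cert/ to match im.cnf and cl.cnf.
new_certs_dir = $dir/cert
# The CA certificate; this is the file genchain.sh writes with -selfsign.
certificate = $certs/ca.crt
# The current serial number (genchain.sh passes -create_serial).
serial = $dir/serial
# The root private key. genchain.sh generates it with -nodes, i.e.
# unencrypted, so priv/ must not be readable by anyone but the owner.
private_key = $dir/priv/ca.key
RANDFILE = $dir/.rnd
# The extensions to add to the issued certificate.
x509_extensions = v3_ca
# Extensions present in the CSR but not set by v3_ca are copied into the
# issued certificate. Acceptable only because genchain.sh generates the
# CSR locally; never sign third-party requests with this setting.
copy_extensions = copy
# Subject name options.
name_opt = ca_default
# Certificate field options.
cert_opt = ca_default
# Validity in days (20 years).
default_days = 7300
# Days until the next CRL is due.
default_crl_days = 30
# Digest used for signing.
default_md = sha256
# Keep passed DN ordering.
preserve = no
policy = policy_match

[ policy_match ]
# DN fields a request must carry ('supplied') or may carry ('optional').
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# RSA key size for the root key.
default_bits = 4096
default_keyfile = priv/ca.key
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only consulted by `openssl req -x509`; genchain.sh issues the root via
# `openssl ca -selfsign`, which takes v3_ca from CA_default above.
x509_extensions = v3_ca
default_md = sha256
# Key passphrases. genchain.sh passes -nodes, so these are not used; a real
# passphrase stored here would be a plaintext secret -- prefer prompting.
input_password = <password>
output_password = <password>
# Only UTF8String subject encodings.
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
0.organizationName = Organization Name
0.organizationName_default = Corporation
commonName = Common Name
commonName_default = Global CA Root
commonName_max = 64

[ req_attributes ]
challengePassword = Password
challengePassword_min = 4
challengePassword_max = 20

[ v3_ca ]
# Root CA extensions. RFC 5280 requires basicConstraints to be critical on
# CA certificates. keyUsage is reduced to the two bits a CA key actually
# uses (signing certificates and CRLs) and marked critical so relying
# parties cannot ignore it; the previous list (nonRepudiation,
# digitalSignature, keyEncipherment, dataEncipherment, keyAgreement) had
# no use on a root and only widened what a stolen key could be used for.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
# No extendedKeyUsage on the root: EKU belongs on end-entity certificates,
# and some validators treat an EKU on a CA as a limit on every certificate
# issued below it.
# Legacy Netscape extension, kept for old clients.
nsCertType = sslCA, emailCA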
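# cl.cnf -- OpenSSL configuration for issuing leaf ("client") certificates
# from the intermediate CA.
# Read by genchain.sh:
#   openssl req -config cl.cnf  (writes priv/client.key and req/client.csr)
#   openssl ca  -config cl.cnf  (signs with priv/intermediate.key, issues cert/client.crt)
# Relative paths resolve against the directory genchain.sh is run from.

HOME = .
# RANDFILE is ignored by OpenSSL >= 1.1.1; harmless on older releases.
RANDFILE = .rnd

[ ca ]
# The section `openssl ca` reads its settings from.
default_ca = CA_default

[ CA_default ]
# Where everything is kept; every other path derives from it.
dir = .
# Where the issued certs are kept.
certs = $dir/cert
# Where the issued CRLs are kept.
crl_dir = $dir
# Text database of issued certificates.
database = $dir/index.db
# 'no' allows several certificates with the same subject, e.g. re-issuing
# a client certificate before the previous one has expired.
unique_subject = no
# Where a copy of each newly issued certificate (<serial>.pem) is placed.
new_certs_dir = $dir/cert
# The issuing (intermediate) CA certificate and private key.
certificate = $certs/intermediate.crt
# The current serial number.
serial = $dir/serial
private_key = $dir/priv/intermediate.key
RANDFILE = .rnd
# The extensions to add to every issued leaf certificate.
x509_extensions = usr_cert
# Extensions present in the CSR but not set by usr_cert are copied into
# the issued certificate. Acceptable only because genchain.sh generates
# the CSR locally; never sign third-party requests with this setting.
copy_extensions = copy
# Subject name options.
name_opt = ca_default
# Certificate field options.
cert_opt = ca_default
# Validity in days (one year).
default_days = 365
# Days until the next CRL is due.
default_crl_days = 30
# Digest used for signing.
default_md = sha256
# Keep passed DN ordering.
preserve = no
policy = policy_match

[ policy_match ]
# Only the commonName is required in a leaf request; no field is matched
# against the issuer's DN.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# RSA key size for the leaf key.
default_bits = 2048
default_keyfile = priv/client.key
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only consulted by `openssl req -x509`; genchain.sh signs the CSR with
# `openssl ca`, which takes usr_cert from CA_default above.
x509_extensions = usr_cert
default_md = sha256
# Key passphrases. genchain.sh passes -nodes, so these are not used; a real
# passphrase stored here would be a plaintext secret -- prefer prompting.
input_password = <password>
output_password = <password>
# Only UTF8String subject encodings.
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
localityName = Locality Name (eg, city)
localityName_default = Los Angeles
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Corporation
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = Password
challengePassword_min = 4
challengePassword_max = 20

[ usr_cert ]
# Leaf certificate extensions.
basicConstraints = CA:FALSE
# Critical, as RFC 5280 recommends, so a relying party cannot treat the
# leaf key as general-purpose by ignoring the extension.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Uncomment to put the names from [ alt_names ] into the issued
# certificate; TLS clients check the hostname against subjectAltName,
# not against commonName.
# subjectAltName = @alt_names

[ alt_names ]
# Replace the placeholders before enabling subjectAltName above.
DNS.1 = <domain>
IP.1 = <ip>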
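#!/bin/bash
#
# Small wizard to create a chain of trust using openssl,
# including one root certificate, an intermediate certificate
# and multiple client certificates. The openssl configuration
# lives in the separate files ca.cnf, im.cnf and cl.cnf.
#
# Usage: genchain [clean|help]

# Constants: the OpenSSL config file for each link of the chain.
CONFCA=ca.cnf
CONFIM=im.cnf
CONFCL=cl.cnf

# Check for config. A missing file is a hard error; exiting 0 here would
# make a failed run indistinguishable from a successful one.
for conf in "$CONFCA" "$CONFIM" "$CONFCL"; do
    if [ ! -f "$conf" ]; then
        echo "Missing OpenSSL config file: $conf" >&2
        exit 1
    fi
done

# stderr is silenced too, so a missing binary prints our message only.
if ! type openssl > /dev/null 2>&1; then
    echo "OpenSSL is not installed" >&2
    exit 1
fi

# Create directories. priv/ will hold private keys that the openssl req
# calls in this script write unencrypted (-nodes), so it is created
# owner-only; an existing priv/ keeps whatever mode it already has.
test -d cert || mkdir cert
test -d priv || mkdir -m 0700 priv
test -d req || mkdir req
touch index.db

# Force the C locale so openssl prompts and messages are predictable.
LANG=C
export LANG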
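# ask QUESTION [Y|N]: prompt until the user answers yes or no.
# Returns 0 for yes, 1 for no. The optional second argument is the
# default taken on an empty reply. When stdin is exhausted (EOF, e.g. a
# non-interactive run) the default is used, and the call returns 1 if
# there is none -- the old loop re-prompted forever in that case.
ask() {
    local question=$1 default prompt answer eof
    case "${2:-}" in
        Y) prompt="Y/n"; default=Y ;;
        N) prompt="y/N"; default=N ;;
        *) prompt="y/n"; default= ;;
    esac
    while true; do
        # Ask the question; -r keeps a typed backslash literal.
        read -r -p "$question [$prompt] " answer
        eof=$?
        # Default?
        [ -n "$answer" ] || answer=$default
        # Check if the reply is valid
        case "$answer" in
            [Yy]*) return 0 ;;
            [Nn]*) return 1 ;;
        esac
        # Nothing usable and no more input will arrive: give up rather
        # than spin on read.
        [ "$eof" -eq 0 ] || return 1
    done
}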
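# Create CA: self-signed root certificate (cert/ca.crt) and key (priv/ca.key).
# Returns non-zero as soon as one openssl step fails, so the caller does not
# go on to sign with a key or certificate that was never produced.
ca () {
    openssl req -new -config "$CONFCA" -nodes -out req/ca.csr || return 1
    # ca.cnf writes the key unencrypted (-nodes) to priv/ca.key; lock it
    # down to the owner before anything else happens.
    [ -f priv/ca.key ] && chmod 600 priv/ca.key
    openssl ca -create_serial -selfsign -config "$CONFCA" -in req/ca.csr -out cert/ca.crt || return 1
    openssl verify -CAfile cert/ca.crt cert/ca.crt
}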
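# Create intermediate: CSR signed by the root (im.cnf points `openssl ca`
# at priv/ca.key), then the ca-bundle used to verify leaf certificates.
# Returns non-zero on a missing root or a failed openssl step.
intermediate () {
    if [ ! -f cert/ca.crt ] || [ ! -f priv/ca.key ]; then
        echo "No CA root certificate present" >&2
        return 1
    fi
    openssl req -new -config "$CONFIM" -nodes -out req/intermediate.csr || return 1
    # im.cnf writes the key unencrypted (-nodes) to priv/intermediate.key.
    [ -f priv/intermediate.key ] && chmod 600 priv/intermediate.key
    openssl ca -config "$CONFIM" -in req/intermediate.csr -out cert/intermediate.crt || return 1
    openssl verify -CAfile cert/ca.crt cert/intermediate.crt || return 1
    # Bundle leaf-first (intermediate, then root) for clients that need
    # the whole chain.
    cat cert/intermediate.crt cert/ca.crt > cert/ca-bundle.crt
}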
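# Create client: leaf certificate signed by the intermediate, optionally
# exported as DER, PKCS#12 and PKCS#7 as well.
# Returns non-zero on a missing intermediate or a failed openssl step.
client () {
    if [ ! -f cert/intermediate.crt ] || [ ! -f priv/intermediate.key ] || [ ! -f cert/ca-bundle.crt ]; then
        echo "No intermediate certificate, key or ca-bundle present" >&2
        return 1
    fi
    echo "To add DNS and/or IP change subjectAltName in $CONFCL file"
    openssl req -new -config "$CONFCL" -nodes -out req/client.csr || return 1
    # cl.cnf writes the key unencrypted (-nodes) to priv/client.key.
    [ -f priv/client.key ] && chmod 600 priv/client.key
    openssl ca -config "$CONFCL" -in req/client.csr -out cert/client.crt || return 1
    openssl verify -CAfile cert/ca-bundle.crt cert/client.crt || return 1
    if ask "Export all formats?" Y; then
        openssl x509 -in cert/client.crt -out cert/client.der -outform DER || return 1
        # The PKCS#12 file contains the private key; openssl prompts for
        # an export password unless -passout is given.
        openssl pkcs12 -export -out cert/client.p12 -in cert/client.crt -inkey priv/client.key -chain -CAfile cert/ca-bundle.crt || return 1
        openssl crl2pkcs7 -nocrl -certfile cert/client.crt -certfile cert/ca-bundle.crt -out cert/client.p7b || return 1
    fi
}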
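# Command-line mode: "clean" wipes everything the wizard generated,
# "help" prints usage. Any other argument is rejected instead of being
# silently ignored.
case "${1:-}" in
    clean)
        rm -rf cert priv req index.* .rnd serial* *.pem
        exit 0
        ;;
    help|-h|--help)
        echo "Usage: genchain [clean|help]" >&2
        exit 0
        ;;
    "")
        ;;
    *)
        echo "Unknown argument: $1" >&2
        echo "Usage: genchain [clean|help]" >&2
        exit 1
        ;;
esac

# Interactive mode: build each link of the chain on request and stop at
# the first failure so later links are not signed against a broken chain.
if ask "Create CA root?" Y; then
    ca || exit 1
fi
if ask "Create intermediate?" Y; then
    intermediate || exit 1
fi
if ask "Create client?" Y; then
    client || exit 1
fi
echo "All certificates are created in cert/"
exit 0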
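# im.cnf -- OpenSSL configuration for the intermediate CA.
# Read by genchain.sh:
#   openssl req -config im.cnf  (writes priv/intermediate.key and req/intermediate.csr)
#   openssl ca  -config im.cnf  (signs with the ROOT key priv/ca.key, issues cert/intermediate.crt)
# Relative paths resolve against the directory genchain.sh is run from.

HOME = .
# RANDFILE is ignored by OpenSSL >= 1.1.1; harmless on older releases.
RANDFILE = .rnd

[ ca ]
# The section `openssl ca` reads its settings from.
default_ca = CA_default

[ CA_default ]
# Where everything is kept; every other path derives from it.
dir = .
# Where the issued certs are kept.
certs = $dir/cert
# Where the issued CRLs are kept.
crl_dir = $dir
# Text database of issued certificates.
database = $dir/index.db
# Set to 'no' to allow several certificates with the same subject.
unique_subject = yes
# Where a copy of each newly issued certificate (<serial>.pem) is placed.
new_certs_dir = $dir/cert
# The signing CA is the root: its certificate and private key.
certificate = $certs/ca.crt
# The current serial number.
serial = $dir/serial
# The root private key. genchain.sh generates it with -nodes, i.e.
# unencrypted, so priv/ must not be readable by anyone but the owner.
private_key = $dir/priv/ca.key
RANDFILE = $dir/.rnd
# The extensions to add to the issued (intermediate) certificate.
x509_extensions = v3_ca
# Extensions present in the CSR but not set by v3_ca are copied into the
# issued certificate. Acceptable only because genchain.sh generates the
# CSR locally; never sign third-party requests with this setting.
copy_extensions = copy
# Subject name options.
name_opt = ca_default
# Certificate field options.
cert_opt = ca_default
# Validity in days (10 years).
default_days = 3650
# Days until the next CRL is due.
default_crl_days = 30
# Digest used for signing.
default_md = sha256
# Keep passed DN ordering.
preserve = no
policy = policy_match

[ policy_match ]
# countryName and organizationName must equal the root's; commonName must
# be present; the rest is optional.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# RSA key size for the intermediate key.
default_bits = 2048
default_keyfile = priv/intermediate.key
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only consulted by `openssl req -x509`; genchain.sh signs the CSR with
# `openssl ca`, which takes v3_ca from CA_default above.
x509_extensions = v3_ca
default_md = sha256
# Key passphrases. genchain.sh passes -nodes, so these are not used; a real
# passphrase stored here would be a plaintext secret -- prefer prompting.
input_password = <password>
output_password = <password>
# Only UTF8String subject encodings.
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
0.organizationName = Organization Name
0.organizationName_default = Corporation
commonName = Common Name
commonName_default = External CA G2
commonName_max = 64

[ req_attributes ]
challengePassword = Password
challengePassword_min = 4
challengePassword_max = 20

[ v3_ca ]
# Intermediate CA extensions. basicConstraints is critical as RFC 5280
# requires on CA certificates; pathlen:0 means this CA may issue only
# end-entity certificates, never another CA. keyUsage carries just the
# two bits a CA key uses and is critical so relying parties cannot
# ignore it.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
# Legacy Netscape extension, kept for old clients.
nsCertType = sslCA, emailCA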