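# Global settings (presumably ca.cnf, the root-CA config that genchain reads
# as CONFCA; the key and certificate paths below match that role).
HOME = .
RANDFILE = .rnd

[ ca ]
default_ca = CA_default # The default ca section

# Settings used by 'openssl ca' when self-signing the root
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/cert # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.db # database index file.
unique_subject = yes # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/cert # default place for new certs (<serial>.pem copies), same as the other configs
certificate = $certs/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/priv/ca.key # The private key
RANDFILE = $dir/.rnd # private random number file
x509_extensions = v3_ca # The extensions to add to the cert
# 'copy' imports every extension from the CSR that v3_ca does not already
# set. Only sign requests produced by this wizard: a CSR from elsewhere
# could carry extensions (e.g. subjectAltName) straight into the cert.
copy_extensions = copy
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 7300 # how long to certify for (about 20 years)
default_crl_days = 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match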
[ policy_match ]
# DN policy enforced by 'openssl ca' on the request: 'supplied' fields must
# be present, 'optional' fields may be present. No field is required to
# match the CA's own DN here because this config self-signs the root.
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Settings used by 'openssl req' when generating the root key and CSR
[ req ]
default_bits = 4096
default_keyfile = priv/ca.key
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
default_md = sha256
# Placeholders, not passphrases: keep real secrets out of this file.
# genchain runs 'openssl req ... -nodes', so the key is written unencrypted
# and output_password is not used; input_password only matters when an
# existing key is passed in with -key.
input_password = <password>
output_password = <password>
# Restrict DN string types to UTF8String
string_mask = utf8only

# Prompts, defaults and length limits for the root DN
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
0.organizationName = Organization Name
0.organizationName_default = Corporation
commonName = Common Name
commonName_default = Global CA Root
commonName_max = 64

# Optional CSR attributes (challenge password prompt)
[ req_attributes ]
challengePassword = Password
challengePassword_min = 4
challengePassword_max = 20
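# Root CA extensions. basicConstraints and keyUsage are critical so relying
# parties must honour them; a CA key only needs keyCertSign and cRLSign.
# The broad key usages and the extendedKeyUsage list that used to be here
# belong on end-entity certificates, not on the root (the intermediate
# config already restricts its v3_ca the same way).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
# Legacy Netscape extension, kept for old clients
nsCertType = sslCA, emailCA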
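# Global settings (presumably cl.cnf, the config genchain reads as CONFCL:
# client certificates issued and signed by the intermediate).
HOME = .
RANDFILE = .rnd

[ ca ]
default_ca = CA_default # The default ca section

# Settings used by 'openssl ca' when the intermediate signs a client CSR
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/cert # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.db # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/cert # default place for new certs.
certificate = $certs/intermediate.crt # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/priv/intermediate.key # The private key
RANDFILE = $dir/.rnd # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# 'copy' imports every extension from the CSR that usr_cert does not already
# set. Only sign requests produced by this wizard: a CSR from elsewhere
# could carry extensions (e.g. subjectAltName) straight into the cert.
copy_extensions = copy
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for (one year)
default_crl_days = 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match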
[ policy_match ]
# DN policy enforced by 'openssl ca' on the client request: only the
# commonName must be present ('supplied'); everything else is 'optional'.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Settings used by 'openssl req' when generating the client key and CSR
[ req ]
default_bits = 2048
default_keyfile = priv/client.key
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = usr_cert
default_md = sha256
# Placeholders, not passphrases: keep real secrets out of this file.
# genchain runs 'openssl req ... -nodes', so the key is written unencrypted
# and output_password is not used; input_password only matters when an
# existing key is passed in with -key.
input_password = <password>
output_password = <password>
# Restrict DN string types to UTF8String
string_mask = utf8only

# Prompts, defaults and length limits for the client DN
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
localityName = Locality Name (eg, city)
localityName_default = Los Angeles
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Corporation
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

# Optional CSR attributes (challenge password prompt)
[ req_attributes ]
challengePassword = Password
challengePassword_min = 4
challengePassword_max = 20
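# End-entity extensions for the client certificates the intermediate issues.
# basicConstraints and keyUsage are critical so the certificate can never be
# accepted as a CA or used for anything beyond the listed usages.
[ usr_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Enable this (and fill in [ alt_names ]) to issue a certificate for a host:
# modern clients match serverAuth certificates on subjectAltName, not on
# the commonName.
# subjectAltName = @alt_names

# Placeholders for subjectAltName; replace them before enabling the line
# above, otherwise the literal text would be copied into the certificate.
[ alt_names ]
DNS.1 = <domain>
IP.1 = <ip>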
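#!/bin/bash
#
# Small wizard to create a chain of trust using openssl
# including one root certificate, an intermediate certificate
# and multiple client certificates. The openssl config is done
# using the separate files (ca.cnf, im.cnf, cl.cnf).
#
# Usage: genchain          interactive wizard
#        genchain clean    remove everything generated, private keys included
#        genchain help     print usage

# Constants: one openssl config per tier of the chain
CONFCA=ca.cnf
CONFIM=im.cnf
CONFCL=cl.cnf

# Check for config. A missing config is an error, not a silent success,
# so the caller can tell the chain was never built.
for cnf in "$CONFCA" "$CONFIM" "$CONFCL"; do
    if [ ! -f "$cnf" ]; then
        echo "Missing openssl config: $cnf" >&2
        exit 1
    fi
done
if ! type openssl > /dev/null 2>&1; then
    echo "OpenSSL is not installed" >&2
    exit 1
fi

# Create directories. priv/ receives the CA and client private keys, which
# the wizard writes unencrypted (-nodes), so it is created owner-only.
# An existing priv/ is left as it is.
test -d cert || mkdir cert
test -d priv || mkdir -m 700 priv
test -d req || mkdir req
touch index.db

# Run the rest under the C locale (presumably to keep openssl's prompts
# and output uniform)
LANG=C
export LANG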
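# ask QUESTION [Y|N]
# Prompt for a yes/no answer. The optional second argument selects the
# default used for an empty reply; without a default the question repeats
# until a valid answer is given. Returns 0 for yes, 1 for no.
# When input runs out (stdin closed or redirected from an empty file) the
# default is used if there is one, otherwise 1 is returned rather than
# re-asking forever.
ask() {
    local prompt default
    case "${2:-}" in
        Y) prompt="Y/n"; default=Y ;;
        N) prompt="y/N"; default=N ;;
        *) prompt="y/n"; default= ;;
    esac
    while true; do
        # Ask the question (-r keeps backslashes in the reply literal)
        if ! read -r -p "$1 [$prompt] " REPLY && [ -z "$REPLY" ]; then
            # End of input with nothing typed: fall back to the default
            [ -n "$default" ] || return 1
        fi
        # Default?
        if [ -z "$REPLY" ]; then
            REPLY=$default
        fi
        # Check if the reply is valid
        case "$REPLY" in
            Y*|y*) return 0 ;;
            N*|n*) return 1 ;;
        esac
    done
}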
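# Create CA: root key and CSR from $CONFCA, then a self-signed certificate.
# -nodes writes the root key unencrypted at the path default_keyfile names
# in $CONFCA; protect that file. Returns non-zero as soon as a step fails
# so a half-built root is not reused by the following steps.
ca () {
    openssl req -new -config "$CONFCA" -nodes -out req/ca.csr || return 1
    openssl ca -create_serial -selfsign -in req/ca.csr -out cert/ca.crt -config "$CONFCA" || return 1
    openssl verify -CAfile cert/ca.crt cert/ca.crt
}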
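# Create intermediate: key and CSR from $CONFIM, signed by the root through
# the CA_default section of $CONFIM, verified, then bundled with the root.
# The bundle is only written after the verification succeeded, so a failed
# signing step cannot leave a bundle that contains the root alone.
intermediate () {
    if [ ! -f cert/ca.crt ] || [ ! -f priv/ca.key ]; then
        echo "No CA root certificate present" >&2
        exit 1
    fi
    openssl req -new -config "$CONFIM" -nodes -out req/intermediate.csr || return 1
    openssl ca -config "$CONFIM" -in req/intermediate.csr -out cert/intermediate.crt || return 1
    openssl verify -CAfile cert/ca.crt cert/intermediate.crt || return 1
    cat cert/intermediate.crt cert/ca.crt > cert/ca-bundle.crt
}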
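# Create client: key and CSR from $CONFCL, signed by the intermediate through
# the CA_default section of $CONFCL, verified against the bundle, and
# optionally exported as DER, PKCS#12 (key plus chain) and PKCS#7.
# Every step returns non-zero on failure instead of carrying on.
client () {
    if [ ! -f cert/intermediate.crt ] || [ ! -f priv/intermediate.key ]; then
        echo "No intermediate CA certificate present" >&2
        exit 1
    fi
    echo "To add DNS and/or IP change subjectAltName in $CONFCL file"
    openssl req -new -config "$CONFCL" -nodes -out req/client.csr || return 1
    openssl ca -config "$CONFCL" -in req/client.csr -out cert/client.crt || return 1
    openssl verify -CAfile cert/ca-bundle.crt cert/client.crt || return 1
    if ask "Export all formats?" Y; then
        openssl x509 -in cert/client.crt -out cert/client.der -outform DER || return 1
        # The .p12 carries the client private key; openssl asks for an export
        # password for it unless one is supplied on the command line
        openssl pkcs12 -export -out cert/client.p12 -in cert/client.crt -inkey priv/client.key -chain -CAfile cert/ca-bundle.crt || return 1
        openssl crl2pkcs7 -nocrl -certfile cert/client.crt -out cert/client.p7b -certfile cert/ca-bundle.crt || return 1
    fi
}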
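# Cleanup: removes everything the wizard generated, including the private
# keys in priv/. There is no way to recover them afterwards.
if [ "${1:-}" == "clean" ]; then
    rm -rf cert priv req index.* .rnd serial* *.pem
    exit 0
fi
# Help
if [ "${1:-}" == "help" ]; then
    echo "Usage: genchain [clean|help]" >&2
    exit 0
fi
# Any other argument is a usage error rather than a silent start of the wizard
if [ -n "${1:-}" ]; then
    echo "Usage: genchain [clean|help]" >&2
    exit 1
fi
# Each tier stops the wizard when its openssl steps failed, so the next
# tier is never built on a broken one
if ask "Create CA root?" Y; then
    ca || exit 1
fi
if ask "Create intermediate?" Y; then
    intermediate || exit 1
fi
if ask "Create client?" Y; then
    client || exit 1
fi
echo "All certificates are created in cert/"
exit 0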
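# Global settings (presumably im.cnf, the config genchain reads as CONFIM:
# the intermediate CA, signed by the root key below).
HOME = .
RANDFILE = .rnd

[ ca ]
default_ca = CA_default # The default ca section

# Settings used by 'openssl ca' when the root signs the intermediate CSR
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/cert # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.db # database index file.
unique_subject = yes # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/cert # default place for new certs.
certificate = $certs/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/priv/ca.key # The private key
RANDFILE = $dir/.rnd # private random number file
x509_extensions = v3_ca # The extensions to add to the cert
# 'copy' imports every extension from the CSR that v3_ca does not already
# set. Only sign requests produced by this wizard: a CSR from elsewhere
# could carry extensions straight into the intermediate certificate.
copy_extensions = copy
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 3650 # how long to certify for (about 10 years)
default_crl_days = 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match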
[ policy_match ]
# DN policy enforced by 'openssl ca' on the intermediate request: 'match'
# fields must equal the signing root's own DN field, 'supplied' fields must
# be present, 'optional' fields may be present.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Settings used by 'openssl req' when generating the intermediate key and CSR
[ req ]
default_bits = 2048
default_keyfile = priv/intermediate.key
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
default_md = sha256
# Placeholders, not passphrases: keep real secrets out of this file.
# genchain runs 'openssl req ... -nodes', so the key is written unencrypted
# and output_password is not used; input_password only matters when an
# existing key is passed in with -key.
input_password = <password>
output_password = <password>
# Restrict DN string types to UTF8String
string_mask = utf8only

# Prompts, defaults and length limits for the intermediate DN; the country
# and organization defaults must equal the root's because policy_match
# requires them to match.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
0.organizationName = Organization Name
0.organizationName_default = Corporation
commonName = Common Name
commonName_default = External CA G2
commonName_max = 64

# Optional CSR attributes (challenge password prompt)
[ req_attributes ]
challengePassword = Password
challengePassword_min = 4
challengePassword_max = 20
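# Intermediate CA extensions. pathlen:0 lets it sign end-entity certificates
# only, never another CA; basicConstraints and keyUsage are critical so
# relying parties must enforce both.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
# Legacy Netscape extension, kept for old clients
nsCertType = sslCA, emailCA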