Last active
September 3, 2018 13:19
-
-
Save amolkahat/b5d826a08c74efd2b9e0cd7539a17b34 to your computer and use it in GitHub Desktop.
Generating CA certificate and Server certificate with nss.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # cat ca_with_nss.sh | |
| mkdir -p /root/nssdb | |
| echo "SECret.123" > /root/nssdb/password.txt | |
| certutil -N -d /root/nssdb -f /root/nssdb/password.txt | |
| openssl rand -out /root/nssdb/noise.bin 2048 | |
| SKID="0x`openssl rand -hex 20`" | |
| OCSP="http://$HOSTNAME:8080/ca/ocsp" | |
| echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \ | |
| certutil -S \ | |
| -x \ | |
| -d /root/nssdb \ | |
| -f /root/nssdb/password.txt \ | |
| -z /root/nssdb/noise.bin \ | |
| -n "CA Signing Certificate" \ | |
| -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \ | |
| -t "CT,C,C" \ | |
| -m $RANDOM \ | |
| -k rsa \ | |
| -g 2048 \ | |
| -Z SHA256 \ | |
| -2 \ | |
| -3 \ | |
| --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation \ | |
| --extAIA \ | |
| --extSKID | |
| openssl rand -out /root/nssdb/noise.bin 2048 | |
| certutil -R \ | |
| -d /root/nssdb \ | |
| -f /root/nssdb/password.txt \ | |
| -z /root/nssdb/noise.bin \ | |
| -k rsa \ | |
| -g 2048 \ | |
| -Z SHA256 \ | |
| -s "CN=$HOSTNAME,O=RedHat" \ | |
| --extSAN dns:www.$HOSTNAME,dns:www.$HOSTNAME \ | |
| --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ | |
| --extKeyUsage serverAuth \ | |
| -o /root/nssdb/sslserver.csr.der | |
| openssl req -inform der -in /root/nssdb/sslserver.csr.der -out /root/nssdb/sslserver.csr | |
| echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \ | |
| certutil -C \ | |
| -x \ | |
| -d /root/nssdb \ | |
| -f /root/nssdb/password.txt \ | |
| -m $RANDOM \ | |
| -a \ | |
| -i /root/nssdb/sslserver.csr \ | |
| -o /root/nssdb/sslserver.pem \ | |
| -2 \ | |
| -3 \ | |
| --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation \ | |
| --extAIA \ | |
| --extSKID | |
| certutil -A -d /root/nssdb \ | |
| -n "server cert" -i /root/nssdb/sslserver.pem \ | |
| -t 'u,u,u' -f /root/nssdb/password.txt | |
| certutil -L -d /root/nssdb -n "CA Signing Certificate" -a \ | |
| -o /root/nssdb/ca_cert.pem | |
| pk12util -o /root/nssdb/server_cert.p12 -n "server cert" -d /root/nssdb/ \ | |
| -w /root/nssdb/password.txt -k /root/nssdb/password.txt | |
| openssl pkcs12 -in /root/nssdb/server_cert.p12 -nocerts -out /root/nssdb/server_key.key \ | |
| -nodes --passin "pass:SECret.123" -passout "pass:SECret.123" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment