Created
May 17, 2021 16:29
-
-
Save benwarfield-usds/be10239c7f520e7ae6b7af47850db84d to your computer and use it in GitHub Desktop.
Single-file Certificate Authority for local testing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# All the rules we need to create local Certificate Authority, Server, and Client certificates | |
KEY_SIZE=4096 | |
BASE_DN?=/C=US/ST=DC/L=Washington/O=Fake\ CA | |
CA_NAME?=Fake\ Certificate\ Authority | |
# this is traditional: | |
KEYSTORE_PASSWORD?=changeit | |
TRUSTSTORE_PASSWORD?=yololol | |
CLIENT_PASSWORD?=justdoit | |
# Variables to allow customization of certificate DNs. | |
CLIENT_RDN ?= CN=$(CLIENT_CN)+UID=$(CLIENT_UID) | |
CLIENT_UID ?= $(shell echo -n $* | md5) | |
CLIENT_CN ?= $* | |
SERVER_NAME ?= localhost | |
CURL_WITH_CA = curl --cacert ca.crt https://localhost:8443/auth-info | |
.PRECIOUS: %.key %.password %.crt | |
# By default, create a server truststore and keystore, and create two different user certificates | |
default: truststore.jks keystore.p12 etl-robot.p12 tony.p12 | |
# Make a request using the CRT file and password | |
robot-demo: etl-robot.crt | |
$(CURL_WITH_CA) -E etl-robot.crt:`cat etl-robot.password` --key etl-robot.key | jq | |
# Make a request using the PKCS12 file and password | |
robot-demo-p12: etl-robot.p12 | |
$(CURL_WITH_CA) -E etl-robot.p12:justdoit | jq | |
# "clean" would be the normal name for this target, but wanted to make it a little | |
# harder to nuke everything | |
realclean: | |
rm *.{csr,key,password,crt,jks,p12} | |
# this could be rendered obsolete by just using the '-nodes' ("No DES") option to genrsa | |
%.password: | |
openssl rand -base64 32 -out $@ | |
%.key: %.password | |
openssl genrsa -aes256 -out $@ -passout file:$< $(KEY_SIZE) | |
%.csr: %.key | |
openssl req -new -key $< -out $@ -subj "$(BASE_DN)/$(CLIENT_RDN)" -passin file:$*.password -multivalue-rdn | |
%.crt: %.csr ca.crt | |
openssl x509 -req -in $< -CA ca.crt -CAkey ca.key -out $@ -passin file:ca.password -CAcreateserial | |
%.p12: %.crt | |
openssl pkcs12 -export -in $< -inkey $*.key -out $@ -name $* -passin file:$*.password -passout pass:$(CLIENT_PASSWORD) | |
server.csr: server.key | |
openssl req -new -key $< -out $@ -subj "$(BASE_DN)/CN=$(SERVER_NAME)" -passin file:server.password | |
ca.crt: ca.key | |
openssl req -x509 -new -key $< -out $@ -subj "$(BASE_DN)/CN=$(CA_NAME)" -passin file:ca.password -multivalue-rdn -days 3650 | |
keystore.p12: server.crt | |
openssl pkcs12 -export -in server.crt -inkey server.key -out $@ -name localhost -passin file:server.password -passout pass:$(KEYSTORE_PASSWORD) | |
truststore.jks: ca.crt | |
keytool -import -keystore $@ -file ./ca.crt -alias localCA -storepass $(TRUSTSTORE_PASSWORD) -noprompt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment