@cagerton
Created June 10, 2020 08:04
Test Certificate Generator

TinyCA

This is handy for generating transient keys and certificates for use in unit tests.

Notable files generated by running tinyca.sh:

  • ca.pem - The self-signed root CA certificate. Add it to the test client's trust store (not the system's).
  • server.key - The server's private key (P-256, unencrypted).
  • server.pem - The server's certificate, valid for example.com and *.example.com (via subjectAltName) and issued for 100 years (default_days = 36500).
  • expired.pem - The same server certificate signed with a validity period that starts and ends in November 2000, for testing expiry handling.
  • ca - The CA's private key (ca/ca.key) and the openssl ca database (index.txt, serial, issued certificates).

Disclaimer: This does not include the security measures appropriate for a security-critical PKI: the CA private key is an unencrypted file on disk, nothing is ever revoked, and certificates are issued for 100 years. Do not add ca.pem to your system's trust store; it belongs only in the trust store of the test client.

tinyca.cnf:

```ini
# openssl ca configuration. All paths are relative to the directory tinyca.sh runs in.
[ ca ]
default_ca = tinyca

[ tinyca ]
dir = ./ca
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/ca.key
certificate = ./ca.pem
new_certs_dir = $certs
name_opt = ca_default
cert_opt = ca_default
# Allow several certificates with the same subject (server.pem and expired.pem share one).
unique_subject = no
x509_extensions = v3_ca
default_md = sha256
policy = policy_anything
preserve = no
email_in_dn = false
# ~100 years, so test certificates never expire underneath a test suite.
default_days = 36500

[ policy_anything ]
organizationName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name
string_mask = utf8only
x509_extensions = v3_req
req_extensions = v3_req
attributes = req_attributes

[ req_attributes ]

# Extensions written into the CSR. openssl ca does not copy them (copy_extensions is
# unset); the section named by -extensions on the command line is used instead.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ req_distinguished_name ]
commonName = Common Name
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

# Root CA profile.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:TRUE
keyUsage = critical,cRLSign,keyCertSign

# Leaf profile. This must stay the last section of the file: tinyca.sh appends
# subjectAltName to the end of the config at signing time, and it has to land here.
[ server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
```
tinyca.sh:

```bash
#!/usr/bin/env bash
set -e
OPENSSL_BIN=openssl
CONFIG=tinyca.cnf

# CA state: issued certificates, the index database and (after -create_serial) the serial file.
mkdir -p ca/certs
touch ca/index.txt

# Root CA: P-256 key and CSR, then self-signed through `openssl ca` so the root is
# recorded in the CA database like any other issued certificate.
${OPENSSL_BIN} ecparam -genkey -name prime256v1 > ca/ca.key
${OPENSSL_BIN} req -new -key ca/ca.key -out ca/ca.req -sha256 -extensions v3_ca -config "${CONFIG}" \
  -subj "/O=Unit Test, Inc./CN=Test Root CA"
${OPENSSL_BIN} ca -create_serial -out ca.pem -keyfile ca/ca.key -selfsign -extensions v3_ca -batch \
  -config "${CONFIG}" -infiles ca/ca.req

# Server key and CSR.
${OPENSSL_BIN} ecparam -genkey -name prime256v1 > server.key
${OPENSSL_BIN} req -new -sha256 -key server.key -out server.req -config "${CONFIG}" \
  -subj "/O=Demo, Inc./CN=example.com"

# Sign with the [server] profile. The subjectAltName is appended to the config through a
# process substitution, so it becomes part of [server], the last section of tinyca.cnf.
${OPENSSL_BIN} ca -extensions server -in server.req -out server.pem -batch -keyfile ./ca/ca.key -cert ca.pem \
  -config <(cat "${CONFIG}" <(printf "subjectAltName = \"DNS:*.example.com,DNS:example.com\""))

# Same CSR and profile, but with a validity period that begins and ends in November 2000.
${OPENSSL_BIN} ca -extensions server -in server.req -out expired.pem -batch -keyfile ./ca/ca.key -cert ca.pem \
  -config <(cat "${CONFIG}" <(printf "subjectAltName = \"DNS:*.example.com,DNS:example.com\"")) \
  -startdate 20001111000000Z -enddate 20001111000000Z
```
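A check that the generated files actually do what the list above promises, as an added example that is not part of the gist: it confirms that server.pem chains to ca.pem, that it is accepted for example.com and www.example.com but not for a.b.example.com (a wildcard covers exactly one label), that expired.pem is rejected only because of its validity period, and that server.key is the private half of the key in server.pem. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH. The fixture generator `make_fixture_ca` exists only so the checks can run stand-alone; it is a hypothetical stand-in for tinyca.sh that builds the same set of files in a temporary directory, self-signing the root with `openssl req -x509` and placing the subjectAltName directly in the [server] section instead of appending it at signing time.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: check that the files tinyca.sh produced behave as
# the README describes. Assumes an `openssl` binary (1.1.1 or 3.x) on PATH.

# check_tinyca_outputs DIR: DIR holds ca.pem, server.pem, server.key and expired.pem.
# Returns 0 only when every check passes; each failure is reported on stderr.
check_tinyca_outputs() {
  local dir=$1 fails=0 host
  local ca="$dir/ca.pem" srv="$dir/server.pem" key="$dir/server.key" exp="$dir/expired.pem"
  fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }

  # 1. basicConstraints: the root is a CA, the leaf is not.
  openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || fail "ca.pem is not marked CA:TRUE"
  openssl x509 -in "$srv" -noout -text 2>/dev/null | grep -q 'CA:FALSE' \
    || fail "server.pem is not marked CA:FALSE"

  # 2. server.pem chains to ca.pem and is valid today.
  openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 \
    || fail "server.pem does not verify against ca.pem"

  # 3. Hostname matching: the SAN covers example.com and exactly one wildcard label.
  for host in example.com www.example.com; do
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$srv" >/dev/null 2>&1 \
      || fail "server.pem should be accepted for $host"
  done
  for host in a.b.example.com notexample.com example.org; do
    if openssl verify -CAfile "$ca" -verify_hostname "$host" "$srv" >/dev/null 2>&1; then
      fail "server.pem must not be accepted for $host"
    fi
  done

  # 4. expired.pem is rejected, and only because of its validity period.
  if openssl verify -CAfile "$ca" "$exp" >/dev/null 2>&1; then
    fail "expired.pem was accepted"
  fi
  openssl verify -CAfile "$ca" -no_check_time "$exp" >/dev/null 2>&1 \
    || fail "expired.pem fails for a reason other than expiry"

  # 5. server.key is the private half of the key certified in server.pem.
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$srv" -noout -pubkey 2>/dev/null)" ] \
    || fail "server.key does not match server.pem"

  [ "$fails" -eq 0 ]
}

# make_fixture_ca DIR: hypothetical stand-in for tinyca.sh used only for stand-alone runs.
# The root is self-signed with `openssl req -x509`, and the SAN is part of [server].
make_fixture_ca() {
  local d=$1
  mkdir -p "$d/ca/certs" && : > "$d/ca/index.txt" && echo 01 > "$d/ca/serial" || return 1
  cat > "$d/tinyca.cnf" <<'EOF'
[ ca ]
default_ca = tinyca
[ tinyca ]
dir = ./ca
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $certs
private_key = $dir/ca.key
certificate = ./ca.pem
default_md = sha256
default_days = 36500
policy = policy_anything
unique_subject = no
[ policy_anything ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:TRUE
keyUsage = critical,cRLSign,keyCertSign
[ server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:*.example.com,DNS:example.com
EOF
  (
    cd "$d" &&
    openssl ecparam -genkey -name prime256v1 -noout > ca/ca.key &&
    openssl req -x509 -new -key ca/ca.key -sha256 -days 3650 -config tinyca.cnf -extensions v3_ca \
      -subj "/O=Unit Test, Inc./CN=Test Root CA" -out ca.pem &&
    openssl ecparam -genkey -name prime256v1 -noout > server.key &&
    openssl req -new -key server.key -sha256 -config tinyca.cnf \
      -subj "/O=Demo, Inc./CN=example.com" -out server.req &&
    openssl ca -config tinyca.cnf -batch -extensions server -in server.req -out server.pem &&
    openssl ca -config tinyca.cnf -batch -extensions server -in server.req -out expired.pem \
      -startdate 20001111000000Z -enddate 20001112000000Z
  ) >/dev/null 2>&1
}

# tinyca_selftest: build the fixture in a temporary directory, check it, clean up.
tinyca_selftest() {
  local tmp rc=1
  tmp=$(mktemp -d) || return 1
  if make_fixture_ca "$tmp"; then
    check_tinyca_outputs "$tmp" && rc=0
  else
    echo "FAIL: could not build the fixture CA (is openssl on PATH?)" >&2
  fi
  rm -rf "$tmp"
  return "$rc"
}

# `./check_tinyca.sh DIR` checks DIR (e.g. the directory tinyca.sh ran in); `--selftest` uses the fixture.
case "${1:-}" in --selftest) tinyca_selftest ;; ?*) check_tinyca_outputs "$1" ;; esac
```

The hostname checks go through `openssl verify -verify_hostname`, which applies the same wildcard rules a TLS client does, so `www.example.com` passes and `a.b.example.com` does not; if a test needs deeper names, the SAN in tinyca.sh must list them. The `-no_check_time` pass on expired.pem is what separates "expired" from "otherwise broken": a fixture that fails both is not exercising the expiry path at all.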