@danstn
Created April 25, 2017 13:32
Home Certificate Authority
#!/usr/bin/env bash
set -e
echo -n "Enter server name (e.g. nginx-server): "
read -r server
echo "===> [INFO] Generating certs for: $server"
echo "===> [Step 1] Generating Certificate Request (CSR)..."
# No -days here: it is ignored for a CSR. Validity is set at signing time
# (default_days in openssl.cnf, or -days on `openssl ca`).
openssl req -config ./openssl.cnf -new -nodes -keyout "private/$server.key" -out "$server.csr"
echo "===> [Step 2] Signing the request"
openssl ca -config ./openssl.cnf -policy policy_anything -out "certs/$server.crt" -infiles "$server.csr"
echo "===> [INFO] Deleting CSR: $server.csr"
rm -f "$server.csr"
echo "===> [INFO] Verifying the certificate..."
# Prints the issued certificate for manual inspection
openssl x509 -in "certs/$server.crt" -noout -text
danstn commented Apr 25, 2017

Resources

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

http://www.ulduzsoft.com/2012/01/creating-a-certificate-authority-and-signing-the-ssl-certificates-using-openssl/

Server certificate and key in one file

cat certs/server.crt private/server.key > private/server-key-cert.pem
chown root:root private/server-key-cert.pem
chmod 0400 private/server-key-cert.pem
rm -f certs/server.crt
rm -f private/server.key

Revoke a Server Certificate

Revoke certificate:

openssl ca -config openssl.my.cnf -revoke certs/server.crt

Generate new CRL (Certificate Revocation List):

openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl
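
The script's last step only prints the certificate, and the revoke steps above do not show the effect of the CRL. The following is an added example, not part of the original gist: it checks chain, key pairing and revocation status against a throwaway CA built in a temporary directory. The function names, `ca.cnf`, the file names and the CNs are all constructed for the demo, and the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example. The throwaway CA, file names and CNs are constructed for this demo.

# check_cert CERT KEY CA_CERT [CRL]
# Prints one of: ok | bad-chain | key-mismatch | revoked | crl-error
check_cert() {
  local cert=$1 key=$2 ca=$3 crl=${4:-} out
  # 1. Chain: was the certificate really signed by this CA?
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo bad-chain; return; }
  # 2. Pairing: does the private key match the certificate's public key?
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo key-mismatch; return; }
  # 3. Revocation: consult the CRL written by `openssl ca -gencrl`, when one is given.
  if [ -n "$crl" ]; then
    out=$(openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" 2>&1) || {
      case $out in *"certificate revoked"*) echo revoked ;; *) echo crl-error ;; esac
      return
    }
  fi
  echo ok
}

# make_demo_ca DIR: throwaway CA in DIR plus one issued server certificate.
make_demo_ca() (
  cd "$1" && umask 077 && : > index.txt && echo 01 > serial &&
  printf '%s\n' '[ca]' 'default_ca = demo' '[demo]' 'database = index.txt' \
    'new_certs_dir = .' 'serial = serial' 'certificate = ca.crt' 'private_key = ca.key' \
    'default_md = sha256' 'default_days = 30' 'default_crl_days = 7' \
    'policy = policy_anything' '[policy_anything]' 'commonName = supplied' \
    '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf &&
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Demo Home CA' -keyout ca.key -out ca.crt &&
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -subj '/CN=nginx-server' -keyout server.key -out server.csr &&
  openssl ca -config ca.cnf -batch -notext -in server.csr -out server.crt
) >/dev/null 2>&1

# revoke_demo DIR: the revoke and -gencrl steps from this page, run against the demo CA.
revoke_demo() (
  cd "$1" && openssl ca -config ca.cnf -revoke server.crt &&
  openssl ca -config ca.cnf -gencrl -out ca.crl
) >/dev/null 2>&1

d=$(mktemp -d) && make_demo_ca "$d"
echo "before revoke: $(check_cert "$d/server.crt" "$d/server.key" "$d/ca.crt")"              # ok
revoke_demo "$d"
echo "after revoke:  $(check_cert "$d/server.crt" "$d/server.key" "$d/ca.crt" "$d/ca.crl")"  # revoked
rm -rf "$d"
```

A revoked certificate still passes the plain chain check; it is rejected only by clients that are given the current CRL and check it.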
