Skip to content

Instantly share code, notes, and snippets.

@danstn
Created April 25, 2017 13:32
Show Gist options
  • Save danstn/71154c04248021d993d74247afe17c06 to your computer and use it in GitHub Desktop.
Save danstn/71154c04248021d993d74247afe17c06 to your computer and use it in GitHub Desktop.
Home Certificate Authority
#!/usr/bin/bash
set -e
echo -n "Enter server name (i.e. nginx-server): "
read server
echo "===> [INFO] Generating certs for: $server"
echo "===> [Step 1] Generating Certificate Request (CSR)..."
openssl req -config ./openssl.cnf -new -nodes -keyout private/$server.key -out $server.csr -days 365
echo "===> [Step 2] Signing the request"
openssl ca -config ./openssl.cnf -policy policy_anything -out certs/$server.crt -infiles $server.csr
echo "===> [INFO] Deleting CSR: $server.csr"
rm -f $server.csr
echo "===> [INFO] Verifying the certificate..."
openssl x509 -in certs/$server.crt -noout -text
@danstn
Copy link
Author

danstn commented Apr 25, 2017

Resources

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

http://www.ulduzsoft.com/2012/01/creating-a-certificate-authority-and-signing-the-ssl-certificates-using-openssl/

Server certificate and key in one file

cat certs/server.crt private/server.key > private/server-key-cert.pem`
chown root.root private/server-key-cert.pem
chmod 0400 private/server-key-cert.pem
rm -f certs/server.crt
rm -f private/server.key

Revoke a Server Certificate

Revoke certificate:

openssl ca -config openssl.my.cnf -revoke certs/server.crt

Generate new CRL (Certificate Revokation List):

openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment