Skip to content

Instantly share code, notes, and snippets.

@dpneumo
Last active Mar 25, 2019
Embed
What would you like to do?
Create a root CA cert, an intermediate CA cert, and a server cert
Copy the 4 scripts to /home/<user>
From /home/<user>:
./setup_rootca.sh
./setup_blacklakeca.sh
ipaddr=$(ip route get 8.8.8.8 | awk '{print $7}')
SUBJ_IP=$ipaddr ./stratus_server_cert.sh
This will:
1. Setup the self signed root CA
2. Setup the blacklake intermediate CA
3. Create the stratus server cert
#
# OpenSSL configuration file.
#
HOME = .
dir = $HOME/CA/intermediate
####################################################################
[ ca ]
default_ca = CA_default
[ CA_default ]
certificate = $dir/certs/blacklakeca.cert.pem
private_key = $dir/private/blacklakeca.key.pem
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
crl_dir = $dir/crl
crlnumber = $dir/crlnumber
crl = $crl_dir/blacklakeca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha512
nameopt = ca_default
certopt = ca_default
default_days = 1095
preserve = no
policy = policy_loose
email_in_dn = yes
unique_subject = no
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 4096
default_md = sha512
distinguished_name = req_distinguished_name
string_mask = utf8only
attributes = req_attributes
x509_extensions = v3_intermediate_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, district)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = email:move
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
#!/usr/bin/env bash
# Run: ./prep_ca_dirs.sh
# will run in user's home dir
cd /home/$(whoami)
printf "========= Prep CA dirs ==========\n"
# Prepare root CA directories in dir CA
mkdir -p CA && cd CA
mkdir -p certs newcerts csr crl private
chmod 700 private
touch index.txt
if [[ ! -e 'serial' ]]; then
echo '1000' > serial
fi
if [[ ! -e 'crlnumber' ]]; then
echo '1000' > crlnumber
fi
# Prepare intermediate CA directories in dir CA/intermediate
mkdir -p intermediate && cd intermediate
mkdir -p certs newcerts crl csr private
chmod 700 private
touch index.txt
if [[ ! -e 'serial' ]]; then
echo '1000' > serial
fi
if [[ ! -e 'crlnumber' ]]; then
echo '1000' > crlnumber
fi
cd /home/$(whoami)
printf "========= Place CA scripts ==========\n"
SRC='/vagrant/client_files'
cp $SRC/openssl/setup_rootca.sh setup_rootca.sh
cp $SRC/openssl/setup_blacklakeca.sh setup_blacklakeca.sh
cp $SRC/openssl/stratus_server_cert.sh stratus_server_cert.sh
chmod +x *.sh
#
# OpenSSL configuration file.
#
HOME = .
dir = $HOME/CA
####################################################################
[ ca ]
default_ca = CA_default
[ CA_default ]
certificate = $dir/certs/rootca.cert.pem
private_key = $dir/private/rootca.key.pem
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
crl_dir = $dir/crl
crlnumber = $dir/crlnumber
crl = $crl_dir/rootca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha512
nameopt = ca_default
certopt = ca_default
default_days = 3650
preserve = no
policy = policy_strict
email_in_dn = yes
unique_subject = no
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 4096
default_md = sha512
distinguished_name = req_distinguished_name
string_mask = utf8only
attributes = req_attributes
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, district)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = email:move
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
#
# OpenSSL configuration file.
#
HOME = .
dir = $HOME/CA/intermediate
####################################################################
[ ca ]
default_ca = CA_default
[ CA_default ]
certificate = $dir/certs/blacklakeca.cert.pem
private_key = $dir/private/blacklakeca.key.pem
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
crl_dir = $dir/crl
crlnumber = $dir/crlnumber
crl = $crl_dir/blacklakeca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha512
nameopt = ca_default
certopt = ca_default
default_days = 365
preserve = no
policy = policy_loose
email_in_dn = no
unique_subject = no
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 4096
default_md = sha512
distinguished_name = req_distinguished_name
string_mask = utf8only
attributes = req_attributes
x509_extensions = server_cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, district)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = stratus.attlocal.net
DNS.2 = stratus
IP.1 = ${ENV::SUBJ_IP}
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
#!/usr/bin/env bash
# Run: ./setup_blacklakeca.sh
# will run in user's home dir
cd /home/$(whoami)
casubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=CertMan/CN=blacklakeca/emailAddress=funnyname@mail.us'
SRC='/vagrant/client_files'
CAint='CA/intermediate'
# Install configuration file
cp $SRC'/openssl/CA/blacklakeca.cnf' $CAint'/blacklakeca.cnf'
chmod 644 $CAint'/blacklakeca.cnf'
# Build the intermediate CA certificate
printf "\n========= Build intermediate CA with blacklakeca.cnf ==========\n"
# Generate intermediate CA csr
# Also creates and saves private key. Unencrypted!
printf "========= blacklakeca csr with blacklakeca.cnf ==========\n"
openssl req -new -subj $casubj \
-nodes -sha512 \
-keyout $CAint'/private/blacklakeca.key.pem' \
-config $CAint'/blacklakeca.cnf' \
-out $CAint'/csr/blacklakeca.csr.pem'
# Make intermediate CA private key read-only by current user
chmod 400 $CAint'/private/blacklakeca.key.pem'
# Generate the intermediate CA certificate - valid 3 yrs
printf "======= Sign blacklakeca csr with rootca cert => blacklakeca cert ======\n"
openssl ca -in $CAint'/csr/blacklakeca.csr.pem' \
-keyfile 'CA/private/rootca.key.pem' \
-cert 'CA/certs/rootca.cert.pem' \
-config $CAint'/blacklakeca.cnf' \
-extensions 'v3_intermediate_ca' \
-notext \
-out $CAint'/certs/blacklakeca.cert.pem'
# Make intermediate CA certificate read-only by all users
chmod 444 $CAint'/certs/blacklakeca.cert.pem'
# Show the intermediate CA certificate
openssl x509 -noout -text \
-in $CAint'/certs/blacklakeca.cert.pem'
openssl verify -CAfile 'CA/certs/rootca.cert.pem' \
$CAint'/certs/blacklakeca.cert.pem'
# Cert chain
cat $CAint'/certs/blacklakeca.cert.pem' \
'CA/certs/rootca.cert.pem' > $CAint'/certs/blacklakeca-chain.cert.pem'
chmod 444 $CAint'/certs/blacklakeca-chain.cert.pem'
#!/usr/bin/env bash
# Run: ./setup_rootca.sh
# will run in user's home dir
cd /home/$(whoami)
casubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=CertMan/CN=rootca/emailAddress=funnyname@mail.us'
SRC='/vagrant/client_files'
# Install configuration file
cp $SRC'/openssl/CA/rootca.cnf' 'CA/rootca.cnf'
chmod 644 'CA/rootca.cnf'
# Build the root CA certificate
printf "========= Building root CA with rootca.cnf ==========\n"
openssl req -new -subj $casubj \
-nodes -newkey rsa:4096 \
-keyout 'CA/private/rootca.key.pem' \
-x509 \
-config 'CA/rootca.cnf' \
-extensions 'v3_ca' \
-out 'CA/certs/rootca.cert.pem'
# Make root CA certificate read only by all users
chmod 444 'CA/certs/rootca.cert.pem'
# Show the rootca cert
openssl x509 -noout -text \
-in 'CA/certs/rootca.cert.pem'
#!/usr/bin/env bash
# Run: ./stratus_server_cert.sh
# will run in user's home dir
cd /home/$(whoami)
servsubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=Apps/CN=stratus'
SRC='/vagrant/client_files'
CAint='CA/intermediate'
# Install configuration file
cp $SRC'/openssl/CA/server.cnf' $CAint'/server.cnf'
chmod 644 $CAint'/server.cnf'
# Build Server Certificate
printf "========= Server certificate with server.cnf ==========\n"
# Generate Server csr
# Also creates and saves private key. Unencrypted!
printf "========= Server csr with server.cnf ==========\n"
openssl req -new -subj $servsubj \
-nodes -sha512 \
-keyout $CAint'/private/stratus.key.pem' \
-config $CAint'/server.cnf' \
-out $CAint'/csr/stratus.csr.pem'
# Make Server private key read-only by current user
chmod 400 $CAint'/private/stratus.key.pem'
# Generate the Server certificate - valid 1 year
printf "========= Use blacklake CA to generate Server cert ==========\n"
openssl ca -in $CAint'/csr/stratus.csr.pem' \
-keyfile $CAint'/private/blacklakeca.key.pem' \
-cert $CAint'/certs/blacklakeca.cert.pem' \
-config $CAint'/server.cnf' \
-extensions 'server_cert' \
-notext \
-out $CAint'/certs/stratus.cert.pem'
# Make Server certificate read-only by all users
chmod 444 $CAint'/certs/stratus.cert.pem'
# Show the Server certificate
openssl x509 -noout -text \
-in $CAint'/certs/stratus.cert.pem'
openssl verify -CAfile $CAint'/certs/blacklakeca-chain.cert.pem' \
$CAint'/certs/stratus.cert.pem'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment