@jenslohmann
Last active June 19, 2018 09:53
Certificate generation on MacOSX
This might be helpful when generating signed (not strictly self-signed) certificates for use in development on MacOSX.
Testing (against a server using the generated server cert):

```
curl --trace - -3 --insecure --cert clientcert.p12:changeit --get https://localhost:443/
```
Troubleshooting:
- Check the keychain (Cmd-Space "Keychain Access") for old entries. Delete them :-)
- "-3" avoids some MacOSX curl quirkiness.
- "--insecure" seems to be necessary for MacOSX curl. If you find a way to use "--cacert cacert.pem" instead then tell me :-)
The CA configuration (the script below passes it as `config_file`):

```ini
[ ca ]
default_ca = CA_default            # The default ca section

[ CA_default ]
dir = .
database = $dir/index.txt          # index file
new_certs_dir = $dir/newcerts      # new certs dir
certificate = $dir/cacert.pem      # The CA cert
serial = $dir/serial               # serial no file
private_key = $dir/private/cakey.pem   # CA private key
RANDFILE = $dir/private/.rand      # random number file
default_days = 365                 # how long to certify for
default_crl_days = 30              # how long before next CRL
default_md = sha512                # md to use (md5 is broken; the script also passes -md sha512)
policy = policy_anything           # default policy; must name the section defined below
email_in_dn = no                   # Don't add the email into cert DN
name_opt = ca_default              # Subject name display option
cert_opt = ca_default              # Certificate display option
x509_extensions = server_cert_extensions
copy_extensions = copy             # copy subjectAltName etc. from the request into the cert

# Note: these extensions are applied to every cert this CA signs, so the
# client cert generated below also ends up with nsCertType = server.
[ server_cert_extensions ]
basicConstraints = CA:FALSE
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy

[ policy_anything ]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
```
The generation script:

```bash
#!/bin/bash -v
# Generates the CA (wipes any previous CA state in the current directory)
rm -rf private/* 2>/dev/null
rm -rf newcerts/* 2>/dev/null
mkdir private 2>/dev/null
mkdir newcerts 2>/dev/null
rm -f index.txt* 2>/dev/null
rm -f serial*
rm -f *.pem
rm -f *.key
rm -f *.req
rm -f *.p12
touch index.txt
echo "01" > serial

# Generates the signer's certificate.
# The heredoc answers the interactive prompts in order: C, ST, L, O, OU, CN, emailAddress ("." leaves a field empty).
openssl req -new -x509 -sha512 -newkey rsa:4096 -days 3650 -keyout private/cakey.pem -out cacert.pem -passout pass:changeit <<-EOCERT
DK
.
Copenhagen
http://somesite.dk/
.
Jens Lohmann CA
jens@somesite.dk
EOCERT

# Generates the server request with a subjectAltName (copied into the cert by copy_extensions = copy).
# Note: each continued line needs a space before the backslash, otherwise bash joins "1096" and "-keyout" into one word.
# -nodes leaves the key unencrypted, so -passout has no effect here; -days is ignored for a plain request.
openssl req -new -sha512 -nodes -newkey rsa:2048 -days 1096 \
  -keyout private/somesite.dk.key \
  -out somesite.dk.req \
  -passout pass:changeit \
  -reqexts SAN \
  -extensions SAN \
  -subj '/CN=somesite.dk/OU=Server Certificate/O=https:\/\/somesite.dk\//C=DK' \
  -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:somesite.dk'))

# Signs the request
openssl ca -verbose -md sha512 -config config_file -batch -policy policy_anything -days 1096 -out somesite.dk.pem -in somesite.dk.req -passin pass:changeit

# Create the server p12 file
openssl pkcs12 -export -in somesite.dk.pem -inkey private/somesite.dk.key -certfile cacert.pem -passout pass:changeit > somesite.dk.p12

# Generate a client cert signing request.
# Prompts answered here: C, ST, L, O, OU, CN, emailAddress, then the challenge password and optional company name (both left empty).
openssl req -new -sha512 -nodes -newkey rsa:2048 -days 1096 -keyout private/client.key -out client.req -passout pass:changeit <<-EOCERT
DK
.
Copenhagen
http://www.somesite.dk/
Client Certificate
Jens Lohmann
jens@somesite.dk
.
.
EOCERT

# Signs the request
openssl ca -verbose -md sha512 -config config_file -batch -policy policy_anything -days 1096 -out client.pem -in client.req -passin pass:changeit

# Create the client p12 file
openssl pkcs12 -export -in client.pem -inkey private/client.key -certfile cacert.pem -passout pass:changeit > clientcert.p12
```
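As an added check that is not part of the gist, the script below verifies what the generation script produced before the certificates are trusted: the leaf chains to `cacert.pem`, its subjectAltName names the expected host, and basicConstraints are right on both ends. It assumes `openssl` on PATH; `make_demo_pki` is a constructed stand-in for the gist's `openssl ca` flow so the checks can be exercised in a throwaway directory.

```bash
#!/bin/bash
# Added example, not from the gist: verify the generated certs instead of
# skipping verification. Assumes openssl on PATH.
set -u

# check_leaf_cert CA_PEM LEAF_PEM HOSTNAME
# Returns 0 if LEAF_PEM chains to CA_PEM, names HOSTNAME in its SAN, and the
# basicConstraints are right on both ends; the exit code says which check failed.
check_leaf_cert() {
  local ca="$1" leaf="$2" host="$3" text
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
    || { echo "chain: $leaf does not verify against $ca" >&2; return 1; }
  text=$(openssl x509 -in "$leaf" -noout -text)
  printf '%s\n' "$text" | grep -q "DNS:$host" \
    || { echo "SAN: DNS:$host not present in $leaf" >&2; return 2; }
  printf '%s\n' "$text" | grep -q 'CA:FALSE' \
    || { echo "basicConstraints: leaf must carry CA:FALSE" >&2; return 3; }
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
    || { echo "basicConstraints: $ca is not marked CA:TRUE" >&2; return 4; }
  return 0
}

# make_demo_pki DIR HOSTNAME
# Constructed demo data: a throwaway CA and a SAN leaf signed by it, using
# "openssl x509 -req" instead of the gist's database-backed "openssl ca".
make_demo_pki() {
  local dir="$1" host="$2"
  mkdir -p "$dir" || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo CA" \
    -keyout "$dir/cakey.pem" -out "$dir/ca.req" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.req" -signkey "$dir/cakey.pem" -days 30 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/cacert.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.req" 2>/dev/null || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.req" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Usage on the gist's output, from the directory its script ran in:
#   check_leaf_cert cacert.pem somesite.dk.pem somesite.dk && echo OK
```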