OpenSSL Client Side Certificate Scripts
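#!/bin/bash
# create-user: issue a client certificate for one user, signed by the local CA.
#
# Usage:   create-user USERNAME EMAIL
# Env:     KEY_BITS  RSA size of the user key (default 2048; the original
#                    script used 1024, which is below the accepted minimum)
# Outputs: USERNAME.key / .csr / .crt / .p12 under
#          /usr/local/etc/ssl/ca/certs/users/
# Exit:    1 on usage error or rejected argument; non-zero if any openssl
#          step fails (set -e), so a failed step does not leave a half-issued
#          user silently behind.
set -euo pipefail

readonly CA_DIR=/usr/local/etc/ssl/ca
readonly USERS_DIR="$CA_DIR/certs/users"
KEY_BITS="${KEY_BITS:-2048}"

USERNAME=${1:-}
EMAIL=${2:-}

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ "$USERNAME" == "" || "$EMAIL" == "" ]]; then
  echo 'Usage: create-user USERNAME EMAIL'
  exit 1
fi

# USERNAME becomes part of a filesystem path: restrict it to a safe charset so
# a value such as "../ca" cannot write outside USERS_DIR.
[[ "$USERNAME" =~ ^[A-Za-z0-9._-]+$ ]] || die "invalid USERNAME: ${USERNAME}"
# EMAIL is interpolated into the -subj string, where '/' starts a new RDN.
[[ "$EMAIL" != */* ]] || die "invalid EMAIL: ${EMAIL}"

user_base="$USERS_DIR/$USERNAME"

# The private key and the PKCS#12 bundle (which also contains it) are created
# owner-only; the subshell keeps the umask change local to that command.
( umask 077; openssl genrsa -out "$user_base.key" "$KEY_BITS" )
openssl req -new \
  -subj "/C=US/ST=WA/L=Seattle/O=RealSelf, Inc./CN=xc.realself.com/emailAddress=$EMAIL" \
  -key "$user_base.key" \
  -out "$user_base.csr"
openssl x509 -req -days 1095 \
  -in "$user_base.csr" \
  -CA "$CA_DIR/certs/ca.crt" \
  -CAkey "$CA_DIR/certs/ca.key" \
  -CAserial "$CA_DIR/serial" \
  -CAcreateserial \
  -out "$user_base.crt"
( umask 077; openssl pkcs12 -export -clcerts \
    -in "$user_base.crt" \
    -inkey "$user_base.key" \
    -out "$user_base.p12" )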
# Initialise the CA database: an empty index file and a CRL number starting at 01.
ca_dir=/usr/local/etc/ssl/ca
touch "$ca_dir/index.txt" && printf '01\n' > "$ca_dir/crlnumber"
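#!/bin/bash
# create-ca: generate the self-signed CA key/certificate and an initial CRL.
#
# Env (all optional; defaults are the values the original script hard-coded):
#   CA_SUBJ   subject DN of the CA certificate
#   CA_DAYS   CA certificate validity in days (default 365)
#   CRL_DAYS  CRL validity in days (default 1095)
# Reads:   /usr/local/etc/ssl/openssl.cnf, section CA_default
# Outputs: certs/ca.key, certs/ca.crt, certs/ca.crl under /usr/local/etc/ssl/ca
# Exit:    non-zero if either openssl step fails (set -e).
set -euo pipefail

readonly CA_DIR=/usr/local/etc/ssl/ca
readonly CA_CONFIG=/usr/local/etc/ssl/openssl.cnf
CA_SUBJ="${CA_SUBJ:-/C=US/ST=State/L=City/O=Company/CN=site.xyz/emailAddress=xyz@abc.com}"
CA_DAYS="${CA_DAYS:-365}"
CRL_DAYS="${CRL_DAYS:-1095}"

# NOTE(review): -nodes writes the CA private key unencrypted; the companion
# create-user/revoke-user scripts depend on that (they pass -keyfile with no
# passphrase option). The chmod below at least keeps the key owner-only.
# NOTE(review): with the defaults, user certificates (1095 days in create-user)
# outlive this CA certificate (365 days); set CA_DAYS to cover them.
openssl req -new -newkey rsa:4096 -days "$CA_DAYS" -nodes -x509 \
  -subj "$CA_SUBJ" \
  -keyout "$CA_DIR/certs/ca.key" \
  -out "$CA_DIR/certs/ca.crt"
chmod 600 "$CA_DIR/certs/ca.key"
openssl ca -config "$CA_CONFIG" -name CA_default -gencrl \
  -keyfile "$CA_DIR/certs/ca.key" \
  -cert "$CA_DIR/certs/ca.crt" \
  -out "$CA_DIR/certs/ca.crl" \
  -crldays "$CRL_DAYS"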
# openssl.cnf fragment used by the companion scripts via
# "openssl ca -config /usr/local/etc/ssl/openssl.cnf -name CA_default".
[ ca ]
default_ca = CA_default # The name of the CA configuration to be used.
# can be anything that makes sense to you.
[ CA_default ]
# NOTE(review): the companion scripts keep everything under
# /usr/local/etc/ssl/ca and pass -keyfile/-cert/-out explicitly, so the
# dir/private_key defaults below do not match the files they create;
# reconcile before relying on these defaults.
dir = /etc/ssl/ca # Directory where everything is kept
certs = $dir/certs # Directory where the issued certs are kept
crl_dir = $dir/crl # Directory where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/certs # Default directory for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # The current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
# NOTE(review): SHA-1 signatures are rejected by current clients and
# libraries; sha256 is the usual choice here.
default_md = sha1 # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
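#!/bin/bash
# revoke-user: revoke one user's client certificate and regenerate the CRL.
#
# Usage:   revoke-user USERNAME
# Reads:   /usr/local/etc/ssl/openssl.cnf (section CA_default) and the CA
#          database it names; certs/users/USERNAME.crt
# Outputs: updated CA database; certs/ca.crl
# Exit:    1 on usage error or rejected argument; non-zero if either openssl
#          step fails (set -e), so the CRL is not regenerated after a failed
#          revocation.
set -euo pipefail

readonly CA_DIR=/usr/local/etc/ssl/ca
readonly CA_CONFIG=/usr/local/etc/ssl/openssl.cnf

USERNAME=${1:-}

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ "$USERNAME" == "" ]]; then
  echo 'Usage: revoke-user USERNAME'
  exit 1
fi

# USERNAME becomes part of a filesystem path: restrict it to a safe charset.
[[ "$USERNAME" =~ ^[A-Za-z0-9._-]+$ ]] || die "invalid USERNAME: ${USERNAME}"

user_crt="$CA_DIR/certs/users/$USERNAME.crt"
[[ -f "$user_crt" ]] || die "no certificate found for ${USERNAME}: ${user_crt}"

# The config section is spelled CA_default; the original passed CA_Default
# (section names are case-sensitive) and omitted -config, which selected the
# system default openssl.cnf instead of the CA's own.
openssl ca -config "$CA_CONFIG" -name CA_default \
  -revoke "$user_crt" \
  -keyfile "$CA_DIR/certs/ca.key" \
  -cert "$CA_DIR/certs/ca.crt"
openssl ca -config "$CA_CONFIG" -name CA_default -gencrl \
  -keyfile "$CA_DIR/certs/ca.key" \
  -cert "$CA_DIR/certs/ca.crt" \
  -out "$CA_DIR/certs/ca.crl" \
  -crldays 1095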
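# Create the CA directory layout used by the companion scripts.
# Both paths use mkdir -p so the step is idempotent (the original second
# mkdir, without -p, failed when the crl directory already existed).
mkdir -p /usr/local/etc/ssl/ca/certs/users /usr/local/etc/ssl/ca/crl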