OpenSSL Client Side Certificate Scripts
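#!/bin/bash
# create-user: issue a client certificate for one user under the local CA.
#
# Usage: create-user USERNAME EMAIL
#
# Writes USERNAME.key / .csr / .crt / .p12 under the CA's certs/users/ directory.
# The certificate is signed directly with ca.crt + ca.key via `openssl x509 -req`
# (the serial counter lives in $CA_DIR/serial and is created on first use).
# `openssl pkcs12 -export` prompts for an export password on the terminal.
set -euo pipefail

CA_DIR=/usr/local/etc/ssl/ca
USERS_DIR="$CA_DIR/certs/users"
# The original generated 1024-bit keys, which is below the generally accepted
# 2048-bit minimum for RSA; default to 2048, overridable with KEY_BITS=....
KEY_BITS=${KEY_BITS:-2048}
CERT_DAYS=${CERT_DAYS:-1095}

USERNAME=${1:-}
EMAIL=${2:-}
if [[ -z "$USERNAME" || -z "$EMAIL" ]]; then
  echo 'Usage: create-user USERNAME EMAIL' >&2
  exit 1
fi
# USERNAME becomes part of a filesystem path: restrict it to a safe character
# set so a value such as "../x" cannot write outside USERS_DIR.
if [[ ! "$USERNAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "create-user: invalid USERNAME '$USERNAME'" >&2
  exit 1
fi
# Never silently replace a key that has already been issued to this user.
if [[ -e "$USERS_DIR/$USERNAME.key" ]]; then
  echo "create-user: $USERS_DIR/$USERNAME.key already exists" >&2
  exit 1
fi

# Private key material must not be group/world readable.
umask 077
openssl genrsa -out "$USERS_DIR/$USERNAME.key" "$KEY_BITS"
# The original had no space before the trailing backslash after the -subj
# string, so "-key" was glued onto the subject; fixed by the line continuation
# below. The CN is the same fixed host name for every user (kept as-is); the
# certificates differ only in emailAddress.
openssl req -new \
  -subj "/C=US/ST=WA/L=Seattle/O=RealSelf, Inc./CN=xc.realself.com/emailAddress=$EMAIL" \
  -key "$USERS_DIR/$USERNAME.key" \
  -out "$USERS_DIR/$USERNAME.csr"
# -sha256 pins the signature digest; older OpenSSL defaulted to SHA-1 here.
# NOTE(review): `openssl x509 -req` does not record the issued certificate in
# the index.txt database used by `openssl ca` — confirm revoke-user's
# `openssl ca -revoke <file>` is sufficient for this CA's bookkeeping.
openssl x509 -req -days "$CERT_DAYS" -sha256 \
  -in "$USERS_DIR/$USERNAME.csr" \
  -CA "$CA_DIR/certs/ca.crt" \
  -CAkey "$CA_DIR/certs/ca.key" \
  -CAserial "$CA_DIR/serial" \
  -CAcreateserial \
  -out "$USERS_DIR/$USERNAME.crt"
# Bundle key + certificate for import into a browser or OS keychain.
openssl pkcs12 -export -clcerts \
  -in "$USERS_DIR/$USERNAME.crt" \
  -inkey "$USERS_DIR/$USERNAME.key" \
  -out "$USERS_DIR/$USERNAME.p12"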
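# One-time CA bookkeeping files: the (initially empty) certificate database
# index.txt and the starting CRL number. Both are read by `openssl ca` through
# the [ CA_default ] section (database = $dir/index.txt, crlnumber = $dir/crlnumber).
# `touch` is idempotent, but the original `echo '01' >` reset crlnumber on every
# run, which would reissue CRL numbers that were already published; seed it
# only when it does not exist yet.
CA_DIR=/usr/local/etc/ssl/ca
touch "$CA_DIR/index.txt" || exit 1
if [[ ! -e "$CA_DIR/crlnumber" ]]; then
  echo '01' > "$CA_DIR/crlnumber"
fi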
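# Create the self-signed CA certificate and its private key (run once).
# The subject fields are placeholders from the original gist; replace them
# before use. The key is written unencrypted (-nodes) so the other scripts can
# use it non-interactively: anyone who can read ca.key can issue certificates,
# so the file is created with a restrictive umask.
set -euo pipefail
CA_DIR=/usr/local/etc/ssl/ca
CA_DAYS=${CA_DAYS:-365}
# Refuse to overwrite an existing CA: regenerating it would orphan every
# certificate issued so far.
if [[ -e "$CA_DIR/certs/ca.key" || -e "$CA_DIR/certs/ca.crt" ]]; then
  echo "CA key or certificate already present in $CA_DIR/certs; refusing to overwrite" >&2
  exit 1
fi
umask 077   # ca.key must not be group/world readable
# -sha256 pins the signature digest; older OpenSSL defaulted to SHA-1.
openssl req -new -newkey rsa:4096 -days "$CA_DAYS" -nodes -x509 -sha256 \
  -subj "/C=US/ST=State/L=City/O=Company/CN=site.xyz/emailAddress=xyz@abc.com" \
  -keyout "$CA_DIR/certs/ca.key" \
  -out "$CA_DIR/certs/ca.crt"
# The certificate itself is public and is read by servers/clients.
chmod 0644 "$CA_DIR/certs/ca.crt"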
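# Generate (or regenerate) the CA's CRL from the database named in openssl.cnf.
# CRL_DAYS sets the nextUpdate interval. The original hard-coded 1095 days
# (3 years): relying parties may keep a CRL until nextUpdate, so a long
# interval delays the effect of a revocation; the config's own
# default_crl_days is 30. The 1095 default is kept for compatibility and can
# be overridden with CRL_DAYS=30.
set -euo pipefail
CA_DIR=/usr/local/etc/ssl/ca
CA_CONFIG=${CA_CONFIG:-/usr/local/etc/ssl/openssl.cnf}
CRL_DAYS=${CRL_DAYS:-1095}
# NOTE(review): the [ CA_default ] section sets dir = /etc/ssl/ca while these
# scripts keep their files under /usr/local/etc/ssl/ca; `openssl ca` reads
# index.txt and crlnumber relative to the config's dir — confirm both point at
# the same directory.
openssl ca -config "$CA_CONFIG" -name CA_default -gencrl \
  -keyfile "$CA_DIR/certs/ca.key" \
  -cert "$CA_DIR/certs/ca.crt" \
  -out "$CA_DIR/certs/ca.crl" \
  -crldays "$CRL_DAYS"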
# openssl.cnf excerpt used by the CRL-generation and revoke scripts
# (`openssl ca -config ... -name CA_default`).
[ ca ]
default_ca = CA_default # The name of the CA configuration to be used.
# can be anything that makes sense to you.
# Section names are looked up case-sensitively: scripts must pass
# -name CA_default exactly as the header below is spelled.
[ CA_default ]
# NOTE(review): the scripts on this page create and use /usr/local/etc/ssl/ca,
# not /etc/ssl/ca — confirm dir matches that layout, otherwise `openssl ca`
# looks for index.txt and crlnumber in a different tree.
dir = /etc/ssl/ca # Directory where everything is kept
certs = $dir/certs # Directory where the issued certs are kept
crl_dir = $dir/crl # Directory where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/certs # Default directory for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # The current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# The scripts pass -keyfile and -cert explicitly, which overrides
# private_key and certificate above (the scripts keep ca.key under certs/).
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
# sha1 is the digest `openssl ca` signs with unless -md is given; SHA-1
# signatures are rejected by current clients, sha256 is the usual choice.
default_md = sha1 # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
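#!/bin/bash
# revoke-user: mark a user's client certificate as revoked and republish the CRL.
#
# Usage: revoke-user USERNAME
set -euo pipefail

CA_DIR=/usr/local/etc/ssl/ca
CA_CONFIG=${CA_CONFIG:-/usr/local/etc/ssl/openssl.cnf}
# nextUpdate interval for the regenerated CRL; same default as the CRL script.
CRL_DAYS=${CRL_DAYS:-1095}

USERNAME=${1:-}
if [[ -z "$USERNAME" ]]; then
  # The original printed the literal text "$USERNAME" (single-quoted).
  echo 'Usage: revoke-user USERNAME' >&2
  exit 1
fi
# USERNAME is used to build a path; reject anything that could leave users/.
if [[ ! "$USERNAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "revoke-user: invalid USERNAME '$USERNAME'" >&2
  exit 1
fi
CERT="$CA_DIR/certs/users/$USERNAME.crt"
if [[ ! -f "$CERT" ]]; then
  echo "revoke-user: no certificate at $CERT" >&2
  exit 1
fi

# The section is named "[ CA_default ]" in openssl.cnf and config lookups are
# case-sensitive, so the original "-name CA_Default" does not match it; the
# CRL script already uses CA_default. -config is passed explicitly so the same
# openssl.cnf is used here as there, rather than the default config location.
openssl ca -config "$CA_CONFIG" -name CA_default \
  -revoke "$CERT" \
  -keyfile "$CA_DIR/certs/ca.key" \
  -cert "$CA_DIR/certs/ca.crt"
# Regenerate the CRL so the revocation is actually published.
openssl ca -config "$CA_CONFIG" -name CA_default -gencrl \
  -keyfile "$CA_DIR/certs/ca.key" \
  -cert "$CA_DIR/certs/ca.crt" \
  -out "$CA_DIR/certs/ca.crl" \
  -crldays "$CRL_DAYS"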
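# Create the directory layout the scripts expect. `-p` on both paths makes this
# safe to re-run (the original's plain `mkdir .../crl` fails once it exists)
# and creates the intermediate $CA_DIR/certs as well.
# NOTE(review): ca.key is stored under certs/ by the CA-creation script; make
# sure that directory is not readable by unprivileged users.
CA_DIR=/usr/local/etc/ssl/ca
mkdir -p -- "$CA_DIR/certs/users" "$CA_DIR/crl"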