kallisti5/myorg-CA.cnf

## gistfile1.txt
.
./CA
./CA/index.txt.attr.old
./CA/myorg-CA.key
./CA/index.txt.old
./CA/index.txt
./CA/myorg-CA.cnf
./CA/myorg-CA.srl
./CA/index.txt.attr
./CA/myorg-CA.srl.old
./CA/myorg-CA.crt
./myorg-logs.myorg-.com.crt
./myorg-logs.myorg-.com.csr
./myorg-beats.crt
./myorg-logs.myorg-.com.key
./myorg-beats.key.pem
./myorg-beats.csr
./issued
./issued/02.pem
./issued/01.pem
./myorg-beats.key
./newcert

## myorg-CA.cnf
[ ca ]
default_ca      = CA_default

[ CA_default ]
serial          = serial.txt
policy          = policy_default
dir             = /etc/ssl/myorg-ca
crlnumber       = $dir/CA/crlnumber
crl_dir         = $dir/CA/crl
database        = $dir/CA/index.txt
serial          = $dir/CA/myorg-CA.srl
new_certs_dir   = $dir/issued
certificate     = $dir/CA/myorg-CA.crt
private_key     = $dir/CA/myorg-CA.key
RANDFILE        = $dir/CA/.rand

[ policy_default ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ req ]
distinguished_name = req_dn
x509_extensions = v3_ext

[ req_dn ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name

countryName_default = US
stateOrProvinceName_default = Texas
localityName_default = Austin
0.organizationName_default  = Bobs Widget Factory
organizationalUnitName_default = Infrastructure

commonName          = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64

[ v3_ext ]
basicConstraints = CA:true

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

## newcert

#!/bin/bash

if [ $# -ne 2 ]; then
	echo "Usage: $0 <server|usr> <hostname>"
	echo ""
	echo "This tool is used to create a client->server certificate pair"
	echo "for encrypting client/server communications."
	echo
	echo "This should not be used for HTTPS certificates."
	echo
	echo "You will need the myorg-CA password from lastpass!"
	echo
	exit 1
fi

if [ -f $2.crt ]; then
	echo "WARNING: $2.crt already exists!"
	exit 1
fi

if [ -f $2.key ]; then
	echo "WARNING: $2.key already exists!"
	exit 1
fi

openssl genrsa -out $2.key 2048
openssl req -new -sha256 -config CA/myorg-CA.cnf -key $2.key -nodes -out $2.csr
openssl ca -config CA/myorg-CA.cnf -extensions $1_cert -days 1825 -notext -md sha256 -in $2.csr \
	-subj "/C=US/ST=Texas/L=Austin/O=Bobs Widget Factory/OU=Infrastructure/CN=$2" \
	-out $2.crt
	.
	./CA
	./CA/index.txt.attr.old
	./CA/myorg-CA.key
	./CA/index.txt.old
	./CA/index.txt
	./CA/myorg-CA.cnf
	./CA/myorg-CA.srl
	./CA/index.txt.attr
	./CA/myorg-CA.srl.old
	./CA/myorg-CA.crt
	./myorg-logs.myorg-.com.crt
	./myorg-logs.myorg-.com.csr
	./myorg-beats.crt
	./myorg-logs.myorg-.com.key
	./myorg-beats.key.pem
	./myorg-beats.csr
	./issued
	./issued/02.pem
	./issued/01.pem
	./myorg-beats.key
	./newcert
	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	serial = serial.txt
	policy = policy_default
	dir = /etc/ssl/myorg-ca
	crlnumber = $dir/CA/crlnumber
	crl_dir = $dir/CA/crl
	database = $dir/CA/index.txt
	serial = $dir/CA/myorg-CA.srl
	new_certs_dir = $dir/issued
	certificate = $dir/CA/myorg-CA.crt
	private_key = $dir/CA/myorg-CA.key
	RANDFILE = $dir/CA/.rand

	[ policy_default ]
	countryName = match
	stateOrProvinceName = match
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ req ]
	distinguished_name = req_dn
	x509_extensions = v3_ext

	[ req_dn ]
	countryName = Country Name (2 letter code)
	stateOrProvinceName = State or Province Name
	localityName = Locality Name
	0.organizationName = Organization Name
	organizationalUnitName = Organizational Unit Name

	countryName_default = US
	stateOrProvinceName_default = Texas
	localityName_default = Austin
	0.organizationName_default = Bobs Widget Factory
	organizationalUnitName_default = Infrastructure

	commonName = Common Name (eg, your name or your server\'s hostname)
	commonName_max = 64
	emailAddress = Email Address
	emailAddress_max = 64

	[ v3_ext ]
	basicConstraints = CA:true

	[ v3_ca ]
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign

	[ v3_intermediate_ca ]
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true, pathlen:0
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign

	[ usr_cert ]
	# Extensions for client certificates (`man x509v3_config`).
	basicConstraints = CA:FALSE
	nsCertType = client, email
	nsComment = "OpenSSL Generated Client Certificate"
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer
	keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
	extendedKeyUsage = clientAuth, emailProtection

	[ server_cert ]
	# Extensions for server certificates (`man x509v3_config`).
	basicConstraints = CA:FALSE
	nsCertType = server
	nsComment = "OpenSSL Generated Server Certificate"
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer:always
	keyUsage = critical, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth

	#!/bin/bash

	if [ $# -ne 2 ]; then
	echo "Usage: $0 <server\|usr> <hostname>"
	echo ""
	echo "This tool is used to create a client->server certificate pair"
	echo "for encrypting client/server communications."
	echo
	echo "This should not be used for HTTPS certificates."
	echo
	echo "You will need the myorg-CA password from lastpass!"
	echo
	exit 1
	fi

	if [ -f $2.crt ]; then
	echo "WARNING: $2.crt already exists!"
	exit 1
	fi

	if [ -f $2.key ]; then
	echo "WARNING: $2.key already exists!"
	exit 1
	fi

	openssl genrsa -out $2.key 2048
	openssl req -new -sha256 -config CA/myorg-CA.cnf -key $2.key -nodes -out $2.csr
	openssl ca -config CA/myorg-CA.cnf -extensions $1_cert -days 1825 -notext -md sha256 -in $2.csr \
	-subj "/C=US/ST=Texas/L=Austin/O=Bobs Widget Factory/OU=Infrastructure/CN=$2" \
	-out $2.crt