. | |
./CA | |
./CA/index.txt.attr.old | |
./CA/myorg-CA.key | |
./CA/index.txt.old | |
./CA/index.txt | |
./CA/myorg-CA.cnf | |
./CA/myorg-CA.srl | |
./CA/index.txt.attr | |
./CA/myorg-CA.srl.old | |
./CA/myorg-CA.crt | |
./myorg-logs.myorg-.com.crt | |
./myorg-logs.myorg-.com.csr | |
./myorg-beats.crt | |
./myorg-logs.myorg-.com.key | |
./myorg-beats.key.pem | |
./myorg-beats.csr | |
./issued | |
./issued/02.pem | |
./issued/01.pem | |
./myorg-beats.key | |
./newcert |
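# myorg-CA.cnf — OpenSSL CA configuration, read by `openssl req` (CSR
# generation) and `openssl ca` (signing). See ca(1), req(1), x509v3_config(5).
# All CA paths are rooted at $dir; the CA tree is expected to live at
# /etc/ssl/myorg-ca with this file at $dir/CA/myorg-CA.cnf.

[ ca ]
default_ca = CA_default

[ CA_default ]
# Root of the CA tree; every path below is relative to it.
dir = /etc/ssl/myorg-ca
policy = policy_default
# CRL counter and CRL output directory, only used by `openssl ca -gencrl`.
# Neither exists in the CA tree yet; create them before issuing a CRL.
crlnumber = $dir/CA/crlnumber
crl_dir = $dir/CA/crl
# Certificate database and serial counter. OpenSSL maintains the *.old and
# index.txt.attr companions itself; do not edit them by hand.
database = $dir/CA/index.txt
# A single serial setting: the previous relative "serial.txt" entry was
# shadowed by this one and did not match any file in the CA tree.
serial = $dir/CA/myorg-CA.srl
# A copy of every issued certificate, named by serial number (01.pem, 02.pem, ...).
new_certs_dir = $dir/issued
certificate = $dir/CA/myorg-CA.crt
private_key = $dir/CA/myorg-CA.key
RANDFILE = $dir/CA/.rand
# No default_days / default_md here: callers must pass -days and -md explicitly.

[ policy_default ]
# Subject-DN policy for `openssl ca`: "match" fields must equal the CA
# certificate's, "supplied" fields must be present, "optional" may be present.
# Any DN field NOT listed here is silently dropped from the issued certificate
# (unless -preserveDN is used), so localityName is listed to keep the L=
# component that the issuing script puts in -subj.
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_dn
# Applied only when `openssl req -x509` writes a self-signed certificate
# (e.g. the CA's own certificate); a plain `req -new` CSR ignores it.
x509_extensions = v3_ext

[ req_dn ]
# Prompts and defaults for interactive `openssl req`; *_max caps field length.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
countryName_default = US
stateOrProvinceName_default = Texas
localityName_default = Austin
0.organizationName_default = Bobs Widget Factory
organizationalUnitName_default = Infrastructure
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ v3_ext ]
# Minimal self-signed profile referenced by [ req ] above.
# NOTE(review): basicConstraints is not marked critical and no keyUsage or
# key identifiers are set; v3_ca below is the stricter profile for a root.
basicConstraints = CA:true

[ v3_ca ]
# Root CA profile: critical CA flag, signing-only key usage.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Intermediate CA profile: pathlen:0 means it may sign end-entity certs only.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# Selected by the issuing script via `-extensions usr_cert`.
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# Selected by the issuing script via `-extensions server_cert`.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth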
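#!/bin/bash
# Issue a client ("usr") or server ("server") certificate signed by myorg-CA.
#
# Must be run from the CA root (the $dir of CA/myorg-CA.cnf): the config path
# and all output files are relative to the working directory.
#   $1  certificate profile, "server" or "usr" (selects [server_cert] / [usr_cert])
#   $2  hostname; used as the CN and as the basename of <hostname>.{key,csr,crt}
# Exits non-zero on bad usage, if an output file already exists, or if any
# openssl step fails (no partial state is silently ignored).
set -euo pipefail

if [ $# -ne 2 ]; then
    echo "Usage: $0 <server|usr> <hostname>"
    echo ""
    echo "This tool is used to create a client->server certificate pair"
    echo "for encrypting client/server communications."
    echo
    echo "This should not be used for HTTPS certificates."
    echo
    echo "You will need the myorg-CA password from lastpass!"
    echo
    exit 1
fi

profile="$1"
name="$2"

# Only the two extension sections defined in CA/myorg-CA.cnf are valid;
# reject anything else here rather than failing inside `openssl ca`.
case "$profile" in
    server|usr) ;;
    *)
        echo "ERROR: certificate type must be 'server' or 'usr', got '$profile'"
        exit 1
        ;;
esac

if [ -f "$name.crt" ]; then
    echo "WARNING: $name.crt already exists!"
    exit 1
fi
if [ -f "$name.key" ]; then
    echo "WARNING: $name.key already exists!"
    exit 1
fi

# The private key is written unencrypted; create it owner-readable only,
# independent of the caller's umask. The subshell keeps the stricter umask
# from applying to the .csr and .crt written below.
(umask 077; openssl genrsa -out "$name.key" 2048)
openssl req -new -sha256 -config CA/myorg-CA.cnf -key "$name.key" -nodes -out "$name.csr"
# -subj overrides the CSR's subject; C/ST/O must match the CA certificate
# under [ policy_default ]. -days 1825 is a five-year validity period.
openssl ca -config CA/myorg-CA.cnf -extensions "${profile}_cert" -days 1825 -notext -md sha256 -in "$name.csr" \
    -subj "/C=US/ST=Texas/L=Austin/O=Bobs Widget Factory/OU=Infrastructure/CN=$name" \
    -out "$name.crt"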