Custom certificate authority with OpenSSL #2
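# Directory scaffolding for both CAs. The layout (certreqs/, certs/, crl/,
# newcerts/, private/, <ca>.index, <ca>.crlnum, <ca>.serial) is what
# root-config.txt and intermediate-config.txt expect under CA_HOME.
# The original repeated "mkdir -p root-ca/private"; that duplicate is gone.
# private/ is restricted to the owner because "openssl req" writes the CA key
# there unencrypted (encrypt_key = no in both configs).
for ca in root-ca intermediate-ca; do
    for sub in certreqs certs crl newcerts private; do
        mkdir -p "$ca/$sub"
    done
    chmod 700 "$ca/private"
    # RANDFILE named in the config, and the (empty) issued-certificate database
    touch "$ca/private/.rnd"
    touch "$ca/$ca.index"
    # CRL number starts at 0; the first serial is 16 random bytes and
    # "openssl ca" increments it for every certificate issued afterwards
    echo 00 > "$ca/$ca.crlnum"
    openssl rand -hex 16 > "$ca/$ca.serial"
done
# Each CA reads its own copy of the configuration from inside its directory
cp root-config.txt root-ca/root-config.txt
cp intermediate-config.txt intermediate-ca/intermediate-config.txt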

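cd root-ca/

# Every openssl call in this directory reads root-config.txt. It is exported
# once here instead of also being passed as -config (the original did both,
# which lets the two silently diverge). The key pair lands in
# private/root-ca.key.pem (default_keyfile in the config).
export OPENSSL_CONF=./root-config.txt
# Key pair plus certificate request for the root CA
openssl req -new -out root-ca.req.pem
# Self-sign the request with the root-ca_ext profile (CA:true, pathlen:1);
# 7300 days is roughly 20 years
openssl ca -selfsign -batch -in root-ca.req.pem -out root-ca.cert.pem -extensions root-ca_ext -days 7300
# Initial (empty) CRL for the root CA
openssl ca -gencrl -out crl/root-ca.crl
# Inspect the certificate and confirm it verifies against itself
openssl x509 -in ./root-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem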


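cd ../intermediate-ca/
export OPENSSL_CONF=./intermediate-config.txt
# Key pair plus certificate request for the intermediate CA. -reqexts names
# the request extension section; the original passed "-extensions" twice,
# which is the option for -x509 output, and req_extensions in the config
# already points at this section anyway.
openssl req -new -reqexts intermediate-ca_ext -out intermediate-ca.req.pem
# The original ran "openssl ca -gencrl" at this point, before
# intermediate-ca.cert.pem exists. "openssl ca" loads the CA certificate
# named in the config before doing anything else, so that step fails here;
# the same command runs again after the root CA has delivered the
# certificate, which is where it belongs.
# Check the request signature and show what was requested
openssl req -verify -in intermediate-ca.req.pem -noout -text -reqopt no_version,no_pubkey,no_sigdump -nameopt multiline
# Hand the request to the root CA
cp intermediate-ca.req.pem ../root-ca/certreqs/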

cd ../root-ca/
export OPENSSL_CONF=./root-config.txt
# Fresh random serial for the certificate that is about to be issued
openssl rand -hex 16 > root-ca.serial
# Sign the intermediate request with the root key. -extensions selects the
# root config's intermediate-ca_ext profile; -days 720 overrides default_days.
openssl ca -batch -in certreqs/intermediate-ca.req.pem -out certs/intermediate-ca.cert.pem -extensions intermediate-ca_ext -days 720
# Deliver the signed certificate to the intermediate CA, then display it
cp certs/intermediate-ca.cert.pem ../intermediate-ca/
openssl x509 -in certs/intermediate-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline

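cd ../intermediate-ca/
export OPENSSL_CONF=./intermediate-config.txt
# The signed certificate was never checked against the root before being put
# into service; confirm it chains to root-ca.cert.pem (mirrors the self-check
# done for the root CA).
openssl verify -verbose -CAfile ../root-ca/root-ca.cert.pem intermediate-ca.cert.pem
# Initial (empty) CRL for the intermediate CA. This needs
# intermediate-ca.cert.pem, which the root CA step copied in.
openssl ca -gencrl -out crl/intermediate-ca.crl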
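#
# OpenSSL configuration for the Intermediate Certification Authority.
# Read by "openssl req" (this CA's own key and request) and by "openssl ca"
# (issuing certificates and CRLs with this CA's key).
#
# CA_HOME is the CA directory. The accompanying script exports OPENSSL_CONF
# but not CA_HOME, so "$ENV::CA_HOME" below resolves to this default-section
# value; set CA_HOME in the environment to point elsewhere.
CA_HOME = .
RANDFILE = $ENV::CA_HOME/private/.rnd
#
# Default Certification Authority
# default_ca must name the CA section below exactly. The original pointed at
# "intermediate_ca" while the section was called "[ intermediate-ca ]", so
# "openssl ca" could not look up new_certs_dir, database, etc.
[ ca ]
default_ca = intermediate_ca
#
# Intermediate Certification Authority
[ intermediate_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/intermediate-ca.serial
database = $dir/intermediate-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/intermediate-ca.cert.pem
# Written without a passphrase (encrypt_key = no in [ req ]); keep private/
# readable by the CA operator only.
private_key = $dir/private/intermediate-ca.key.pem
# Default validity (days) of certificates issued by this CA
default_days = 730
crl = $dir/intermediate-ca.crl
crl_dir = $dir/crl
# Must be the file created for this CA (intermediate-ca.crlnum); the original
# named root-ca.crlnum, which does not exist in this directory.
crlnumber = $dir/intermediate-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
# Every extension found in a request is copied into the certificate unless
# the -extensions section already sets it. This CA issues certificates for
# requests it did not generate itself, so review each request before signing,
# or set this to "none" and define everything in the extension section.
copy_extensions = copy
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
preserve = no
email_in_dn = no
policy = policy
unique_subject = no
#
# Settings for this CA's own key and request. prompt = no: the subject comes
# from [ req_distinguished_name ]. default_keyfile is relative to the
# directory "openssl req" is run from (the script runs it inside intermediate-ca/).
[ req ]
prompt = no
default_bits = 4096
default_keyfile = private/intermediate-ca.key.pem
# No passphrase on the CA key (see private_key above)
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = intermediate-ca_ext
default_md = sha256
string_mask = utf8only
utf8 = yes
#
# Distinguished Name Policy for CAs: O and CN must be present, the rest is optional
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
#
# CRL Certificate Extensions (the original listed this section twice; once is enough)
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
#
# Subject of the intermediate CA; the empty L/ST/C entries are allowed by [ policy ]
[ req_distinguished_name ]
O=CodeTecture
L=
ST=
C=
CN=Intermediate Certification Authority
#
# Extensions placed in this CA's own request (req_extensions above).
# The certificate the root CA actually issues is governed by the root
# config's intermediate-ca_ext section; with copy_extensions = copy on the
# root, entries here are only copied when that section does not set them.
# authorityKeyIdentifier is deliberately absent: "openssl req" has no issuer
# certificate to take a key id from. pathlen:0 means this CA may issue
# end-entity certificates only.
[ intermediate-ca_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
#
# Where this (intermediate) CA's certificate can be downloaded (AIA caIssuers),
# for use in certificates it issues. No extension section in this file
# references it yet; an end-entity profile would, via
# "authorityInfoAccess = @auth_info_access".
[ auth_info_access ]
caIssuers;URI = http://ca.codetecture.no/crl/Intermediate_Certification_Authority.cert.pem
#
# Where this (intermediate) CA's CRL can be downloaded (CDP), for use in
# certificates it issues. Likewise unreferenced so far; an end-entity
# profile would use "crlDistributionPoints = crl_dist".
[ crl_dist ]
fullname = URI:http://ca.codetecture.no/crl/Intermediate_Certification_Authority.crl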
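#
# OpenSSL configuration for the Root Certification Authority.
# Read by "openssl req" (the root's own key and request) and by "openssl ca"
# (self-signing the root, signing the intermediate CA, issuing CRLs).
#
# CA_HOME is the CA directory. The accompanying script exports OPENSSL_CONF
# but not CA_HOME, so "$ENV::CA_HOME" below resolves to this default-section
# value; set CA_HOME in the environment to point elsewhere.
CA_HOME = .
RANDFILE = $ENV::CA_HOME/private/.rnd
#
# Default Certification Authority
[ ca ]
default_ca = root_ca
#
# Root Certification Authority
[ root_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/root-ca.serial
database = $dir/root-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/root-ca.cert.pem
# Written without a passphrase (encrypt_key = no in [ req ]); keep private/
# readable by the CA operator only.
private_key = $dir/private/root-ca.key.pem
# Default validity (days) of certificates this CA issues; the script passes
# -days explicitly on every call, which takes precedence.
default_days = 7300
crl = $dir/root-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/root-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
# Every extension found in a request is copied into the certificate unless
# the -extensions section already sets it. In the accompanying script this CA
# only signs the intermediate request it produced itself; if it is ever used
# on requests from elsewhere, review them first or set this to "none".
copy_extensions = copy
crl_extensions = crl_ext
default_crl_days = 180
default_md = sha256
preserve = no
email_in_dn = no
policy = policy
unique_subject = no
#
# Distinguished Name Policy for CAs: O and CN must be present, the rest is optional
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
#
# Settings for the root's own key and request. prompt = no: the subject
# comes from [ req_distinguished_name ]. default_keyfile is relative to the
# directory "openssl req" is run from (the script runs it inside root-ca/).
[ req ]
prompt = no
default_bits = 4096
default_keyfile = private/root-ca.key.pem
# No passphrase on the root key (see private_key above)
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = root-ca_ext
default_md = sha256
string_mask = utf8only
utf8 = yes
#
# Subject of the root CA. "O=test" looks like a placeholder (the intermediate
# config uses O=CodeTecture); the empty L/ST/C entries are allowed by [ policy ].
[ req_distinguished_name ]
O=test
L=
ST=
C=
CN=Root Certification Authority
#
# Root CA Certificate Extensions (openssl ca -selfsign -extensions root-ca_ext).
# pathlen:1 permits exactly one CA level (the intermediate) below the root.
[ root-ca_ext ]
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Identifies the issuing key so chain building does not depend on name
# matching alone; for the self-signed root this is its own key id.
authorityKeyIdentifier = keyid:always
crlDistributionPoints = crl_dist
#
# Intermediate CA Certificate Extensions (openssl ca -extensions intermediate-ca_ext).
# pathlen:0: the intermediate may issue end-entity certificates only.
[ intermediate-ca_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Key id of the root, the issuer of this certificate
authorityKeyIdentifier = keyid:always
crlDistributionPoints = crl_dist
# Points clients at the root certificate; the [ auth_info_access ] section
# below was defined but not referenced by any profile.
authorityInfoAccess = @auth_info_access
#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy
#
# Where the root CA certificate can be downloaded (AIA caIssuers)
[ auth_info_access ]
caIssuers;URI = http://ca.codetecture.no/crl/Root_Certification_Authority.cert.pem
#
# Where the root CA's CRL can be downloaded (CDP)
[ crl_dist ]
fullname = URI:http://ca.codetecture.no/crl/Root_Certification_Authority.crl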