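#!/bin/sh
# Bootstrap a two-tier OpenSSL CA: a self-signed root that signs one
# intermediate (issuing) CA.  Expects root-config.txt and
# intermediate-config.txt in the current directory; everything else is
# created under ./root-ca and ./intermediate-ca.
#
# Stop at the first failing command: every later step assumes the previous
# one produced its key, certificate or index file.
set -eu

# --- Directory layout (identical for both CAs) -----------------------------
# The private keys produced by 'openssl req' below are written unencrypted
# (encrypt_key = no in both configs), so private/ is made owner-only before
# any key is generated into it.
for ca in root-ca intermediate-ca; do
    mkdir -p "$ca/certreqs" "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    touch "$ca/private/.rnd"
    # Issuance database; 'openssl ca' appends one line per issued certificate.
    touch "$ca/$ca.index"
    # CRL number counter, incremented by every 'openssl ca -gencrl'.
    echo 00 > "$ca/$ca.crlnum"
    # Random 128-bit starting serial so serial numbers are not predictable.
    openssl rand -hex 16 > "$ca/$ca.serial"
done
cp root-config.txt root-ca/root-config.txt
cp intermediate-config.txt intermediate-ca/intermediate-config.txt

# --- Root CA: key, self-signed certificate, first CRL ----------------------
cd root-ca/
export OPENSSL_CONF=./root-config.txt
# Generates the root key at default_keyfile (private/root-ca.key.pem) and a CSR.
openssl req -new -out root-ca.req.pem
# Self-sign using the [root-ca_ext] section; 7300 days is roughly 20 years.
openssl ca -selfsign -batch -config root-config.txt -in root-ca.req.pem -out root-ca.cert.pem -extensions root-ca_ext -days 7300
openssl ca -gencrl -out crl/root-ca.crl
# Inspect the new root and check it validates against itself.
openssl x509 -in ./root-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem

# --- Intermediate CA: key and certificate request ---------------------------
cd ../intermediate-ca/
export OPENSSL_CONF=./intermediate-config.txt
# -reqexts is the request-extension option.  The original passed -extensions
# twice, which older 'openssl req' builds only honour together with -x509;
# the config's req_extensions setting names the same section anyway.
openssl req -new -reqexts intermediate-ca_ext -config intermediate-config.txt -out intermediate-ca.req.pem
openssl req -verify -in intermediate-ca.req.pem -noout -text -reqopt no_version,no_pubkey,no_sigdump -nameopt multiline
# The intermediate's CRL cannot be generated at this point: 'openssl ca'
# loads the CA certificate named in the config, and that file does not exist
# until the root has signed the request (see the final step).
cp intermediate-ca.req.pem ../root-ca/certreqs/

# --- Root CA signs the intermediate request ---------------------------------
cd ../root-ca/
export OPENSSL_CONF=./root-config.txt
# Fresh random serial for the intermediate certificate.
openssl rand -hex 16 > root-ca.serial
# -extensions selects the root config's [intermediate-ca_ext] section, which
# overrides the CA-related extensions carried in the CSR.  720 days ~ 2 years.
openssl ca -batch -in certreqs/intermediate-ca.req.pem -out certs/intermediate-ca.cert.pem -extensions intermediate-ca_ext -days 720
openssl x509 -in certs/intermediate-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline
cp certs/intermediate-ca.cert.pem ../intermediate-ca/

# --- Intermediate CA: first CRL, now that its certificate exists ------------
cd ../intermediate-ca/
export OPENSSL_CONF=./intermediate-config.txt
openssl ca -gencrl -out crl/intermediate-ca.crl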
Custom certificate authority with OpenSSL #2
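#
# OpenSSL configuration for the Intermediate Certification Authority.
#
# Loaded through OPENSSL_CONF by 'openssl req' (key and CSR generation) and
# 'openssl ca' (CRL generation and later certificate issuance).  Comments are
# full-line '#' only; OpenSSL does not strip inline comments from values.
#
# CA_HOME defaults to the current directory.  $ENV::CA_HOME is taken from the
# environment when a CA_HOME variable is exported and otherwise falls back to
# this value, so the file loads when run from inside the CA directory.
CA_HOME = .
RANDFILE = $ENV::CA_HOME/private/.rnd

#
# Default Certification Authority
[ ca ]
# Must name an existing section of this file.
default_ca = intermediate_ca

#
# Intermediate Certification Authority
# Renamed from [ intermediate-ca ] to match default_ca above; with the
# mismatch 'openssl ca' cannot look up any of these settings and aborts.
[ intermediate_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/intermediate-ca.serial
database = $dir/intermediate-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/intermediate-ca.cert.pem
private_key = $dir/private/intermediate-ca.key.pem
# Validity used when 'openssl ca' is run without -days.
default_days = 730
crl = $dir/intermediate-ca.crl
crl_dir = $dir/crl
# The bootstrap script creates intermediate-ca.crlnum next to the serial
# file; the original pointed at root-ca.crlnum, which does not exist in this
# directory, so 'openssl ca -gencrl' failed.
crlnumber = $dir/intermediate-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
# SECURITY: 'copy' carries every extension present in a CSR into the issued
# certificate unless the -extensions section overrides it.  Acceptable for
# requests this CA's operator generates; for third-party requests use 'none'
# and define all extensions in this file.
copy_extensions = copy
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
# Build the subject from the policy section instead of keeping the CSR order.
preserve = no
email_in_dn = no
policy = policy
unique_subject = no

#
# Key and CSR generation settings for 'openssl req'
[ req ]
prompt = no
default_bits = 4096
default_keyfile = private/intermediate-ca.key.pem
# SECURITY: the CA private key is written to disk unencrypted.  Keep private/
# owner-only (chmod 700), or set 'yes' and protect the key with a passphrase.
encrypt_key = no
distinguished_name = req_distinguished_name
# Restrict DN strings to UTF8String (the original listed this key twice).
string_mask = utf8only
req_extensions = intermediate-ca_ext
default_md = sha256
utf8 = yes

#
# Distinguished Name Policy for CAs
# 'supplied' attributes must be present in the CSR; 'optional' ones are
# copied when present.
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied

#
# CRL Extensions (defined once; the original repeated this section)
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy

#
# Subject of the intermediate CA certificate request.
# L, ST and C were present but empty in the original; with prompt = no,
# OpenSSL rejects empty DN attributes ("string too short").  They are
# optional under [ policy ], so add them only with real values.
[ req_distinguished_name ]
O = CodeTecture
CN = Intermediate Certification Authority

#
# Intermediate CA Certificate Extensions
# Placed into the CSR via req_extensions; the root CA's own config decides
# what finally appears in the issued certificate.
[ intermediate-ca_ext ]
# pathlen:0 -- this CA may issue end-entity certificates only.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

#
# Certificate download address for the intermediate CA.
# Not referenced yet: wire it in with 'authorityInfoAccess = auth_info_access'
# from the extension section used when this CA issues certificates.
[ auth_info_access ]
caIssuers;URI = http://ca.codetecture.no/crl/Intermediate_Certification_Authority.cert.pem

#
# CRL download address for the intermediate CA.
# Not referenced yet: wire it in with 'crlDistributionPoints = crl_dist'.
[ crl_dist ]
fullname = URI:http://ca.codetecture.no/crl/Intermediate_Certification_Authority.crl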
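#
# OpenSSL configuration for the Root Certification Authority.
#
# Loaded through OPENSSL_CONF by 'openssl req' (key and CSR generation) and
# 'openssl ca' (self-signing, signing the intermediate, CRL generation).
# Comments are full-line '#' only; OpenSSL does not strip inline comments.
#
# CA_HOME defaults to the current directory.  $ENV::CA_HOME is taken from the
# environment when a CA_HOME variable is exported and otherwise falls back to
# this value, so the file loads when run from inside the CA directory.
CA_HOME = .
RANDFILE = $ENV::CA_HOME/private/.rnd

#
# Default Certification Authority
[ ca ]
# Must name an existing section of this file.
default_ca = root_ca

#
# Root Certification Authority
[ root_ca ]
dir = $ENV::CA_HOME
certs = $dir/certs
serial = $dir/root-ca.serial
database = $dir/root-ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/root-ca.cert.pem
private_key = $dir/private/root-ca.key.pem
# Validity used when 'openssl ca' is run without -days (about 20 years).
default_days = 7300
crl = $dir/root-ca.crl
crl_dir = $dir/crl
crlnumber = $dir/root-ca.crlnum
name_opt = multiline, align
cert_opt = no_pubkey
# SECURITY: 'copy' carries every extension present in a CSR into the issued
# certificate unless the -extensions section overrides it.  Acceptable for
# the intermediate request this operator generates; for third-party requests
# use 'none' and define all extensions in this file.
copy_extensions = copy
crl_extensions = crl_ext
default_crl_days = 180
default_md = sha256
# Build the subject from the policy section instead of keeping the CSR order.
preserve = no
email_in_dn = no
policy = policy
unique_subject = no

#
# Distinguished Name Policy for CAs
# 'supplied' attributes must be present in the CSR; 'optional' ones are
# copied when present.
[ policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied

#
# Key and CSR generation settings for 'openssl req'
[ req ]
prompt = no
default_bits = 4096
default_keyfile = private/root-ca.key.pem
# SECURITY: the root private key is written to disk unencrypted.  Keep
# private/ owner-only (chmod 700), or set 'yes' and protect the key with a
# passphrase; the root key should also live offline.
encrypt_key = no
distinguished_name = req_distinguished_name
# Restrict DN strings to UTF8String (the original listed this key twice).
string_mask = utf8only
req_extensions = root-ca_ext
default_md = sha256
utf8 = yes

#
# Subject of the root CA certificate request.
# L, ST and C were present but empty in the original; with prompt = no,
# OpenSSL rejects empty DN attributes ("string too short").  They are
# optional under [ policy ], so add them only with real values.
[ req_distinguished_name ]
O = test
CN = Root Certification Authority

#
# Root CA Certificate Extensions (self-signed via 'openssl ca -selfsign')
[ root-ca_ext ]
# pathlen:1 -- one level of subordinate CA (the intermediate) below the root.
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# A CDP on a self-signed root is unusual: relying parties trust the root
# directly and do not consult its own CRL for it.  Kept as in the original.
crlDistributionPoints = crl_dist

#
# Intermediate CA Certificate Extensions
# Selected with 'openssl ca -extensions intermediate-ca_ext' when signing the
# intermediate CSR; these override the same-named extensions copied from it.
[ intermediate-ca_ext ]
# pathlen:0 -- the intermediate may issue end-entity certificates only.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# RFC 5280 requires the issuer key identifier on every non-self-signed
# certificate; chain building relies on it.  Missing in the original.
authorityKeyIdentifier = keyid:always
# Points relying parties at the root certificate (section below was defined
# but never referenced in the original).
authorityInfoAccess = auth_info_access
crlDistributionPoints = crl_dist

#
# CRL Extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always
issuerAltName = issuer:copy

#
# Certificate download address for the root CA
[ auth_info_access ]
caIssuers;URI = http://ca.codetecture.no/crl/Root_Certification_Authority.cert.pem

#
# CRL download address for the root CA
[ crl_dist ]
fullname = URI:http://ca.codetecture.no/crl/Root_Certification_Authority.crl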