ragoragino/openssl.sh

## openssl.sh
#!/bin/bash

set -ex

touch index.txt
touch RANDFILE

# Configuration of CA
cat <<-EOF > ca.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
certs = \$dir
new_certs_dir = \$dir
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/.rnd
unique_subject = no
private_key = \$dir/ca.key.pem
certificate = \$dir/ca.cert.pem

default_crl_days = 30
default_days = 7300
default_md = sha256

policy = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits = 4096
prompt = no
distinguished_name = req_distinguished_name
X509_extensions = v3_ca

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign

[ req_distinguished_name ]
countryName = CZ
stateOrProvinceName = Prague
localityName = Prague
organizationName = Example Corp
organizationalUnitName = Engineering
commonName = Engineering Department - CA Certificate

[ usr_cert ]
# Extensions for client certificates
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF

cat ca.cnf > server.cnf
cat <<-EOF >> server.cnf
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \$ENV::SUBJECT_ALT_NAME
EOF

# Generate self-signed CA
openssl req -nodes -new -newkey rsa:2048 -keyout ca.key.pem -out ca.req.pem -config ca.cnf
openssl ca -create_serial -batch -extensions v3_ca -out ca.cert.pem -keyfile ca.key.pem -selfsign -config ca.cnf -infiles ca.req.pem

# Generate server certificate
export SUBJECT_ALT_NAME="DNS:example.com"
openssl req -extensions server_cert -nodes -new -newkey rsa:2048 -keyout server.key.pem -out server.csr.pem -config server.cnf \
	-subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=example.com"
openssl ca -batch -config server.cnf -extensions server_cert -days 3760 -notext -in server.csr.pem -out server.cert.pem
unset SUBJECT_ALT_NAME

# Generate intermediate CA and server certificate
rm -rf intermediate && mkdir -p intermediate
(
    cd intermediate
    cp ../ca.cnf ca.cnf && cp ../server.cnf server.cnf
    touch index.txt && touch RANDFILE
    openssl req -nodes -new -newkey rsa:2048 -keyout ca.key.pem -out ca.req.pem -config ca.cnf \
        -subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=Engineering Department - Intermediate CA Certificate"
    (
        cd ..
        openssl ca -batch -extensions v3_intermediate_ca -out intermediate/ca.cert.pem -keyfile ca.key.pem -config ca.cnf -infiles intermediate/ca.req.pem
    )

    export SUBJECT_ALT_NAME="DNS:intermediate.example.com"
    openssl req -extensions server_cert -nodes -new -newkey rsa:2048 -keyout server.key.pem -out server.csr.pem -config server.cnf \
        -subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=Engineering Department - Server B Certificate"
    openssl ca -create_serial -batch -config server.cnf -extensions server_cert -days 3760 -notext -in server.csr.pem -out server.cert.pem
    unset SUBJECT_ALT_NAME
)

# Generate CRL
openssl ca -gencrl -keyfile ca.key.pem -cert ca.cert.pem -out crl.pem -config ca.cnf

# Check CRL
openssl crl -in crl.pem -text

# Verify certificate info
openssl x509 -in server.cert.pem -noout -text

# Verify certificate against CA:
openssl verify -verbose -CAfile ca.cert.pem server.cert.pem

# Verify certificate against CA+CRL:
cat ca.cert.pem crl.pem > crl_chain.pem
openssl verify -crl_check -CAfile crl_chain.pem server.cert.pem

# Verify that private key is consistent and matches a certificate:
openssl rsa -check -noout -in server.key.pem | openssl md5
openssl rsa -modulus -noout -in server.key.pem | openssl md5
openssl x509 -modulus -noout -in server.cert.pem | openssl md5

# Revoke server certificate
openssl ca -revoke server.cert.pem -keyfile ca.key.pem -cert ca.cert.pem -config ca.cnf
openssl ca -gencrl -keyfile ca.key.pem -cert ca.cert.pem -out crl.pem -config ca.cnf

# Verify certificate against new CA+CRL:
cat ca.cert.pem crl.pem > crl_chain.pem
openssl verify -crl_check -CAfile crl_chain.pem server.cert.pem || true

# Start a TLS connection
openssl s_client -connect www.paypal.com:443

# Show all certs presented by the server
echo \n | openssl s_client -showcerts -servername www.paypal.com -connect www.paypal.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

# Some more sources:
# https://www.sslshopper.com/article-most-common-openssl-commands.html
# https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
# https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/2.1/html/administration_guide/chap-red_hat_update_infrastructure-administration_guide-certification_revocation_list_crl
# https://www.phildev.net/ssl/opensslconf.html
# https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html
	#!/bin/bash

	set -ex

	touch index.txt
	touch RANDFILE

	# Configuration of CA
	cat <<-EOF > ca.cnf
	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	dir = .
	certs = \$dir
	new_certs_dir = \$dir
	database = \$dir/index.txt
	serial = \$dir/serial
	RANDFILE = \$dir/.rnd
	unique_subject = no
	private_key = \$dir/ca.key.pem
	certificate = \$dir/ca.cert.pem

	default_crl_days = 30
	default_days = 7300
	default_md = sha256

	policy = policy_match

	[ policy_match ]
	countryName = match
	stateOrProvinceName = match
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional

	[ req ]
	default_bits = 4096
	prompt = no
	distinguished_name = req_distinguished_name
	X509_extensions = v3_ca

	[ v3_ca ]
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign

	[ v3_intermediate_ca ]
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true, pathlen:0
	keyUsage = critical, digitalSignature, keyCertSign

	[ req_distinguished_name ]
	countryName = CZ
	stateOrProvinceName = Prague
	localityName = Prague
	organizationName = Example Corp
	organizationalUnitName = Engineering
	commonName = Engineering Department - CA Certificate

	[ usr_cert ]
	# Extensions for client certificates
	basicConstraints = CA:FALSE
	nsCertType = client
	nsComment = "OpenSSL Generated Client Certificate"
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer
	keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
	extendedKeyUsage = clientAuth, emailProtection
	EOF

	cat ca.cnf > server.cnf
	cat <<-EOF >> server.cnf
	[ server_cert ]
	basicConstraints = CA:FALSE
	nsCertType = server
	nsComment = "OpenSSL Generated Server Certificate"
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer:always
	keyUsage = critical, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth
	subjectAltName = \$ENV::SUBJECT_ALT_NAME
	EOF

	# Generate self-signed CA
	openssl req -nodes -new -newkey rsa:2048 -keyout ca.key.pem -out ca.req.pem -config ca.cnf
	openssl ca -create_serial -batch -extensions v3_ca -out ca.cert.pem -keyfile ca.key.pem -selfsign -config ca.cnf -infiles ca.req.pem

	# Generate server certificate
	export SUBJECT_ALT_NAME="DNS:example.com"
	openssl req -extensions server_cert -nodes -new -newkey rsa:2048 -keyout server.key.pem -out server.csr.pem -config server.cnf \
	-subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=example.com"
	openssl ca -batch -config server.cnf -extensions server_cert -days 3760 -notext -in server.csr.pem -out server.cert.pem
	unset SUBJECT_ALT_NAME

	# Generate intermediate CA and server certificate
	rm -rf intermediate && mkdir -p intermediate
	(
	cd intermediate
	cp ../ca.cnf ca.cnf && cp ../server.cnf server.cnf
	touch index.txt && touch RANDFILE
	openssl req -nodes -new -newkey rsa:2048 -keyout ca.key.pem -out ca.req.pem -config ca.cnf \
	-subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=Engineering Department - Intermediate CA Certificate"
	(
	cd ..
	openssl ca -batch -extensions v3_intermediate_ca -out intermediate/ca.cert.pem -keyfile ca.key.pem -config ca.cnf -infiles intermediate/ca.req.pem
	)

	export SUBJECT_ALT_NAME="DNS:intermediate.example.com"
	openssl req -extensions server_cert -nodes -new -newkey rsa:2048 -keyout server.key.pem -out server.csr.pem -config server.cnf \
	-subj "/C=CZ/ST=Prague/L=Prague/O=Example Corp/OU=Engineering/CN=Engineering Department - Server B Certificate"
	openssl ca -create_serial -batch -config server.cnf -extensions server_cert -days 3760 -notext -in server.csr.pem -out server.cert.pem
	unset SUBJECT_ALT_NAME
	)

	# Generate CRL
	openssl ca -gencrl -keyfile ca.key.pem -cert ca.cert.pem -out crl.pem -config ca.cnf

	# Check CRL
	openssl crl -in crl.pem -text

	# Verify certificate info
	openssl x509 -in server.cert.pem -noout -text

	# Verify certificate against CA:
	openssl verify -verbose -CAfile ca.cert.pem server.cert.pem

	# Verify certificate against CA+CRL:
	cat ca.cert.pem crl.pem > crl_chain.pem
	openssl verify -crl_check -CAfile crl_chain.pem server.cert.pem

	# Verify that private key is consistent and matches a certificate:
	openssl rsa -check -noout -in server.key.pem \| openssl md5
	openssl rsa -modulus -noout -in server.key.pem \| openssl md5
	openssl x509 -modulus -noout -in server.cert.pem \| openssl md5

	# Revoke server certificate
	openssl ca -revoke server.cert.pem -keyfile ca.key.pem -cert ca.cert.pem -config ca.cnf
	openssl ca -gencrl -keyfile ca.key.pem -cert ca.cert.pem -out crl.pem -config ca.cnf

	# Verify certificate against new CA+CRL:
	cat ca.cert.pem crl.pem > crl_chain.pem
	openssl verify -crl_check -CAfile crl_chain.pem server.cert.pem \|\| true

	# Start a TLS connection
	openssl s_client -connect www.paypal.com:443

	# Show all certs presented by the server
	echo \n \| openssl s_client -showcerts -servername www.paypal.com -connect www.paypal.com:443 2>/dev/null \| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

	# Some more sources:
	# https://www.sslshopper.com/article-most-common-openssl-commands.html
	# https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
	# https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/2.1/html/administration_guide/chap-red_hat_update_infrastructure-administration_guide-certification_revocation_list_crl
	# https://www.phildev.net/ssl/opensslconf.html
	# https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html