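#!/bin/bash
# Create a self-signed root CA under ./ca: directory layout, an OpenSSL
# configuration, serial/CRL-number counters, a 4096-bit RSA key, the root
# certificate and an initial (empty) CRL.
#
# Usage:    ./create-ca.sh          (no arguments; prompts for the subject DN)
# Outputs:  ./ca/            the CA working tree (private/ holds the key)
#           ./root-ca.tgz    archive containing only the public root cert
# Returns:  0 on success, 1 on usage error, existing ./ca, or a failed step
set -euo pipefail

if [ $# -ne 0 ]; then
  echo "Usage: ${0##*/}" >&2
  exit 1
fi

# Refuse to run on top of an existing CA tree: regenerating the key or
# re-seeding db/*.serial would silently corrupt a CA that is already in use.
if [ -e ca ]; then
  echo "Error: ./ca already exists; move it away before creating a new CA" >&2
  exit 1
fi
mkdir ca
cd ca || exit 1
mkdir -pv cert private db crl
# The private key lives here; nobody but the owner may list or read it.
chmod 700 private
export ca="root-ca"
# Archive directory for certificates issued by this CA (new_certs_dir below).
mkdir -pv "$ca"

# Static part of the config. \$var is left for OpenSSL to expand; $ca is
# expanded now by the shell.
cat <<HEREDOC > openssl.cnf
[default]
ca = $ca
dir = .
base_url = http://example.com # CA base URL
aia_url = \$base_url/\$ca.cer # CA certificate URL
crl_url = \$base_url/\$ca.crl # CRL distribution point
name_opt = multiline,-esc_msb,utf8 # Display UTF-8 characters
[ ca ]
default_ca = root_ca # The default CA section
[ root_ca ]
certificate = \$dir/cert/\$ca.pem # The CA cert
private_key = \$dir/private/\$ca.key # CA private key
new_certs_dir = \$dir/\$ca # Certificate archive
serial = \$dir/db/\$ca.serial # Serial number file
crlnumber = \$dir/db/\$ca.crlnumber # CRL number file
database = \$dir/db/index.txt # Index file
unique_subject = no # Require unique subject
default_days = 3652 # How long to certify for
default_md = sha256 # Digest for issued certs and CRLs (sha1 is no longer accepted by clients)
policy = match_pol # Default naming policy
email_in_dn = no # Add email to cert DN
preserve = no # Keep passed DN ordering
name_opt = \$name_opt # Subject DN display options
cert_opt = ca_default # Certificate display options
copy_extensions = none # Copy extensions from CSR
default_crl_days = 30 # How long before next CRL
crl_extensions = crl_ext # CRL extensions
crl = \$dir/crl/crl.pem # The current CRL
[match_pol]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ crl_ext ]
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
[ issuer_info ]
caIssuers;URI.0 = \$aia_url
[ crl_info ]
# Not referenced by any section in this file; available for an issued-cert
# profile that wants crlDistributionPoints = @crl_info.
URI.0 = \$crl_url
HEREDOC

# Subject DN for the root certificate; defaults are applied when the answer
# is empty. -r keeps backslashes in the input literal.
read -r -p "Country [CN]>" COUNTRY
export COUNTRY=${COUNTRY:-"CN"}
read -r -p "Org [Example Ltd]>" ORG
export ORG=${ORG:-"Example Ltd"}
read -r -p "CN>" CN
export CN=${CN:-"Example Root CA"}

# Request/self-sign part of the config. $COUNTRY/$ORG/$CN are expanded now.
cat <<HEREDOC >> openssl.cnf
[req]
default_bits = 4096
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
distinguished_name = ca_dn
req_extensions = ca_ext
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
[ca_dn]
countryName = "C"
countryName_default = $COUNTRY
organizationName = "O"
organizationName_default = $ORG
commonName = "CN"
commonName_default = $CN
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
HEREDOC

echo "Here's the settings:"
cat openssl.cnf
read -r -p "Is this OK [y/n]?" OK
if [[ "$OK" =~ ^[Yy]$ ]]; then
  # Seed the serial and CRL-number counters. Overwrite rather than append so
  # the files never hold more than one line, which openssl cannot parse.
  echo 1000 > "db/$ca.serial"
  echo 1000 > "db/$ca.crlnumber"
  touch db/index.txt db/index.txt.attr
  # Generate the key under a restrictive umask so it is never readable by
  # others, even between creation and the chmod below. NOTE: the key is
  # stored unencrypted (encrypt_key = no); the private/ directory is the
  # only protection, so keep the CA tree on suitably protected storage.
  (umask 077 && openssl genrsa -out "private/$ca.key" 4096)
  chmod 400 "private/$ca.key"
  # Check the new private key is ok (as with any key). -noout stops openssl
  # from echoing the private key itself to stdout (and into any log).
  openssl rsa -in "private/$ca.key" -check -noout
  openssl req -new -x509 -days 3650 -key "private/$ca.key" -out "cert/$ca.pem" -config openssl.cnf -batch
  # Create a template CRL file
  openssl ca -keyfile "private/$ca.key" -cert "cert/$ca.pem" -gencrl -out crl/crl.pem -config openssl.cnf
  # Test the CRL is ok; print its decoded contents only.
  openssl crl -in crl/crl.pem -text -noout
  # Only the public certificate goes into the archive; the key stays in private/.
  tar czf "../$ca.tgz" "cert/$ca.pem"
  echo "Root Certificate is stored into $ca.tgz"
else
  echo "Aborting"
fi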