Becoming a certificate authority (CA) in one file

July 15, 2011 at 2:06 pm Leave a comment

I found this blog post very useful when trying to set up a CA : Becoming a certificate authority.

However extended howtos with cut-and-paste code samples, though useful, kind of suck for some use cases. I’ve converted this into a single file bash script which you should be able to download and run to create a sample CA, and sign a sample certificate.

Bear in mind that you probably want to tweak a few things, but this should give you something that works

# Make a key
rm -rf cert_dir
mkdir cert_dir

# First we need keys to prove that we have signed things
openssl genrsa 1025 > cert_dir/private.pem # private key
openssl rsa -in cert_dir/private.pem -pubout -out cert_dir/public.pem

# Then we need a certificate to tell other people that we can 
# issue certificates

#    Write down what we want to appear in this certificate

cat > cert_dir/ca_config <<EOF
[ req ]
#default_bits           = 1024
#default_keyfile        = privkey.pem
distinguished_name     = req_distinguished_name
#attributes             = req_attributes
x509_extensions        = v3_ca
prompt = no

[ req_distinguished_name ]
countryName                    = UK 
localityName                   = London 
organizationalUnitName         = Certs 
commonName                     = 
#emailAddress                   = test@test 

[ v3_ca ]
basicConstraints = CA:true

[ ca ]
default_ca = CA_Default

[ CA_Default ]
email_in_dn             = no
dir                     = .
new_certs_dir           = ./cert_dir
database                = ./cert_dir/issue
certificate             = ./cert_dir/ca_cert
serial                  = ./cert_dir/serial
private_key             = ./cert_dir/private.pem
name_opt                = ca_default
cert_opt                = ca_default
default_crl_days        = 30
default_days            = 365
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

#     Turn this configuration into a certificate
echo creating ca cert
openssl req -config cert_dir/ca_config -key cert_dir/private.pem -new -x509 -extensions v3_ca > cert_dir/ca_cert 

# Some configuration files to remember what we have signed
echo 0001 > cert_dir/serial
touch cert_dir/issue # database
touch cert_dir/issue.attr

# We now are a working certificate authority - yay!

# Now to do some sample signing...

echo signing sample cert

# Reuse out CA key as our server key - 
# in real life this would be different

# A site creates request for something to be signed, they
# must sign this so that only they can claim to be this person

#    Writing down details of certification request
cat > cert_dir/cert_config << EOF
[ req ]
#default_bits           = 1024
#default_keyfile        = privkey.pem
distinguished_name     = req_distinguished_name
#attributes             = req_attributes
prompt = no

[ req_distinguished_name ]
countryName                    = MN 
localityName                   = GoogleVile 
organizationalUnitName         = google 
commonName                     = * 
#emailAddress                   = test@test 

#    Turn this configuration into a binary request
openssl req -new -config cert_dir/cert_config -key cert_dir/private.pem > cert_dir/sample_site.req

# We then sign this certifcate to say that we believe they are who they say they are
openssl ca -batch -config cert_dir/ca_config -in cert_dir/sample_site.req -out cert_dir/sample_site.cert

Entry filed under: Uncategorized. Tags: , , .

Minimal working implementation of a socks 5 proxy Key exchange overview

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

July 2011
« Jun   Sep »

%d bloggers like this: