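#!/bin/sh

# Generate a CA with a self-signed root certificate that then signs the server
# and client certificates used as test fixtures.
# Based on the OpenSSL Cookbook by Ivan Ristic:
# https://www.feistyduck.com/library/openssl-cookbook/online/
#
# Especially, see chapter 1.5. Creating a private Certification Authority:
# https://www.feistyduck.com/library/openssl-cookbook/online/openssl-command-line/private-ca.html
#
# Run this from the directory that holds root-ca.cnf, server.cnf and client.cnf;
# all paths below are relative to the current directory.
# All private keys (including the root CA key) are written as unencrypted PEM
# next to each other in $KEY_PATH: this output is test data only.

# Abort on the first failed command and on any unset variable. Without this, a
# failed openssl step is silently followed by the cleanup at the bottom, which
# removes the CA state and leaves a half-generated, inconsistent set of files.
# (POSIX sh: "pipefail" is not available, and no pipelines are used here.)
set -eu

# Exported so the OpenSSL config files can pick them up from the environment
# (presumably via $ENV::NAME in the .cnf files, which are not part of this script).
export KEY_PATH=keys
export CRT_PATH=certificates
export CA_PATH=ca

# Create environment.
# $CA_PATH is deleted in the end.
# If new certificates need to be issued, this needs to be done before the cleanup in the end.
mkdir -p -- "$KEY_PATH" "$CRT_PATH" "$CA_PATH/db" "$CA_PATH/private" "$CA_PATH/certificates"
touch -- "$CA_PATH/db/index"
# Random 128-bit starting serial (as in the cookbook) so serial numbers are not predictable.
openssl rand -hex 16 > "$CA_PATH/db/serial"


# Generate all private keys (Ed25519, no passphrase).
openssl genpkey -algorithm ed25519 -out "$KEY_PATH/root-ca.key"
openssl genpkey -algorithm ed25519 -out "$KEY_PATH/server.key"
openssl genpkey -algorithm ed25519 -out "$KEY_PATH/client.key"

# For the server, we also need the public key
openssl pkey -in "$KEY_PATH/server.key" -pubout -out "$KEY_PATH/server.pub"


# Generate a Certificate Signing Request for the Root CA based on a config file
openssl req -new \
    -config root-ca.cnf -out root-ca.csr \
    -key "$KEY_PATH/root-ca.key"

# Self-sign the root certificate.
# No -days here: the root's validity period comes from root-ca.cnf.
openssl ca -batch \
    -selfsign -config root-ca.cnf \
    -extensions ca_ext \
    -in root-ca.csr -out "$CRT_PATH/root-ca.crt" -notext


# Create a Certificate Signing request for the server certificate
openssl req -new \
    -config server.cnf -out server.csr \
    -key "$KEY_PATH/server.key"
# Print the CSR for inspection in the build log (no output file is written).
openssl req -text -in server.csr -noout

# Issue the server certificate (valid 1825 days = 5 years).
# NOTE(review): -extensions is given twice. OpenSSL keeps the last value, so the
# extensions applied appear to come from section "ext" of server.cnf (-extfile),
# not from "server_ext" in root-ca.cnf -- confirm against the two .cnf files.
# Left unchanged so the issued certificate is identical to before.
openssl ca -batch \
    -config root-ca.cnf \
    -extensions server_ext \
    -extfile server.cnf -extensions ext \
    -in server.csr -out "$CRT_PATH/server.crt" -notext \
    -days 1825


# Create a Certificate Signing request for the client certificate
openssl req -new \
    -config client.cnf -out client.csr \
    -key "$KEY_PATH/client.key"

# Issue the client certificate (valid 1825 days = 5 years).
openssl ca -batch \
    -config root-ca.cnf \
    -extensions client_ext \
    -in client.csr -out "$CRT_PATH/client.crt" -notext \
    -days 1825



# Clean up
# IMPORTANT: If new certificates should be issued, $CA_PATH and its files MUST NOT be deleted!
# New certificates can be created in this script before cleaning up.
# "${CA_PATH:?}" aborts if the variable is ever unset or empty instead of
# expanding to nothing, and "--" stops rm from treating a name as an option.
rm -rf -- *.csr "${CA_PATH:?}"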