Generate CA And Server Certificate
Generate CA
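#!/bin/bash
# Create a self-signed root CA (private key + certificate) under ./<purpose>/.
#
# Usage: generate-ca.sh [purpose] [organization]
#   $1 purpose      - directory name and file-name prefix (default: example)
#   $2 organization - O= and CN= of the CA subject
#
# Outputs (inside ./<purpose>/):
#   <purpose>-ca.conf  - openssl request config used for the CA certificate
#   <purpose>.pass     - passphrase protecting the CA private key
#   <purpose>-CA.key   - encrypted CA private key
#   <purpose>-CA.pem   - self-signed CA certificate
set -euo pipefail

# variables
purpose=${1:-"example"}
organization=${2:-"Example SOFTWARE TECHNOLOGY CO., LTD."}
days=36500
country=CN
stateOrProvince=ANHUI
commonCA=$organization

# The passphrase file and the CA private key must not be readable by others.
umask 077

# -p: re-running the script must not abort on an existing directory
mkdir -p "${purpose}"
pushd "${purpose}" >/dev/null

# prepare configs
# The v3_ca section marks the certificate explicitly as a CA (basicConstraints)
# and limits its key to signing certificates and CRLs, instead of relying on
# whatever extensions the installed OpenSSL applies by default when -config is used.
cat > "${purpose}-ca.conf" <<END_OF_HEREDOC_MARKER
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
C = ${country}
ST = ${stateOrProvince}
O = ${organization}
CN = ${commonCA}
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
END_OF_HEREDOC_MARKER

# generate
## CA
# random passphrase for the CA key; -aes256 replaces the legacy -des3 key wrapping
openssl rand -out "${purpose}.pass" -base64 14
openssl genrsa -aes256 -out "${purpose}-CA.key" -passout "file:${purpose}.pass" 2048
# -nodes dropped: the key is read via -key, no key is written by this step
openssl req -x509 -new -passin "file:${purpose}.pass" -key "${purpose}-CA.key" \
  -sha256 -days "$days" -out "${purpose}-CA.pem" -config "${purpose}-ca.conf"

# Print
## CA
openssl x509 -text -noout -in "${purpose}-CA.pem"
popd >/dev/null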
Generate Intermediate CA
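# Issue an intermediate CA certificate signed by the root CA from "Generate CA".
# Run inside the root CA directory (./<ca>/). The surrounding scripts define the
# variables below; defaults are only filled in when a variable is unset, and
# `common` has no default because it names the intermediate CA:
#   ca               - root CA file prefix (<ca>-CA.pem, <ca>-CA.key, <ca>.pass)
#   purpose          - file-name prefix for the intermediate CA files
#   common           - CN and DNS SAN of the intermediate CA
#   country, stateOrProvince, organization - subject fields; the stock
#                      openssl.cnf policy_match used by `openssl ca` requires
#                      C, ST and O to equal the root CA's
# Outputs: <purpose>-intermediate-ca.{conf,ext,key,csr,cert} and ./demoCA/
set -euo pipefail
: "${ca:=example}"
: "${purpose:=example}"
: "${country:=CN}"
: "${stateOrProvince:=ANHUI}"
: "${organization:=Example SOFTWARE TECHNOLOGY CO., LTD.}"
: "${common:?common must be set to the intermediate CA name (CN / DNS SAN)}"

# The intermediate key is written unencrypted (the signing script reads it
# without a passphrase); keep it owner-readable only.
umask 077

## prepare ca config
cat > "${purpose}-intermediate-ca.conf" <<END_OF_HEREDOC_MARKER
[ req ]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = ${country}
ST = ${stateOrProvince}
O = ${organization}
CN = ${common}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${common}
END_OF_HEREDOC_MARKER

# Extensions applied by `openssl ca` (the unnamed default section of -extfile).
# pathlen:0 stops this CA from issuing further CAs; SKID/AKID let verifiers
# bind the chain by key id rather than by subject name alone.
cat > "${purpose}-intermediate-ca.ext" <<END_OF_HEREDOC_MARKER
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName=@alt_names
[ alt_names ]
DNS.1 = ${common}
END_OF_HEREDOC_MARKER

openssl genrsa -out "${purpose}-intermediate-ca.key" 2048
printf '%s\n' "generate csr"
openssl req -config "${purpose}-intermediate-ca.conf" -key "${purpose}-intermediate-ca.key" \
  -new -sha256 -out "${purpose}-intermediate-ca.csr"

# `openssl ca` keeps its database in ./demoCA (stock openssl.cnf default);
# create the layout once, never reset serial/index on re-runs.
if ! [ -e demoCA ]; then
  mkdir -p demoCA/{certs,crl,newcerts,private,csr}
  echo 1000 > demoCA/serial
  echo 0100 > demoCA/crlnumber
  touch demoCA/index.txt
fi

printf '%s\n' "generate intermediate-ca"
openssl ca -days 36500 -notext -md sha256 -in "${purpose}-intermediate-ca.csr" \
  -out "${purpose}-intermediate-ca.cert" -extfile "${purpose}-intermediate-ca.ext" \
  -cert "${ca}-CA.pem" -keyfile "${ca}-CA.key" -passin "file:${ca}.pass"

# the new intermediate must chain to the root it was issued by
openssl verify -CAfile "${ca}-CA.pem" "${purpose}-intermediate-ca.cert"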
Generate CSR
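#!/bin/bash
# Create a private key and a certificate signing request for a host and its
# wildcard (CN = *.<purpose>).
#
# Usage: generate-csr.sh [ca] [purpose] [organization]
#   $1 ca           - CA file prefix; not used here, kept so the argument order
#                     matches the signing scripts
#   $2 purpose      - domain; also the key/CSR file-name prefix
#   $3 organization - O= of the subject
#
# Outputs: <purpose>.req (openssl config), <purpose>.key (unencrypted private
# key), <purpose>.csr
set -euo pipefail

# variables
# shellcheck disable=SC2034 -- positional placeholder, see usage above
ca=${1:-"example"}
purpose=${2:-"example.com"}
country=CN
stateOrProvince=ANHUI
locality=HEFEI
organization=${3:-"Example SOFTWARE TECHNOLOGY CO., LTD."}
common="*.${purpose}"

# The server key is written unencrypted; keep it owner-readable only.
umask 077

# prepare configs
cat > "${purpose}.req" <<END_OF_HEREDOC_MARKER
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = ${country}
ST = ${stateOrProvince}
L = ${locality}
O = ${organization}
CN = ${common}
END_OF_HEREDOC_MARKER

# generate
## CSR
openssl genrsa -out "${purpose}.key" 2048
# -sha256 pins the CSR signature digest instead of relying on the build default
openssl req -new -sha256 -key "${purpose}.key" -out "${purpose}.csr" -config "${purpose}.req"

# Print
## CSR
openssl req -in "${purpose}.csr" -text -noout -verify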
Generate Server Certificate from CA
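#!/bin/bash
# Sign a CSR with the root CA from "Generate CA" to produce a server certificate.
#
# Usage: sign-server-cert.sh [ca] [purpose]
#   $1 ca      - root CA file prefix (<ca>-CA.pem, <ca>-CA.key, <ca>.pass)
#   $2 purpose - domain; expects <purpose>.csr, writes <purpose>.ext and <purpose>.crt
set -euo pipefail

# variables
ca=${1:-"example"}
purpose=${2:-"example.com"}
days=36500
keyUsage="digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
extendedKeyUsage=serverAuth

# prepare configs
# `openssl x509 -req` does not take extensions from the CSR by default; the
# SAN and usage constraints of the issued certificate come only from this file.
cat > "${purpose}.ext" <<END_OF_HEREDOC_MARKER
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = ${keyUsage}
extendedKeyUsage = ${extendedKeyUsage}
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${purpose}
DNS.2 = *.${purpose}
END_OF_HEREDOC_MARKER

# generate
## CER
# -CAcreateserial keeps the issuer's serial counter in a .srl file next to the CA cert
openssl x509 -req -in "${purpose}.csr" -passin "file:${ca}.pass" -CA "${ca}-CA.pem" \
  -CAkey "${ca}-CA.key" -CAcreateserial -out "${purpose}.crt" -days "$days" -sha256 \
  -extfile "${purpose}.ext"

# Print
## CER
# `openssl x509` has no -verify option (that belongs to `openssl req`);
# the chain check is done with `openssl verify` instead.
openssl x509 -in "${purpose}.crt" -text -noout -dates -purpose
openssl verify -CAfile "${ca}-CA.pem" "${purpose}.crt"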
Generate Server Certificate from Intermediate CA
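#!/bin/bash
# Sign a CSR with the intermediate CA from "Generate Intermediate CA" and build
# the chain file a server presents (leaf certificate followed by the intermediate).
#
# Usage: sign-server-cert-intermediate.sh [purpose] [ca] [root_ca]
#   $1 purpose - domain; expects <purpose>.csr, writes <purpose>.ext/.cert/.crt
#   $2 ca      - intermediate CA file prefix: <ca>.cert and <ca>.key
#   $3 root_ca - root CA certificate file, used only for the final chain check
set -euo pipefail

# variables
purpose=${1:-"example.com"}
# Prefix only: with the former default "example-intermediate-ca.cert" the script
# looked for example-intermediate-ca.cert.cert and .cert.key, which do not exist.
ca=${2:-"example-intermediate-ca"}
root_ca=${3:-"example-CA.pem"}
days=36500
keyUsage="digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
extendedKeyUsage=serverAuth

# prepare configs
# `openssl x509 -req` does not take extensions from the CSR by default; the
# SAN and usage constraints of the issued certificate come only from this file.
cat > "${purpose}.ext" <<END_OF_HEREDOC_MARKER
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = ${keyUsage}
extendedKeyUsage = ${extendedKeyUsage}
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${purpose}
DNS.2 = *.${purpose}
END_OF_HEREDOC_MARKER

# generate
## CER
openssl x509 -req -in "${purpose}.csr" -CA "${ca}.cert" -CAkey "${ca}.key" -CAcreateserial \
  -out "${purpose}.cert" -days "$days" -sha256 -extfile "${purpose}.ext"
# Chain file: leaf first, then the intermediate. The root is not included;
# clients must already trust it (see "import ca").
cat "${purpose}.cert" "${ca}.cert" > "${purpose}.crt"

# Print
## CER
# `openssl x509` has no -verify option; -text prints only the first certificate
# of the chain file. The full path leaf -> intermediate -> root is checked with
# `openssl verify` (intermediate passed as -untrusted, root as the trust anchor).
openssl x509 -in "${purpose}.crt" -text -noout -dates -purpose
openssl verify -CAfile "${root_ca}" -untrusted "${ca}.cert" "${purpose}.cert"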
Import CA
PowerShell for Windows
# Import the root CA certificate into the machine-wide trusted root store
# (writing to Cert:\LocalMachine typically requires an elevated shell).
$caCertificate = 'c:\certs\example-CA.pem'
$rootStore = 'Cert:\LocalMachine\Root'
Import-Certificate -FilePath $caCertificate -CertStoreLocation $rootStore
Ubuntu
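# Install the root CA into the system trust store. update-ca-certificates only
# picks up PEM files with a .crt extension under /usr/local/share/ca-certificates.
# Only the root CA belongs here; the intermediate is served by the server
# (see "Use an intermediate certificate").
openssl x509 -in example-CA.pem -inform PEM -out example-CA.crt
# -p: do not fail when the directory already exists (re-runs, several CAs)
sudo mkdir -p /usr/local/share/ca-certificates/extra
sudo cp example-CA.crt /usr/local/share/ca-certificates/extra/
sudo update-ca-certificates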
Use an intermediate certificate
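# Build the chain file the server presents: the server (leaf) certificate first,
# followed by the intermediate certificate(s). The root CA is not needed here;
# clients validate against the root they already trust.
mkdir -p certs
cat domain.crt intermediate-certificates.pem > certs/domain.crt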