From b6df360b9eacbb758c30cda76a45368ad9012e83 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 1 Jun 2011 18:36:49 +0000
Subject: [PATCH] Simple automated certificate creation demo.
---
demos/certs/README | 9 +++++++
demos/certs/ca.cnf | 57 ++++++++++++++++++++++++++++++++++++++++++
demos/certs/mkcerts.sh | 25 ++++++++++++++++++
3 files changed, 91 insertions(+)
create mode 100644 demos/certs/README
create mode 100644 demos/certs/ca.cnf
create mode 100644 demos/certs/mkcerts.sh
diff --git a/demos/certs/README b/demos/certs/README
new file mode 100644
index 000000000..d022d0afc
--- /dev/null
+++ b/demos/certs/README
@@ -0,0 +1,9 @@
+There is often a need to generate test certificates automatically using
+a script. This is often a cause for confusion which can result in incorrect
+CA certificates, obsolete V1 certificates or duplicate serial numbers.
+The range of command line options can be daunting for a beginner.
+
+This is a simple example of how to generate certificates automatically
+using scripts. Example creates a root CA, a server certificate signed by
+the root, an intermediate CA signed by the root and finally a client
+certificate signed by the intermediate CA.
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
new file mode 100644
index 000000000..195b23652
--- /dev/null
+++ b/demos/certs/ca.cnf
@@ -0,0 +1,57 @@
+#
+# OpenSSL example configuration file for automated certificate creation.
+#
+
+# This definition stops the following lines choking if HOME or CN
+# is undefined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+CN = "Not Defined"
+
+####################################################################
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+# Don't prompt for fields: use those in section directly
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = UK
+
+organizationName = OpenSSL Group
+# Take CN from environment so it can come from a script.
+commonName = $ENV::CN
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+
diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh
new file mode 100644
index 000000000..81e7dc5de
--- /dev/null
+++ b/demos/certs/mkcerts.sh
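Review bot: The `[ usr_cert ]` section emits no subjectAltName and no extendedKeyUsage, so the server certificate the script builds from it identifies its host only through the commonName pulled from `$ENV::CN`; hostname-checking TLS clients increasingly require a DNS SAN and ignore CN, so a reader who copies this for a real test server will get an unexplained verification failure. I would say so right above `basicConstraints=critical, CA:FALSE`, e.g. `# NOTE: no subjectAltName/extendedKeyUsage here; add subjectAltName=DNS:<host> (and serverAuth/clientAuth) before using server.pem or client.pem with a hostname- or EKU-checking client`. Two smaller points in the same hunk: `default_bits = 1024` is below the 2048 the script passes for the CA keys, so anyone using ca.cnf without the script silently gets a weaker key (`default_bits = 2048` would be consistent), and the end-entity section uses `authorityKeyIdentifier=keyid` while `[ v3_ca ]` uses `keyid:always`; the difference is harmless here but worth a one-line comment so it does not look like an oversight.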
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OPENSSL=openssl
+
+# Root CA: create certificate directly
+CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
+ -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
+# Server certificate: create request first
+CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
+ -keyout skey.pem -out req.pem -newkey rsa:1024
+# Sign request: end entity extensions
+$OPENSSL x509 -req -in req.pem -CA root.pem -days 3600 \
+ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
+# Intermediate CA: request first
+CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
+ -keyout intkey.pem -out intreq.pem -newkey rsa:2048
+# Sign request: CA extensions
+$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
+ -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
+# Client certificate: request first
+CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
+ -keyout ckey.pem -out creq.pem -newkey rsa:1024
+# Sign using intermediate CA
+$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
+ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
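Review bot: root.pem ends up holding the root private key next to the root certificate, because the first `req` call passes `-keyout root.pem -out root.pem`, and the two `x509 -req` signings with `-CA root.pem` depend on that by omitting `-CAkey`; anyone who installs root.pem as a trust anchor therefore ships the CA private key with it, which is exactly the kind of mistake a demo meant to prevent "incorrect CA certificates" should not model. The keys are also written unencrypted (`-nodes`) under whatever umask the caller has, and with no `set -e` a failed step lets the next one sign a stale or missing request. I would keep the root key in its own file and pass it explicitly with `-CAkey rootkey.pem`, and start the script with `set -e` and `umask 077`; the 1024-bit leaf keys would likely also be raised to `rsa:2048` today, though that was a common demo size when this was written.

```shell
#!/bin/sh
set -e      # stop at the first failed openssl step instead of signing stale files
umask 077   # -nodes keys are unencrypted; keep them owner-readable only

OPENSSL=openssl

# Root CA: key and certificate in separate files so root.pem can be handed out
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
 -keyout rootkey.pem -out root.pem -newkey rsa:2048 -days 3650
# … unchanged: server request …
$OPENSSL x509 -req -in req.pem -CA root.pem -CAkey rootkey.pem -days 3600 \
 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
# … unchanged: intermediate request …
$OPENSSL x509 -req -in intreq.pem -CA root.pem -CAkey rootkey.pem -days 3600 \
 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
# … unchanged: client request and signing by the intermediate CA …
```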