Create a root CA cert, an intermediate CA cert, and a server cert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Copy the 4 scripts to /home/<user> | |
| From /home/<user>: | |
| ./setup_rootca.sh | |
| ./setup_blacklakeca.sh | |
| ipaddr=$(ip route get 8.8.8.8 | awk '{print $7}') | |
| SUBJ_IP=$ipaddr ./stratus_server_cert.sh | |
| This will: | |
| 1. Setup the self signed root CA | |
| 2. Setup the blacklake intermediate CA | |
| 3. Create the stratus server cert | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # OpenSSL configuration file. | |
| # | |
| HOME = . | |
| dir = $HOME/CA/intermediate | |
| #################################################################### | |
| [ ca ] | |
| default_ca = CA_default | |
| [ CA_default ] | |
| certificate = $dir/certs/blacklakeca.cert.pem | |
| private_key = $dir/private/blacklakeca.key.pem | |
| certs = $dir/certs | |
| new_certs_dir = $dir/newcerts | |
| database = $dir/index.txt | |
| serial = $dir/serial | |
| RANDFILE = $dir/private/.rand | |
| crl_dir = $dir/crl | |
| crlnumber = $dir/crlnumber | |
| crl = $crl_dir/blacklakeca.crl.pem | |
| crl_extensions = crl_ext | |
| default_crl_days = 30 | |
| default_md = sha512 | |
| nameopt = ca_default | |
| certopt = ca_default | |
| default_days = 1095 | |
| preserve = no | |
| policy = policy_loose | |
| email_in_dn = yes | |
| unique_subject = no | |
| [ policy_loose ] | |
| countryName = optional | |
| stateOrProvinceName = optional | |
| localityName = optional | |
| organizationName = optional | |
| organizationalUnitName = optional | |
| commonName = supplied | |
| emailAddress = optional | |
| #################################################################### | |
| [ req ] | |
| default_bits = 4096 | |
| default_md = sha512 | |
| distinguished_name = req_distinguished_name | |
| string_mask = utf8only | |
| attributes = req_attributes | |
| x509_extensions = v3_intermediate_ca | |
| [ req_distinguished_name ] | |
| countryName = Country Name (2 letter code) | |
| countryName_min = 2 | |
| countryName_max = 2 | |
| stateOrProvinceName = State or Province Name (full name) | |
| localityName = Locality Name (city, district) | |
| 0.organizationName = Organization Name (company) | |
| organizationalUnitName = Organizational Unit Name (department, division) | |
| commonName = Common Name (hostname, IP, or your name) | |
| commonName_max = 64 | |
| emailAddress = Email Address | |
| emailAddress_max = 64 | |
| [ req_attributes ] | |
| [ v3_intermediate_ca ] | |
| basicConstraints = critical, CA:TRUE, pathlen:0 | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always | |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
| subjectAltName = email:move | |
| [ crl_ext ] | |
| authorityKeyIdentifier = keyid:always | |
| [ ocsp ] | |
| basicConstraints = CA:FALSE | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid | |
| keyUsage = critical, digitalSignature | |
| extendedKeyUsage = critical, OCSPSigning |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Run: ./prep_ca_dirs.sh | |
| # will run in user's home dir | |
| cd /home/$(whoami) | |
| printf "========= Prep CA dirs ==========\n" | |
| # Prepare root CA directories in dir CA | |
| mkdir -p CA && cd CA | |
| mkdir -p certs newcerts csr crl private | |
| chmod 700 private | |
| touch index.txt | |
| if [[ ! -e 'serial' ]]; then | |
| echo '1000' > serial | |
| fi | |
| if [[ ! -e 'crlnumber' ]]; then | |
| echo '1000' > crlnumber | |
| fi | |
| # Prepare intermediate CA directories in dir CA/intermediate | |
| mkdir -p intermediate && cd intermediate | |
| mkdir -p certs newcerts crl csr private | |
| chmod 700 private | |
| touch index.txt | |
| if [[ ! -e 'serial' ]]; then | |
| echo '1000' > serial | |
| fi | |
| if [[ ! -e 'crlnumber' ]]; then | |
| echo '1000' > crlnumber | |
| fi | |
| cd /home/$(whoami) | |
| printf "========= Place CA scripts ==========\n" | |
| SRC='/vagrant/client_files' | |
| cp $SRC/openssl/setup_rootca.sh setup_rootca.sh | |
| cp $SRC/openssl/setup_blacklakeca.sh setup_blacklakeca.sh | |
| cp $SRC/openssl/stratus_server_cert.sh stratus_server_cert.sh | |
| chmod +x *.sh |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # OpenSSL configuration file. | |
| # | |
| HOME = . | |
| dir = $HOME/CA | |
| #################################################################### | |
| [ ca ] | |
| default_ca = CA_default | |
| [ CA_default ] | |
| certificate = $dir/certs/rootca.cert.pem | |
| private_key = $dir/private/rootca.key.pem | |
| certs = $dir/certs | |
| new_certs_dir = $dir/newcerts | |
| database = $dir/index.txt | |
| serial = $dir/serial | |
| RANDFILE = $dir/private/.rand | |
| crl_dir = $dir/crl | |
| crlnumber = $dir/crlnumber | |
| crl = $crl_dir/rootca.crl.pem | |
| crl_extensions = crl_ext | |
| default_crl_days = 30 | |
| default_md = sha512 | |
| nameopt = ca_default | |
| certopt = ca_default | |
| default_days = 3650 | |
| preserve = no | |
| policy = policy_strict | |
| email_in_dn = yes | |
| unique_subject = no | |
| [ policy_strict ] | |
| countryName = match | |
| stateOrProvinceName = match | |
| organizationName = match | |
| organizationalUnitName = optional | |
| commonName = supplied | |
| emailAddress = optional | |
| #################################################################### | |
| [ req ] | |
| default_bits = 4096 | |
| default_md = sha512 | |
| distinguished_name = req_distinguished_name | |
| string_mask = utf8only | |
| attributes = req_attributes | |
| x509_extensions = v3_ca | |
| [ req_distinguished_name ] | |
| countryName = Country Name (2 letter code) | |
| countryName_min = 2 | |
| countryName_max = 2 | |
| stateOrProvinceName = State or Province Name (full name) | |
| localityName = Locality Name (city, district) | |
| 0.organizationName = Organization Name (company) | |
| organizationalUnitName = Organizational Unit Name (department, division) | |
| commonName = Common Name (hostname, IP, or your name) | |
| commonName_max = 64 | |
| emailAddress = Email Address | |
| emailAddress_max = 64 | |
| [ req_attributes ] | |
| [ v3_ca ] | |
| basicConstraints = critical, CA:TRUE | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always | |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
| subjectAltName = email:move | |
| [ crl_ext ] | |
| authorityKeyIdentifier = keyid:always | |
| [ ocsp ] | |
| basicConstraints = CA:FALSE | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid | |
| keyUsage = critical, digitalSignature | |
| extendedKeyUsage = critical, OCSPSigning |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # OpenSSL configuration file. | |
| # | |
| HOME = . | |
| dir = $HOME/CA/intermediate | |
| #################################################################### | |
| [ ca ] | |
| default_ca = CA_default | |
| [ CA_default ] | |
| certificate = $dir/certs/blacklakeca.cert.pem | |
| private_key = $dir/private/blacklakeca.key.pem | |
| certs = $dir/certs | |
| new_certs_dir = $dir/newcerts | |
| database = $dir/index.txt | |
| serial = $dir/serial | |
| RANDFILE = $dir/private/.rand | |
| crl_dir = $dir/crl | |
| crlnumber = $dir/crlnumber | |
| crl = $crl_dir/blacklakeca.crl | |
| crl_extensions = crl_ext | |
| default_crl_days = 30 | |
| default_md = sha512 | |
| nameopt = ca_default | |
| certopt = ca_default | |
| default_days = 365 | |
| preserve = no | |
| policy = policy_loose | |
| email_in_dn = no | |
| unique_subject = no | |
| [ policy_loose ] | |
| countryName = optional | |
| stateOrProvinceName = optional | |
| localityName = optional | |
| organizationName = optional | |
| organizationalUnitName = optional | |
| commonName = supplied | |
| emailAddress = optional | |
| #################################################################### | |
| [ req ] | |
| default_bits = 4096 | |
| default_md = sha512 | |
| distinguished_name = req_distinguished_name | |
| string_mask = utf8only | |
| attributes = req_attributes | |
| x509_extensions = server_cert | |
| [ req_distinguished_name ] | |
| countryName = Country Name (2 letter code) | |
| countryName_min = 2 | |
| countryName_max = 2 | |
| stateOrProvinceName = State or Province Name (full name) | |
| localityName = Locality Name (city, district) | |
| 0.organizationName = Organization Name (company) | |
| organizationalUnitName = Organizational Unit Name (department, division) | |
| commonName = Common Name (hostname, IP, or your name) | |
| commonName_max = 64 | |
| emailAddress = Email Address | |
| emailAddress_max = 64 | |
| [ req_attributes ] | |
| [ server_cert ] | |
| basicConstraints = CA:FALSE | |
| nsCertType = server | |
| nsComment = "OpenSSL Generated Server Certificate" | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid | |
| keyUsage = critical, digitalSignature, keyEncipherment | |
| extendedKeyUsage = serverAuth | |
| subjectAltName = @alt_names | |
| [alt_names] | |
| DNS.1 = stratus.attlocal.net | |
| DNS.2 = stratus | |
| IP.1 = ${ENV::SUBJ_IP} | |
| [ crl_ext ] | |
| authorityKeyIdentifier = keyid:always | |
| [ ocsp ] | |
| basicConstraints = CA:FALSE | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid | |
| keyUsage = critical, digitalSignature | |
| extendedKeyUsage = critical, OCSPSigning |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Run: ./setup_blacklakeca.sh | |
| # will run in user's home dir | |
| cd /home/$(whoami) | |
| casubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=CertMan/CN=blacklakeca/[email protected]' | |
| SRC='/vagrant/client_files' | |
| CAint='CA/intermediate' | |
| # Install configuration file | |
| cp $SRC'/openssl/CA/blacklakeca.cnf' $CAint'/blacklakeca.cnf' | |
| chmod 644 $CAint'/blacklakeca.cnf' | |
| # Build the intermediate CA certificate | |
| printf "\n========= Build intermediate CA with blacklakeca.cnf ==========\n" | |
| # Generate intermediate CA csr | |
| # Also creates and saves private key. Unencrypted! | |
| printf "========= blacklakeca csr with blacklakeca.cnf ==========\n" | |
| openssl req -new -subj $casubj \ | |
| -nodes -sha512 \ | |
| -keyout $CAint'/private/blacklakeca.key.pem' \ | |
| -config $CAint'/blacklakeca.cnf' \ | |
| -out $CAint'/csr/blacklakeca.csr.pem' | |
| # Make intermediate CA private key read-only by current user | |
| chmod 400 $CAint'/private/blacklakeca.key.pem' | |
| # Generate the intermediate CA certificate - valid 3 yrs | |
| printf "======= Sign blacklakeca csr with rootca cert => blacklakeca cert ======\n" | |
| openssl ca -in $CAint'/csr/blacklakeca.csr.pem' \ | |
| -keyfile 'CA/private/rootca.key.pem' \ | |
| -cert 'CA/certs/rootca.cert.pem' \ | |
| -config $CAint'/blacklakeca.cnf' \ | |
| -extensions 'v3_intermediate_ca' \ | |
| -notext \ | |
| -out $CAint'/certs/blacklakeca.cert.pem' | |
| # Make intermediate CA certificate read-only by all users | |
| chmod 444 $CAint'/certs/blacklakeca.cert.pem' | |
| # Show the intermediate CA certificate | |
| openssl x509 -noout -text \ | |
| -in $CAint'/certs/blacklakeca.cert.pem' | |
| openssl verify -CAfile 'CA/certs/rootca.cert.pem' \ | |
| $CAint'/certs/blacklakeca.cert.pem' | |
| # Cert chain | |
| cat $CAint'/certs/blacklakeca.cert.pem' \ | |
| 'CA/certs/rootca.cert.pem' > $CAint'/certs/blacklakeca-chain.cert.pem' | |
| chmod 444 $CAint'/certs/blacklakeca-chain.cert.pem' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Run: ./setup_rootca.sh | |
| # will run in user's home dir | |
| cd /home/$(whoami) | |
| casubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=CertMan/CN=rootca/[email protected]' | |
| SRC='/vagrant/client_files' | |
| # Install configuration file | |
| cp $SRC'/openssl/CA/rootca.cnf' 'CA/rootca.cnf' | |
| chmod 644 'CA/rootca.cnf' | |
| # Build the root CA certificate | |
| printf "========= Building root CA with rootca.cnf ==========\n" | |
| openssl req -new -subj $casubj \ | |
| -nodes -newkey rsa:4096 \ | |
| -keyout 'CA/private/rootca.key.pem' \ | |
| -x509 \ | |
| -config 'CA/rootca.cnf' \ | |
| -extensions 'v3_ca' \ | |
| -out 'CA/certs/rootca.cert.pem' | |
| # Make root CA certificate read only by all users | |
| chmod 444 'CA/certs/rootca.cert.pem' | |
| # Show the rootca cert | |
| openssl x509 -noout -text \ | |
| -in 'CA/certs/rootca.cert.pem' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Run: ./stratus_server_cert.sh | |
| # will run in user's home dir | |
| cd /home/$(whoami) | |
| servsubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=Apps/CN=stratus' | |
| SRC='/vagrant/client_files' | |
| CAint='CA/intermediate' | |
| # Install configuration file | |
| cp $SRC'/openssl/CA/server.cnf' $CAint'/server.cnf' | |
| chmod 644 $CAint'/server.cnf' | |
| # Build Server Certificate | |
| printf "========= Server certificate with server.cnf ==========\n" | |
| # Generate Server csr | |
| # Also creates and saves private key. Unencrypted! | |
| printf "========= Server csr with server.cnf ==========\n" | |
| openssl req -new -subj $servsubj \ | |
| -nodes -sha512 \ | |
| -keyout $CAint'/private/stratus.key.pem' \ | |
| -config $CAint'/server.cnf' \ | |
| -out $CAint'/csr/stratus.csr.pem' | |
| # Make Server private key read-only by current user | |
| chmod 400 $CAint'/private/stratus.key.pem' | |
| # Generate the Server certificate - valid 1 year | |
| printf "========= Use blacklake CA to generate Server cert ==========\n" | |
| openssl ca -in $CAint'/csr/stratus.csr.pem' \ | |
| -keyfile $CAint'/private/blacklakeca.key.pem' \ | |
| -cert $CAint'/certs/blacklakeca.cert.pem' \ | |
| -config $CAint'/server.cnf' \ | |
| -extensions 'server_cert' \ | |
| -notext \ | |
| -out $CAint'/certs/stratus.cert.pem' | |
| # Make Server certificate read-only by all users | |
| chmod 444 $CAint'/certs/stratus.cert.pem' | |
| # Show the Server certificate | |
| openssl x509 -noout -text \ | |
| -in $CAint'/certs/stratus.cert.pem' | |
| openssl verify -CAfile $CAint'/certs/blacklakeca-chain.cert.pem' \ | |
| $CAint'/certs/stratus.cert.pem' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment