Certificates Generator

Certificate Generator

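# Build products of the certificate Makefile (this file appears to be the
# gist's .gitignore). Everything listed is key material or derived from it.
# *.p12 bundles carry the private keys and pkcs12_password is the default
# export-password file, so they are excluded as well.
*.srl
*.pem
*.csr
*.csx
*.p12
pkcs12_password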
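#
# Certificates Generator
#
# Creates a self-signed development CA ("OreOre" = home-made) plus one server
# and one client certificate issued by it; the *-pkcs12 targets additionally
# bundle each key+certificate as PKCS#12. All private keys are written
# unencrypted, so keep the working directory out of version control and off
# shared hosts.
#
# Every variable below can be overridden on the command line, e.g.
#   make EC=1 SERVER=api SAN="DNS:api.example.test, IP:10.0.0.5" server-cert
# Comments are kept on their own lines on purpose: trailing text on an
# assignment line would become part of the value.
#
# RSA modulus length in bits; ignored when EC is non-zero.
BIT ?= 2048
# Non-zero: generate ECDSA keys on the EC_NAME curve instead of RSA.
EC ?= 0
EC_NAME ?= prime256v1
# Subject DNs. TLS clients match the server's subjectAltName, not its CN.
CA_SUBJECT ?= "/CN=OreOre CA/C=JP/ST=Tokyo/O=OreOre"
SERVER_SUBJECT ?= "/CN=Server Certificate/C=JP/ST=Tokyo/O=OreOre"
CLIENT_SUBJECT ?= "/CN=Client Certificate/C=JP/ST=Tokyo/O=OreOre"
# Validity of every certificate issued (CA, server and client alike).
DAYS ?= 365
# CA file names, all derived from the base name CA.
CA ?= ca
CA_KEY ?= $(CA)-key.pem
CA_CSR ?= $(CA).csr
CA_EXT ?= $(CA).csx
CA_CERT ?= $(CA).pem
CA_P12 ?= $(CA).p12
# Server file names and its subjectAltName list (OpenSSL syntax; the value is
# quoted because it contains a space).
SERVER ?= server
SERVER_KEY ?= $(SERVER)-key.pem
SERVER_CSR ?= $(SERVER).csr
SERVER_EXT ?= $(SERVER).csx
SERVER_CERT ?= $(SERVER).pem
SERVER_P12 ?= $(SERVER).p12
SAN ?= "DNS:localhost, IP:127.0.0.1"
# Client file names.
CLIENT ?= client
CLIENT_KEY ?= $(CLIENT)-key.pem
CLIENT_CSR ?= $(CLIENT).csr
CLIENT_EXT ?= $(CLIENT).csx
CLIENT_CERT ?= $(CLIENT).pem
CLIENT_P12 ?= $(CLIENT).p12
# PATH of a file whose first line is the PKCS#12 export password (it is handed
# to openssl as "-password file:..."). This Makefile never creates it; create
# it yourself, owner-readable only, e.g.:
#   (umask 077; openssl rand -base64 24 > pkcs12_password)
P12_PASSWORD ?= pkcs12_password
# Serial-number file maintained by "openssl x509 -CAcreateserial". OpenSSL
# names it <CA cert basename>.srl; the earlier ".crl" suffix here was a typo
# (a CRL is something else) and meant the "test -f" checks in the signing
# rules never matched.
CA_SERIAL := $(basename $(CA_CERT)).srl
SHELL := bash
# Each recipe runs as ONE bash script (the heredocs below depend on it). With
# .ONESHELL only the last command's status reaches make, so -e is required for
# a failing openssl call to fail its target; -u/pipefail catch the rest.
# (.ONESHELL and .SHELLFLAGS both need GNU make >= 3.82.)
.ONESHELL:
.SHELLFLAGS := -eu -o pipefail -c
# Drop a half-written key/cert/bundle when its recipe fails, so a broken file
# is never taken as up to date on the next run.
.DELETE_ON_ERROR:
# "make" with no target prints the help below.
.DEFAULT_GOAL := help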
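.PHONY: help
# Self-documenting help: every "target: ... ## text" line of this Makefile is
# listed with its text. /dev/null is passed to grep so it always prefixes the
# file name, which keeps the awk field positions ($(NF-2) = target) stable.
help: ## Display this help
	@echo "Targets:"
	grep -E '^[a-zA-Z_-][a-zA-Z0-9_/-]+:.*?## .*$$' /dev/null $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":|## "}; {printf " %-20s %s\n", $$(NF-2), $$NF}'
	echo ""
	echo "Variables:"
	echo " EC=$(EC) EC_NAME=$(EC_NAME): Generate Key as ECDSA($(EC_NAME)) instead of RSA if the value is not 0"
	echo " BIT=$(BIT) : Specify RSA Key bits length"
	echo " DAYS=$(DAYS) : Validity in days of every certificate issued"
	echo " CA=$(CA) : Specify CA base name"
	echo " CA_KEY=$(CA_KEY) : CA private key"
	echo " CA_CERT=$(CA_CERT) : CA Certificate file"
	echo " CA_SUBJECT=$(CA_SUBJECT)"
	echo " SERVER=$(SERVER) : Specify Server Certificate base name"
	echo " SERVER_KEY=$(SERVER_KEY) : Server private key"
	echo " SERVER_CERT=$(SERVER_CERT) : Server Certificate file"
	echo " SERVER_SUBJECT=$(SERVER_SUBJECT)"
	echo " SAN=$(SAN)"
	echo " CLIENT=$(CLIENT) : Specify Client Certificate base name"
	echo " CLIENT_KEY=$(CLIENT_KEY) : Client private key"
	echo " CLIENT_CERT=$(CLIENT_CERT) : Client Certificate file"
	echo " CLIENT_SUBJECT=$(CLIENT_SUBJECT)"
	echo " P12_PASSWORD=$(P12_PASSWORD) : File whose first line is the PKCS12 export password (must exist for the *-pkcs12 targets)"
	echo ""
	echo "Example:"
	echo " 1. Generate CA with ECDSA key"
	echo " $$ make EC=1 ca"
	echo " 2. Generate CA with RSA 4096 bit"
	echo " $$ make BIT=4096 ca"
	echo " 3. Generate Server Certificate as \"foo\" name"
	echo " $$ make SERVER=foo server-cert"
	echo " 4. Export the server key and certificate as PKCS12 (needs the P12_PASSWORD file)"
	echo " $$ make server-pkcs12"
	echo ""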
.PHONY: all
# Builds the CA first, then the server and client certificates. Both leaf
# issuances read and rewrite the CA serial file, so run this target without
# -j: parallel issuance could race on that file and hand out the same serial.
all: ca server-cert client-cert ## Generate All Certificates (CA, Server and Client)
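.PHONY: clean/ca
# Also removes the serial counter that "openssl x509 -CAcreateserial" keeps
# next to the CA certificate, so a regenerated CA does not carry on with the
# previous CA's serial file.
clean/ca: ## Remove CA files
	@rm -vf $(CA_KEY) $(CA_CSR) $(CA_EXT) $(CA_CERT) $(CA_P12) $(CA_SERIAL)
.PHONY: clean/server
clean/server: ## Remove server files
	@rm -vf $(SERVER_KEY) $(SERVER_CSR) $(SERVER_EXT) $(SERVER_CERT) $(SERVER_P12)
.PHONY: clean/client
clean/client: ## Remove client files
	@rm -vf $(CLIENT_KEY) $(CLIENT_CSR) $(CLIENT_EXT) $(CLIENT_CERT) $(CLIENT_P12)
.PHONY: clean
# Leaves $(P12_PASSWORD) alone: it is user-supplied, not a build product.
clean: clean/server clean/client clean/ca ## Remove all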
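# -----------------------------------------------------------------------------
# Private Keys
# -----------------------------------------------------------------------------
# One recipe serves all three keys; each invocation writes only $@.
# EC=0 -> RSA of $(BIT) bits, otherwise ECDSA on the $(EC_NAME) curve (the
# curve used to be hard-coded to prime256v1 here, silently ignoring EC_NAME).
# -noout keeps the redundant "EC PARAMETERS" block out of the key file.
# Keys are written unencrypted, so the umask makes them owner-only; newer
# OpenSSL already creates private-key outputs 0600, the umask makes that
# explicit and independent of the OpenSSL build.
$(CA_KEY) $(SERVER_KEY) $(CLIENT_KEY):
ifeq ($(EC),0)
	@echo "πŸš€ Generate private key (RSA): $@"
	umask 077
	openssl genrsa -out $@ $(BIT)
else
	@echo "πŸš€ Generate private key (ECDSA): $@"
	umask 077
	openssl ecparam -genkey -name $(EC_NAME) -noout -out $@
endif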
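# -----------------------------------------------------------------------------
# CA
# -----------------------------------------------------------------------------
.PHONY: ca
# Build the CA certificate if needed, then dump it in yellow. The EXIT trap
# resets the colour even when openssl fails, so openssl is the last command
# and its exit status reaches make instead of being masked by the trailing
# echo (with .ONESHELL only the last command's status counts).
ca: $(CA_CERT) ## Generate CA Certificate and show
	@echo "========== CA Certificate: $< =========="
	trap 'echo -ne "\e[0m"' EXIT
	echo -ne "\e[33m"
	openssl x509 -in $< -text -noout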
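.SECONDARY: $(CA_CSR)
# The CSR depends on the configurable $(CA_KEY); the hard-coded "ca-key.pem"
# used here before broke any CA=... override with "No rule to make target".
# -nodes was dropped: it only affects keys created by -newkey, and this rule
# signs the request with an existing key.
$(CA_CSR): $(CA_KEY)
	@echo "πŸš€ Generate CA CSR: $@"
	openssl req -new -key $< -subj $(CA_SUBJECT) -out $@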
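.SECONDARY: $(CA_EXT)
# x509v3 extensions for the self-signed CA. keyUsage is marked critical, as
# RFC 5280 recommends for CAs, and pathlen:0 states that this CA only issues
# end-entity certificates (all this Makefile ever does), so nothing it signs
# can be used as an intermediate CA. The file is .SECONDARY: after editing
# this heredoc run "make clean/ca" so it is regenerated.
$(CA_EXT):
	@echo "πŸš€ Generate CA x509 v3 extension file: $@"
	cat <<-EOF > $@
	basicConstraints = critical, CA:TRUE, pathlen:0
	keyUsage = critical, cRLSign, keyCertSign
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer
	EOF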
# Self-sign the CA request with the CA key (first prerequisite), applying the
# CA extension file; valid for $(DAYS) days. Rebuilt whenever key, CSR or
# extension file is newer than the certificate.
$(CA_CERT): $(CA_KEY) $(CA_CSR) $(CA_EXT)
	@echo "πŸš€ Generate CA Certificate: $@"
	openssl x509 -req \
		-in $(CA_CSR) -signkey $< -extfile $(CA_EXT) \
		-days $(DAYS) -out $@
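.PHONY: ca-pkcs12
# Export (if needed) and inspect the CA bundle. -nokeys replaces -nodes so the
# dump shows the bundle info and certificate but does not print the CA private
# key in clear to the terminal or a CI log (the key is still inside the .p12).
# The EXIT trap resets the colour even on failure, so openssl's exit status is
# not masked by a trailing echo.
ca-pkcs12: $(CA_P12) ## Export CA Certificates as PKCS12 format
	@echo "========== CA Certificate (PKCS12): $< =========="
	trap 'echo -ne "\e[0m"' EXIT
	echo -ne "\e[33m"
	openssl pkcs12 -info -in $< -nokeys -password file:$(P12_PASSWORD)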
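# Bundle the CA key and certificate as PKCS#12 (duplicate $(CA_CERT)
# prerequisite removed). The bundle contains the private key, so it is created
# owner-only. $(P12_PASSWORD) must be an existing file whose first line is the
# password; make stops with "No rule to make target" if it is missing.
$(CA_P12): $(CA_CERT) $(CA_KEY) $(P12_PASSWORD)
	@echo "πŸš€ Export CA Certificate as PKCS12: $@"
	umask 077
	openssl pkcs12 -export -inkey $(CA_KEY) -in $(CA_CERT) -password file:$(P12_PASSWORD) -out $@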
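# -----------------------------------------------------------------------------
# SERVER
# -----------------------------------------------------------------------------
.PHONY: server-cert
# Issue the server certificate if needed, then dump it in yellow. The EXIT trap
# resets the colour even when openssl fails, so openssl stays the last command
# and its exit status reaches make instead of being masked by a trailing echo.
server-cert: $(SERVER_CERT) ## Generate Server Certificate and show
	@echo "========== Server Certificate: $< =========="
	trap 'echo -ne "\e[0m"' EXIT
	echo -ne "\e[33m"
	openssl x509 -in $< -text -noout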
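.SECONDARY: $(SERVER_CSR)
# Request for the server certificate, regenerated when the key changes.
# -nodes was dropped: it only affects keys created by -newkey, and this rule
# signs the request with the existing $(SERVER_KEY).
$(SERVER_CSR): $(SERVER_KEY)
	@echo "πŸš€ Generate Server CSR: $@"
	openssl req -new -key $< -subj $(SERVER_SUBJECT) -out $@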
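.SECONDARY: $(SERVER_EXT)
# x509v3 extensions for the server certificate. keyEncipherment is only
# meaningful for RSA keys (TLS <= 1.2 RSA key exchange); RFC 5480/8813 rule it
# out for EC keys, so it is emitted only when EC=0. subjectAltName is what TLS
# clients match against, so $(SAN) must list every host name / IP the server
# is reached by. The file is .SECONDARY: after editing this heredoc run
# "make clean/server" so it is regenerated.
$(SERVER_EXT):
	@echo "πŸš€ Generate Server x509 v3 extension file: $@"
	cat <<-EOF > $@
	basicConstraints = CA:FALSE
ifeq ($(EC),0)
	keyUsage = digitalSignature, keyEncipherment
else
	keyUsage = digitalSignature
endif
	extendedKeyUsage = serverAuth
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid, issuer
	subjectAltName = $(SAN)
	EOF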
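# Sign the server CSR with the CA. -CAcreateserial creates $(CA_SERIAL) on the
# first issuance and otherwise reads and increments it, so the former
# "test -f" branch is unnecessary. $(CA_KEY) is a prerequisite only to force
# re-issuance after the CA is regenerated. Server and client issuance both
# rewrite the serial file, so do not run them in parallel (make -j).
$(SERVER_CERT): $(SERVER_KEY) $(CA_CERT) $(CA_KEY) $(SERVER_CSR) $(SERVER_EXT)
	@echo "πŸš€ Generate Server Certificate: $@"
	openssl x509 -req -days $(DAYS) \
		-CA $(CA_CERT) -CAkey $(CA_KEY) -CAserial $(CA_SERIAL) -CAcreateserial \
		-in $(SERVER_CSR) -extfile $(SERVER_EXT) -out $@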
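.PHONY: server-pkcs12
# Export (if needed) and inspect the server bundle. -nokeys replaces -nodes so
# the dump shows the bundle info and certificates but does not print the
# server private key in clear to the terminal or a CI log (the key is still
# inside the .p12). The EXIT trap resets the colour even on failure, so
# openssl's exit status is not masked by a trailing echo.
server-pkcs12: $(SERVER_P12) ## Export Server Certificates as PKCS12 format
	@echo "========== Server Certificate (PKCS12): $< =========="
	trap 'echo -ne "\e[0m"' EXIT
	echo -ne "\e[33m"
	openssl pkcs12 -info -in $< -nokeys -password file:$(P12_PASSWORD)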
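# Bundle the server key and certificate plus the CA certificate as PKCS#12.
# -certfile actually adds the CA certificate to the bundle; the former -CAfile
# only names a trust store for -chain, which was never given, so the bundle
# shipped without the CA. The bundle contains the private key, so it is
# created owner-only. $(P12_PASSWORD) must be an existing file whose first
# line is the password.
$(SERVER_P12): $(SERVER_CERT) $(SERVER_KEY) $(CA_CERT) $(P12_PASSWORD)
	@echo "πŸš€ Export Server Certificate as PKCS12: $@"
	umask 077
	openssl pkcs12 -export -inkey $(SERVER_KEY) -in $(SERVER_CERT) -certfile $(CA_CERT) -password file:$(P12_PASSWORD) -out $@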
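# -----------------------------------------------------------------------------
# Client
# -----------------------------------------------------------------------------
.PHONY: client-cert
# Issue the client certificate if needed, then dump it in yellow. The EXIT trap
# resets the colour even when openssl fails, so openssl stays the last command
# and its exit status reaches make instead of being masked by a trailing echo.
client-cert: $(CLIENT_CERT) ## Generate Client Certificate and show
	@echo "========== Client Certificate: $< =========="
	trap 'echo -ne "\e[0m"' EXIT
	echo -ne "\e[33m"
	openssl x509 -in $< -text -noout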
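.SECONDARY: $(CLIENT_CSR)
# Request for the client certificate, regenerated when the key changes.
# -nodes was dropped: it only affects keys created by -newkey, and this rule
# signs the request with the existing $(CLIENT_KEY).
$(CLIENT_CSR): $(CLIENT_KEY)
	@echo "πŸš€ Generate Client CSR: $@"
	openssl req -new -key $< -subj $(CLIENT_SUBJECT) -out $@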
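.SECONDARY: $(CLIENT_EXT)
# x509v3 extensions for the client (mutual-TLS) certificate. Client
# authentication only needs digitalSignature (the client signs the TLS
# CertificateVerify message); the former keyAgreement bit is defined for
# (EC)DH keys and was meaningless on the RSA keys generated by default, so it
# was dropped. The file is .SECONDARY: after editing this heredoc run
# "make clean/client" so it is regenerated.
$(CLIENT_EXT):
	@echo "πŸš€ Generate Client x509 v3 extension file: $@"
	cat <<-EOF > $@
	basicConstraints = CA:FALSE
	keyUsage = digitalSignature
	extendedKeyUsage = clientAuth
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid, issuer
	EOF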
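# Sign the client CSR with the CA. -CAcreateserial creates $(CA_SERIAL) on the
# first issuance and otherwise reads and increments it, so the former
# "test -f" branch is unnecessary. $(CA_KEY) is a prerequisite only to force
# re-issuance after the CA is regenerated. Server and client issuance both
# rewrite the serial file, so do not run them in parallel (make -j).
$(CLIENT_CERT): $(CLIENT_KEY) $(CA_CERT) $(CA_KEY) $(CLIENT_CSR) $(CLIENT_EXT)
	@echo "πŸš€ Generate Client Certificate: $@"
	openssl x509 -req -days $(DAYS) \
		-CA $(CA_CERT) -CAkey $(CA_KEY) -CAserial $(CA_SERIAL) -CAcreateserial \
		-in $(CLIENT_CSR) -extfile $(CLIENT_EXT) -out $@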
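.PHONY: client-pkcs12
# Export (if needed) and inspect the client bundle. -nokeys replaces -nodes so
# the dump shows the bundle info and certificates but does not print the
# client private key in clear to the terminal or a CI log (the key is still
# inside the .p12). The EXIT trap resets the colour even on failure, so
# openssl's exit status is not masked by a trailing echo.
client-pkcs12: $(CLIENT_P12) ## Export Client Certificates as PKCS12 format
	@echo "========== Client Certificate (PKCS12): $< =========="
	trap 'echo -ne "\e[0m"' EXIT
	echo -ne "\e[33m"
	openssl pkcs12 -info -in $< -nokeys -password file:$(P12_PASSWORD)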
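# Bundle the client key and certificate plus the CA certificate as PKCS#12.
# -certfile actually adds the CA certificate to the bundle; the former -CAfile
# only names a trust store for -chain, which was never given, so the bundle
# shipped without the CA. The bundle contains the private key, so it is
# created owner-only. $(P12_PASSWORD) must be an existing file whose first
# line is the password.
$(CLIENT_P12): $(CLIENT_CERT) $(CLIENT_KEY) $(CA_CERT) $(P12_PASSWORD)
	@echo "πŸš€ Export Client Certificate as PKCS12: $@"
	umask 077
	openssl pkcs12 -export -inkey $(CLIENT_KEY) -in $(CLIENT_CERT) -certfile $(CA_CERT) -password file:$(P12_PASSWORD) -out $@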