Generate your own CA and sign certs fast. (maybe I should rename it to "not-so-easy-rsa" or "hardcore-rsa"?)
Works under macOS and (generic) Linux. Depends on `dialog(1)`:

```sh
brew install dialog   # macOS
apt install dialog    # Debian/Ubuntu
```
Then clone this repo.

First copy `config.template.sh` to `config.sh` and change the settings as you wish.

Execute all the following lines under this directory; do not `cd` elsewhere.

```sh
./00-prepare-ca.sh
```
If you need extra configuration for OpenSSL, now edit `$SELFCA_ROOT/openssl.cnf`.

To enable a CRL for the Root CA, add the following line to the `v3_intermediate_ca` section of `$SELFCA_ROOT/openssl.cnf` (replace the URL with the location where you will actually publish the CRL):

```
crlDistributionPoints = URI:http://example.com/root.crl.pem
```

You will be asked for the Root CA key pass phrase twice.

```sh
./01-create-ca.sh
```
```sh
./02-prepare-intermediate.sh
```

If you need extra configuration for OpenSSL, now edit `$SELFCA_ROOT/$INTERMEDIATE_CERT_NAME/openssl.conf`.

To enable a CRL for the Intermediate CA, add the following line to both the `user_cert` and the `server_cert` section of `$SELFCA_ROOT/$INTERMEDIATE_CERT_NAME/openssl.conf` (again, use the URL where the CRL will really be published):

```
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
```

You will be asked for the Intermediate CA key pass phrase twice, then the Root CA key pass phrase once. You should then be asked whether it is OK to sign; if that prompt never appears, OpenSSL failed to generate the key or the CSR.

```sh
./03-create-intermediate.sh
```
Using `www.example.com` as the example domain.

Note: to do this on the web server itself (so the private key never leaves it), package this repo and the `$SELFCA_ROOT` folder together, omitting any key file (extension `.key.pem`), and put them on the web server.

```sh
./04-create-private-key-and-csr.sh /path/to/your/ssl/key/www.example.com
```

This will generate 2 files, `www.example.com.key.pem` and `www.example.com.csr.pem`, under the folder `/path/to/your/ssl/key/`.

Note: if your private key was generated on another machine, transfer only `www.example.com.csr.pem` back to the machine where the Intermediate CA keys exist; the key file stays where it was generated.

You will be asked whether it is OK to sign. If that prompt never appears, OpenSSL failed to generate the key or the CSR.

```sh
./05-sign-cert.sh www.example.com.csr.pem www.example.com.cert.pem 365
```

This will generate `www.example.com.cert.pem`.
```sh
cat www.example.com.cert.pem $SELFCA_ROOT/$INTERMEDIATE_CERT_NAME/certs/$INTERMEDIATE_CERT_NAME-ca-chain.cert.pem > chain.cert.pem
```

Use `chain.cert.pem` as the certificate file and `www.example.com.key.pem` as the certificate key.
If you only enabled a CRL for one CA, you only need to run the corresponding command. If you didn't set up a CRL at all, you can safely skip this section.

```sh
./06-create-ca-crl.sh
./07-create-intermediate-crl.sh
```

CRLs are signed with the corresponding CA private keys, so you will need to input the pass phrases.

Get the CRL files from `$SELFCA_ROOT/crl/` and `$SELFCA_ROOT/$INTERMEDIATE_CERT_NAME/crl` and put them at the locations the `crlDistributionPoints` URLs point to.
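The checks below are an added example and not part of this repo's scripts: it builds a throwaway root, intermediate and leaf with plain `openssl(1)` (using its own minimal config in place of the repo's `openssl.cnf`, with assumed names such as `root.crt`, `int.crt`, `leaf.crt` and `chain.pem`), then verifies what the `chain.cert.pem` step above relies on, namely that the chain validates up to the root cert you distribute, that the leaf comes first in the chain file, that the key really belongs to the certificate, and that the `crlDistributionPoints` extension was emitted. It also issues a CRL from the intermediate, revokes the leaf and shows `openssl verify -crl_check` rejecting it, which is the check to run on the CRL files you publish.

```shell
#!/bin/sh
# Added example, not part of the selfca scripts: builds a throwaway
# root -> intermediate -> leaf PKI with plain openssl(1), runs the checks
# an operator wants before deploying chain.cert.pem plus the key, and
# shows a CRL issued by the intermediate revoking the leaf.
set -eu

# Minimal OpenSSL config (assumed here in place of the repo's openssl.cnf).
write_cnf() {
  cat >"$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
[ca]
default_ca = intermediate
[intermediate]
database = ./index.txt
crlnumber = ./crlnumber
private_key = ./int.key
certificate = ./int.crt
default_md = sha256
default_crl_days = 30
EOF
}

# Create root, intermediate and a leaf for www.example.com in directory $1.
make_demo_pki() {
  write_cnf "$1"
  ( cd "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj /CN=Demo-Root -days 2 \
      -config pki.cnf -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate \
      -config pki.cnf -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile pki.cnf -extensions ca_ext -out int.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=www.example.com \
      -config pki.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 1 -extfile pki.cnf -extensions server_ext -out leaf.crt 2>/dev/null
    cat leaf.crt int.crt >chain.pem      # same order as the README: leaf first
    : >index.txt; echo 01 >crlnumber )   # empty CA database for openssl ca
}

# verify_bundle LEAF CHAIN KEY ROOT: 0 if deployable, else a code per check.
verify_bundle() {
  # 1. the chain validates up to the root cert that clients will trust
  openssl verify -CAfile "$4" -untrusted "$2" "$1" >/dev/null 2>&1 || return 1
  # 2. the first cert in the chain file is the leaf (servers require this)
  [ "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" ] || return 2
  # 3. the private key belongs to the certificate
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] || return 3
  # 4. a CRL distribution point was actually emitted into the leaf
  openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points' || return 4
}

# leaf_needs_chain LEAF ROOT: 0 when the leaf alone does not validate,
# i.e. the intermediate really is in the path and chain.cert.pem is required.
leaf_needs_chain() { ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Issue a CRL from the intermediate, revoke the leaf, then issue a new CRL.
revoke_and_crl() {
  ( cd "$1"
    openssl ca -config pki.cnf -gencrl -out crl-before.pem 2>/dev/null
    openssl ca -config pki.cnf -revoke leaf.crt 2>/dev/null
    openssl ca -config pki.cnf -gencrl -out crl-after.pem 2>/dev/null )
}

# accepted_with_crl LEAF CHAIN ROOT CRL: 0 if still accepted, 1 if revoked.
accepted_with_crl() {
  openssl verify -crl_check -CAfile "$3" -untrusted "$2" -CRLfile "$4" "$1" >/dev/null 2>&1
}

run_demo() {
  d=$(mktemp -d); make_demo_pki "$d"
  verify_bundle "$d/leaf.crt" "$d/chain.pem" "$d/leaf.key" "$d/root.crt" && echo "bundle: OK"
  revoke_and_crl "$d"
  accepted_with_crl "$d/leaf.crt" "$d/chain.pem" "$d/root.crt" "$d/crl-after.pem" \
    || echo "leaf: revoked by intermediate CRL"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then run_demo; fi
```

Run it as `sh check-chain.sh demo`. To apply the same checks to the real output of this repo, call `verify_bundle www.example.com.cert.pem chain.cert.pem www.example.com.key.pem $SELFCA_ROOT/ca/root.cert.pem`; a non-zero return tells you which of the four checks failed before a client ever sees the misconfiguration.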
Distribute `$SELFCA_ROOT/ca/root.cert.pem` to PCs and install it as a trusted root certificate. (You may need to change the extension to `.crt` for better compatibility.)
If any step failed, check: