first commit

Author: Craig Hicks

README.md

@@ -0,0 +1 @@
+# private-CA-script

ca.sh

@@ -0,0 +1,163 @@
+#!/bin/bash
+
+set -euo pipefail
+
+
+ca_build()
+(
+
+    function finish {
+        # Your cleanup code here
+        echo "finish"
+        exit 0
+    }
+    trap finish EXIT
+
+    
+
+    local CaRoot=/root/ca
+    local Imed=/root/ca/intermediate
+    local ScriptDir=/root/ca-scripts
+
+    echo_script()
+    {
+        while read line; do
+            if [[ -z $line ]]; then continue; fi
+            echo ">>>>>>"
+            echo ">>>>>> $line"
+            eval "$line"
+            rc=$?
+            if [[ $rc -ne 0 ]]; then
+                echo "ERROR $rc stop processing"
+                return 1
+            fi
+        done
+    }
+
+
+    uninstall()
+    {
+        rm -rf $CaRoot
+    }
+
+    init_ca()
+    {
+        mkdir $CaRoot
+        cd $CaRoot
+        cp $ScriptDir/openssl-ca.cnf .
+        mkdir certs crl newcerts private
+        chmod 700 private
+        touch index.txt
+        tree $CaRoot
+        # echo 1000 > serial
+    }
+
+    init_intermediate()
+    {
+        mkdir -p $Imed
+        cd $Imed
+        cp $ScriptDir/openssl-intermediate.cnf .
+        mkdir certs crl csr newcerts private
+        chmod 700 private
+        touch index.txt
+        tree $CaRoot
+        #echo 1000 > serial
+        #echo 1000 > /root/ca/intermediate/crlnumber
+    }
+
+    make_ca_cert()
+    {
+        echo_script <<EOF_
+openssl genrsa -out $CaRoot/private/ca.key.pem 4096 # add -aes256 for password 
+chmod 400 $CaRoot/private/ca.key.pem
+openssl req -batch -config $CaRoot/openssl-ca.cnf \
+ -key $CaRoot/private/ca.key.pem \
+ -new -x509 -days 7300 -sha256 -extensions v3_ca \
+ -out $CaRoot/certs/ca.cert.pem
+chmod 444 $CaRoot/certs/ca.cert.pem
+openssl x509 -noout -text -in $CaRoot/certs/ca.cert.pem
+EOF_
+    }
+
+    make_intermediate_cert()
+    {
+        echo_script <<EOF_
+        echo_script <<EOF_
+openssl genrsa -out $Imed/private/intermediate.key.pem 4096 # add -aes256 for password
+# Create the request
+openssl req -batch -config $Imed/openssl-intermediate.cnf -new -sha256 \
+ -key $Imed/private/intermediate.key.pem \
+ -out $Imed/csr/intermediate.csr.pem
+# Sign the certificate
+openssl ca -batch -config $CaRoot/openssl-ca.cnf -extensions v3_intermediate_ca \
+ -create_serial \
+ -days 3650 -notext -md sha256 \
+ -in $Imed/csr/intermediate.csr.pem \
+ -out $Imed/certs/intermediate.cert.pem
+chmod 444 $Imed/certs/intermediate.cert.pem
+cat $CaRoot/index.txt
+# Check details
+openssl x509 -noout -text \
+ -in $Imed/certs/intermediate.cert.pem
+# Verify chain of trust
+openssl verify -CAfile $CaRoot/certs/ca.cert.pem \
+ $Imed/certs/intermediate.cert.pem
+EOF_
+
+        cat $Imed/certs/intermediate.cert.pem \
+            $CaRoot/certs/ca.cert.pem > $Imed/certs/ca-chain.cert.pem
+        chmod 444 $Imed/certs/ca-chain.cert.pem
+    }
+
+    make_usr_cert() #arg $1: unique identifier
+    {
+        if [[ -z $1 ]]; then
+            echo "unique identifier required"
+            return 1
+        fi
+        local Id=$1
+        echo_script <<EOF_
+openssl genrsa -out $Imed/private/$Id.key.pem 2048 # -aes256 left out, no password used
+chmod 400 $Imed/private/$Id.key.pem
+openssl req -batch -config $Imed/openssl-intermediate.cnf \
+ -subj "/CN=$Id" \
+ -key $Imed/private/$Id.key.pem \
+ -new -sha256 -out $Imed/csr/$Id.csr.pem
+
+openssl ca -batch -config $Imed/openssl-intermediate.cnf \
+ -create_serial \
+ -extensions usr_cert -days 375 -notext -md sha256 \
+ -in $Imed/csr/$Id.csr.pem \
+ -out $Imed/certs/$Id.cert.pem
+chmod 444 $Imed/certs/$Id.cert.pem
+
+cat $Imed/index.txt
+
+# Check details
+openssl x509 -noout -text \
+ -in $Imed/certs/$Id.cert.pem
+
+# Verify chain of trust
+openssl verify -CAfile $Imed/certs/ca-chain.cert.pem \
+ $Imed/certs/$Id.cert.pem
+
+EOF_
+    }
+
+    test()
+    {
+        echo_script <<EOF_
+        uninstall
+        init_ca
+        make_ca_cert
+        init_intermediate
+        make_intermediate_cert
+        make_usr_cert my-client
+EOF_
+        
+    }
+
+    ${@}
+
+)
+

git-init.sh

@@ -0,0 +1,6 @@
+echo "# private-CA-script" >> README.md
+git init
+git add README.md *.sh *.cnf
+git commit -m "first commit"
+git remote add origin [email protected]:craigphicks/private-CA-script.git
+git push -u origin master

openssl-ca.cnf

@@ -0,0 +1,133 @@
+# OpenSSL root CA configuration file.
+# Copy to `/root/ca/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /root/ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = XXX
+localityName_default            =
+0.organizationName_default      = Pinder
+organizationalUnitName_default  =
+emailAddress_default            =
+commonName_default              = my.intermediate                    
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning