Create CA and CA-Signed Certificates

Create CA and CA-Signed Certificates


Create CA

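#!/bin/bash
# Create a local root CA: an RSA-4096 private key plus a self-signed X.509
# certificate, written to ./${CAPATH}/ next to this script.
# Edit the subject fields below before running.
set -eo pipefail
# Work relative to the script's own directory so the CA directory is
# created there no matter where the script is invoked from.
cd "$(dirname -- "$0")" || exit 1
##########################################################
# Shell Variable         | Explanations        |   abbr. #
#------------------------|---------------------|---------#
#  CN                    | CommonName          |   CN    #
#  COUNTRY_CODE          | CountryName         |   C     #
#  LOCALITY              | Locality            |   L     #
#  STATE_OR_PROVINCENAME | StateOrProvinceName |   S/ST  #
#  ORGANIZATION          | Organization        |   O     #
#  ORGANIZATIONALUNIT    | OrganizationalUnit  |   OU    #
#  EMAIL                 | email               |   E     #
##########################################################
CN="Local Root CA"
COUNTRY_CODE="CN"
LOCALITY="Beijing"
STATE_OR_PROVINCENAME="Beijing"
ORGANIZATION="Company Co.,Ltd."
ORGANIZATIONALUNIT="IT Unit"
EMAIL="[email protected]"
############################################################
# Output directory for CA.key / CA.cnf / CA.crt (recreated on every run).
CAPATH="CA"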


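#######################################
# Print a timestamped status line in bold green.
# Arguments: $1 - message text (printed as data, never interpreted)
# Outputs:   "[YYYY-mm-dd HH:MM:SS] <message>" to stdout
#######################################
msg() {
    local curtime
    curtime=$(date "+%Y-%m-%d %H:%M:%S")
    # printf instead of "echo -e": echo's option/escape handling is not
    # portable and would interpret backslashes inside the message itself.
    printf '\033[1;32m[%s] %s\033[0m\n' "${curtime}" "$1"
}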

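############################################################
# Start from an empty output directory. ":?" aborts if CAPATH is unset or
# empty, so this line can never degrade into "rm -rf" of the working tree.
rm -rf -- "${CAPATH:?CAPATH must be set}"
mkdir -- "${CAPATH}"

msg "Generating CA Private Key ..."
# The CA key is the trust anchor for everything signed later: create it
# with owner-only permissions instead of relying on the caller's umask.
(umask 077; openssl genrsa -out "${CAPATH}/CA.key" 4096)
openssl rsa -in "${CAPATH}/CA.key" -check -noout

# Request/certificate configuration; the subject comes from the variables
# at the top of the script, the extensions mark this certificate as a CA.
cat > "${CAPATH}/CA.cnf" <<EOF
[req]
prompt = no
default_md = sha256
default_bits = 4096
req_extensions = req_ext
distinguished_name = dn

[dn]
CN = ${CN}
C = ${COUNTRY_CODE}
L = ${LOCALITY}
ST = ${STATE_OR_PROVINCENAME}
O = ${ORGANIZATION}
OU = ${ORGANIZATIONALUNIT}
emailAddress = ${EMAIL}

[req_ext]
basicConstraints = critical,CA:TRUE
# Restrict the CA key to issuing certificates and CRLs (RFC 5280 4.2.1.3).
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF

msg "Generating Certificate ..."
# Self-signed (-x509) certificate valid for ten years.
openssl req -new -x509 -days 3650 \
  -extensions req_ext        \
  -config "${CAPATH}/CA.cnf" \
  -key "${CAPATH}/CA.key"    \
  -out "${CAPATH}/CA.crt"

openssl x509 -in "${CAPATH}/CA.crt" -noout -fingerprint -startdate -enddate -issuer -hash

#####################################################
# Verify that key and certificate belong together by comparing the RSA
# modulus of each (hashed only to keep the compared strings short).
## https://www.ibm.com/support/pages/how-verify-if-private-key-matches-certificate
KEY_MODULUS=$(openssl rsa  -noout -modulus -in "${CAPATH}/CA.key" | openssl md5)
CRT_MODULUS=$(openssl x509 -noout -modulus -in "${CAPATH}/CA.crt" | openssl md5)
if [ "${KEY_MODULUS}" == "${CRT_MODULUS}" ] ; then
  msg "Success"
else
  msg "Verification Failed !!!"
  # Make the failure visible to callers instead of exiting 0.
  exit 1
fi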

Create CA-Signed Certificates

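#!/bin/bash
# Create a CA-signed certificate for ${CN}: private key, CSR and signed
# certificate are written to ./${CN}/ next to this script, signed with the
# CA in ${CA_CRT}/${CA_KEY} (as produced by the "Create CA" script).
set -eo pipefail
# Work relative to the script's own directory so the relative CA paths
# below resolve regardless of where the script is invoked from.
cd "$(dirname -- "$0")" || exit 1
##########################################################
# Shell Variable         | Explanations        |   abbr. #
#------------------------|---------------------|---------#
#  CN                    | CommonName          |   CN    #
#  COUNTRY_CODE          | CountryName         |   C     #
#  LOCALITY              | Locality            |   L     #
#  STATE_OR_PROVINCENAME | StateOrProvinceName |   S/ST  #
#  ORGANIZATION          | Organization        |   O     #
#  ORGANIZATIONALUNIT    | OrganizationalUnit  |   OU    #
#  EMAIL                 | email               |   E     #
##########################################################
CN="cert.example.com"
COUNTRY_CODE="CN"
LOCALITY="Beijing"
STATE_OR_PROVINCENAME="Beijing"
ORGANIZATION="Company Co.,Ltd."
ORGANIZATIONALUNIT="Some Unit"
EMAIL="[email protected]"

##########################################################
# The Subject Alternative Name (SAN) is an extension to  #
# the X.509 specification that allows users to specify   #
# additional host names for a single SSL certificate.    #
# The CN itself is always included; list extra names     #
# here as bash array elements (space-separated, no       #
# commas between elements).                              #
##########################################################
#DNS=("example.com")
#DNS=("*.example.com" "a.test.com")
DNS=()

#IPS=("1.2.3.4")
#IPS=("192.168.12.12" "10.2.8.7" "172.23.0.1")
IPS=()

##########################################################
# Validity period (in days) of the signed certificate.
DAYS=3650

# CA certificate and key used to sign, relative to this script.
CA_CRT="CA/CA.crt"
CA_KEY="CA/CA.key"
##########################################################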

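#######################################
# Print a timestamped status line in bold green.
# Arguments: $1 - message text (printed as data, never interpreted)
# Outputs:   "[YYYY-mm-dd HH:MM:SS] <message>" to stdout
#######################################
msg() {
    local curtime
    curtime=$(date "+%Y-%m-%d %H:%M:%S")
    # printf instead of "echo -e": echo's option/escape handling is not
    # portable and would interpret backslashes inside the message itself.
    printf '\033[1;32m[%s] %s\033[0m\n' "${curtime}" "$1"
}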

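#####################################################
# Prepare: start from an empty per-certificate directory named after CN.
# CN is quoted everywhere below because a wildcard name such as
# "*.example.com" would otherwise be expanded as a glob; ":?" aborts when
# CN is unset or empty so this can never become "rm -rf" of the cwd.
rm -rf -- "${CN:?CN must be set}"
mkdir -- "${CN}"

#####################################################
# Create Private Key, owner-readable only: it is the certificate's secret.
msg "Generating Private Key ..."
(umask 077; openssl genrsa -out "${CN}/${CN}.key" 4096)
openssl rsa -in "${CN}/${CN}.key" -check -noout

#####################################################
# Create Certificate Config (subject only; extensions go in the .ext file)
cat > "${CN}/${CN}.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn

[dn]
CN = ${CN}
C = ${COUNTRY_CODE}
L = ${LOCALITY}
ST = ${STATE_OR_PROVINCENAME}
O = ${ORGANIZATION}
OU = ${ORGANIZATIONALUNIT}
emailAddress = ${EMAIL}
EOF


# Build the SAN list: the CN first, then every extra DNS name and IP.
# Quoted array expansion keeps names with wildcards or spaces intact.
ALTNAME="DNS:${CN}"

for elt in "${DNS[@]}" ; do
  ALTNAME="${ALTNAME}, DNS:${elt}"
done

for ip in "${IPS[@]}" ; do
  ALTNAME="${ALTNAME}, IP:${ip}"
done

# Extensions applied when signing (-extfile). A leaf certificate must carry
# CA:FALSE so it can never be used to issue further certificates, and key
# usage limits what the key may be used for.
cat > "${CN}/${CN}.ext" << EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = ${ALTNAME}
EOF

#####################################################
# Create CSR
msg "Generating Certificate Signing Request File ..."
openssl req -new -config "${CN}/${CN}.cnf" -key "${CN}/${CN}.key" -out "${CN}/${CN}.csr"
openssl req -noout -verify -in "${CN}/${CN}.csr"
#####################################################
# Create Certificate: sign the CSR with the CA; -CAcreateserial creates the
# CA's serial-number file next to the CA key on first use.
msg "Generating Certificate ..."
openssl x509 -req -days "${DAYS}"      \
  -CA "${CA_CRT}" -CAkey "${CA_KEY}"   \
  -in  "${CN}/${CN}.csr"               \
  -out "${CN}/${CN}.crt"               \
  -extfile "${CN}/${CN}.ext"           \
  -CAcreateserial

openssl x509 -in "${CN}/${CN}.crt" -noout -fingerprint -startdate -enddate -issuer -hash -checkemail "${EMAIL}"
#####################################################
# Verify that key and certificate belong together by comparing the RSA
# modulus of each (hashed only to keep the compared strings short).
## https://www.ibm.com/support/pages/how-verify-if-private-key-matches-certificate
KEY_MODULUS=$(openssl rsa  -noout -modulus -in "${CN}/${CN}.key" | openssl md5)
CRT_MODULUS=$(openssl x509 -noout -modulus -in "${CN}/${CN}.crt" | openssl md5)
if [ "${KEY_MODULUS}" == "${CRT_MODULUS}" ] ; then
  msg "Success"
else
  msg "Verification Failed !!!"
  # Make the failure visible to callers instead of exiting 0.
  exit 1
fi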

Easy Command Line

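# CA: self-signed root key and certificate in one step.
# -nodes leaves the key unencrypted, -batch suppresses the interactive
# prompts, and -days is given explicitly because the default is only 30.
# (Every line but the last needs the trailing backslash, or the options on
# the following line run as a separate command.)
openssl req -x509 -new -nodes -days 3650 \
  -newkey rsa:4096 -keyout rootCA.key \
  -out rootCA.crt \
  -batch -subj "/C=US/ST=CA/O=Wazuh"

# Sign: generate the client's key and CSR, then issue the certificate with
# the root CA created above (use CA/CA.crt and CA/CA.key instead to sign
# with the CA produced by the "Create CA" script).
mkdir -p client
openssl req -new -nodes -newkey rsa:4096 \
  -keyout client/client.key -out client/client.csr \
  -subj "/CN=client/C=US/ST=CA/O=Org/OU=Unit"

openssl x509 -req -days 365 \
  -in client/client.csr \
  -CA rootCA.crt -CAkey rootCA.key \
  -out client/client.crt \
  -CAcreateserial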