A certificate generator for internal (private-CA) TLS communication.
#!/bin/bash | |
# create-ca.sh - Create a two-level CA (root + intermediate) and issue server certificates
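# Fail fast: a failed key generation or signing step must not let the script
# carry on and report "CA setup complete!" over a half-built hierarchy (-e),
# and a misspelt variable must never expand to an empty path (-u).
set -euo pipefail

# Defence in depth: everything created under ca/ is owner-only from the moment
# it exists, rather than relying on the tool's default file mode plus a later
# chmod. Public certificates can be relaxed afterwards if a service needs them.
umask 077

# Create directory structure
mkdir -p ca/{root-ca,intermediate-ca,certs,private,crl,csr}
chmod 700 ca/private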
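# Create root CA configuration file.
# The here-doc delimiter is quoted so no value in the DN is ever subject to
# shell expansion ($, backticks); edit the placeholder values before running.
cat > ca/root-ca.conf << 'EOL'
[ req ]
default_bits = 4096
default_md = sha256
prompt = no
encrypt_key = yes
# Emit only UTF8 strings in the DN instead of legacy T61/BMP encodings.
string_mask = utf8only
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = YourState
localityName = YourCity
organizationName = YourOrganization
organizationalUnitName = YourUnit
commonName = YourCompany Root CA
emailAddress = [email protected]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# critical: a relying party that cannot process these must reject the cert.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOL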
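# Create intermediate CA configuration.
# Quoted delimiter: the DN values are written literally, never shell-expanded.
cat > ca/intermediate-ca.conf << 'EOL'
[ req ]
default_bits = 4096
default_md = sha256
prompt = no
encrypt_key = yes
# Emit only UTF8 strings in the DN instead of legacy T61/BMP encodings.
string_mask = utf8only
distinguished_name = req_distinguished_name
x509_extensions = v3_intermediate_ca
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = YourState
localityName = YourCity
organizationName = YourOrganization
organizationalUnitName = YourUnit
commonName = YourCompany Intermediate CA
emailAddress = [email protected]
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# pathlen:0 - this CA may only issue end-entity certificates, never
# another CA, so a compromise of this key cannot mint a new sub-CA.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOL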
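# Create server certificate configuration (template).
# 'your-domain.com' is a placeholder that generate_server_cert substitutes
# with the requested hostname. Quoted delimiter: written literally.
cat > ca/server-cert.conf << 'EOL'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
# Server keys are left unencrypted so a daemon can load them without a prompt;
# protect them with file permissions instead (see ca/private, mode 700).
encrypt_key = no
# Emit only UTF8 strings in the DN instead of legacy T61/BMP encodings.
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = YourState
localityName = YourCity
organizationName = YourOrganization
organizationalUnitName = YourUnit
commonName = your-domain.com
emailAddress = [email protected]
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = your-domain.com
DNS.2 = *.your-domain.com
# Development convenience: every issued certificate is also valid for the
# local host. Remove these two entries for certificates that leave a dev box.
DNS.3 = localhost
IP.1 = 127.0.0.1
EOL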
# Function to generate Root CA
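#######################################
# Generate the Root CA: a passphrase-protected 4096-bit RSA key and a
# self-signed certificate carrying the v3_ca extensions from ca/root-ca.conf.
# Prompts interactively for the key passphrase (genrsa -aes256).
# Outputs:  ca/private/root-ca.key (mode 400), ca/root-ca/root-ca.crt
# Returns:  non-zero if the key already exists or any openssl step fails, so
#           a caller never goes on to sign an intermediate with a missing key.
#######################################
generate_root_ca() {
  local key=ca/private/root-ca.key
  local cert=ca/root-ca/root-ca.crt
  echo "Generating Root CA..."
  # Refuse to clobber an existing root key: re-running would silently create a
  # new trust anchor and orphan every certificate already issued under it.
  if [[ -e "$key" ]]; then
    echo "error: $key already exists; remove it deliberately before re-running" >&2
    return 1
  fi
  openssl genrsa -aes256 -out "$key" 4096 || return 1
  chmod 400 "$key"
  # -x509 makes this self-signed; 7300 days is roughly 20 years.
  openssl req -config ca/root-ca.conf \
    -key "$key" \
    -new -x509 -days 7300 \
    -sha256 -extensions v3_ca \
    -out "$cert" || return 1
}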
# Function to generate Intermediate CA
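#######################################
# Generate the Intermediate CA: a passphrase-protected 4096-bit RSA key, a
# CSR, and a certificate signed by the Root CA with the v3_intermediate_ca
# extensions (CA:true, pathlen:0). Prompts for both passphrases.
# Outputs:  ca/private/intermediate-ca.key (mode 400),
#           ca/csr/intermediate-ca.csr, ca/intermediate-ca/intermediate-ca.crt
# Returns:  non-zero if any openssl step fails or the result does not verify
#           against the root certificate.
#######################################
generate_intermediate_ca() {
  local key=ca/private/intermediate-ca.key
  local csr=ca/csr/intermediate-ca.csr
  local cert=ca/intermediate-ca/intermediate-ca.crt
  local root_cert=ca/root-ca/root-ca.crt
  echo "Generating Intermediate CA..."
  openssl genrsa -aes256 -out "$key" 4096 || return 1
  chmod 400 "$key"
  openssl req -config ca/intermediate-ca.conf \
    -new -sha256 \
    -key "$key" \
    -out "$csr" || return 1
  # Sign with the root. The extensions come from -extfile/-extensions, i.e.
  # the issuing side decides what the intermediate may do, not the CSR.
  openssl x509 -req \
    -in "$csr" \
    -CA "$root_cert" \
    -CAkey ca/private/root-ca.key \
    -CAcreateserial \
    -out "$cert" \
    -days 3650 \
    -sha256 \
    -extfile ca/intermediate-ca.conf \
    -extensions v3_intermediate_ca || return 1
  # Fail loudly if the freshly signed intermediate does not chain to the root.
  openssl verify -CAfile "$root_cert" "$cert" || return 1
}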
# Function to generate server certificate
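#######################################
# Issue an end-entity (server) certificate for a hostname, signed by the
# Intermediate CA, and write a chain file (leaf + intermediate + root).
# Arguments: $1 - hostname; must consist of [A-Za-z0-9.-] only.
# Outputs:   ca/csr/<host>.conf, ca/private/<host>.key (unencrypted, mode 400),
#            ca/csr/<host>.csr, ca/certs/<host>.crt, ca/certs/<host>.chain.crt
# Returns:   non-zero on a missing/invalid hostname or a failed openssl step.
#######################################
generate_server_cert() {
  local domain=${1:-}
  # The name is spliced into file paths and into a sed replacement, so limit
  # it to hostname characters: no '/' (path traversal, sed delimiter), no
  # '&' or '\' (sed replacement metacharacters), and no empty value.
  if [[ -z "$domain" || ! "$domain" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
    echo "usage: generate_server_cert <hostname>  (letters, digits, '.', '-')" >&2
    return 1
  fi
  local conf=ca/csr/$domain.conf
  local key=ca/private/$domain.key
  local csr=ca/csr/$domain.csr
  local cert=ca/certs/$domain.crt
  echo "Generating server certificate for $domain..."
  # Render a per-domain config instead of editing ca/server-cert.conf in place.
  # The original 'sed -i' consumed the placeholder, so a second call with a
  # different name silently reused the first name's CN and SANs. '\.' keeps
  # the dots literal (an unescaped '.' matches any character).
  sed "s/your-domain\.com/$domain/g" ca/server-cert.conf > "$conf" || return 1
  # Server key: unencrypted (encrypt_key = no in the template) so a service can
  # load it unattended; protected by mode 400 and the 700 directory.
  openssl genrsa -out "$key" 2048 || return 1
  chmod 400 "$key"
  openssl req -config "$conf" \
    -key "$key" \
    -new -sha256 -out "$csr" || return 1
  # Sign with the intermediate; extensions (CA:FALSE, SAN, EKU) are applied
  # from the rendered config at signing time, not taken from the CSR.
  openssl x509 -req \
    -in "$csr" \
    -CA ca/intermediate-ca/intermediate-ca.crt \
    -CAkey ca/private/intermediate-ca.key \
    -CAcreateserial \
    -out "$cert" \
    -days 365 \
    -sha256 \
    -extfile "$conf" \
    -extensions v3_req || return 1
  # Chain file: leaf first, then intermediate, then root. Serving the root is
  # not required by clients that already trust it, but it is kept here for
  # compatibility with the original output.
  cat "$cert" \
    ca/intermediate-ca/intermediate-ca.crt \
    ca/root-ca/root-ca.crt > "ca/certs/$domain.chain.crt" || return 1
}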
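# Main execution: build the hierarchy root first, then intermediate, and stop
# at the first failed step so a broken root never gets an intermediate signed
# under it and "complete" is only printed when both certificates exist.
echo "Starting CA setup..."
generate_root_ca || { echo "Root CA generation failed; aborting." >&2; exit 1; }
generate_intermediate_ca || { echo "Intermediate CA generation failed; aborting." >&2; exit 1; }
# Example usage for generating server certificate
# Uncomment and modify domain as needed
# generate_server_cert "example.com"
echo "CA setup complete!"
echo "Root CA certificate: ca/root-ca/root-ca.crt"
echo "Intermediate CA certificate: ca/intermediate-ca/intermediate-ca.crt"
echo "Generated certificates will be in ca/certs/"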
Certificate Authority (CA) Setup Tool
A robust toolkit for creating and managing a complete Certificate Authority infrastructure, including Root CA, Intermediate CA, and server certificates.
Features
- Complete PKI infrastructure setup
- Three-tier certificate hierarchy (Root CA → Intermediate CA → Server Certificates)
- Secure configuration templates
- Automated certificate chain generation
- Passphrase-protected CA private keys (server keys are written unencrypted so services can load them without a prompt; protect them with file permissions)
- Configurable certificate attributes
Prerequisites
- OpenSSL (>= 1.1.1)
- Bash shell
- Linux/Unix environment
Quick Start
-
Download this script and save it as `create-ca.sh`:
-
Make the script executable:
chmod +x create-ca.sh
- Run the setup script:
./create-ca.sh
Directory Structure
ca/
├── root-ca/ # Root CA certificates
├── intermediate-ca/ # Intermediate CA certificates
├── certs/ # Server certificates
├── private/ # Private keys (restricted access)
├── crl/ # Certificate revocation lists (directory only; this script does not generate CRLs)
└── csr/ # Certificate signing requests
Security Considerations
- Store the Root CA private key in a secure, offline location
- Use strong passwords for CA private keys
- Keep the Intermediate CA private key secure but accessible
- Regular backup of the CA infrastructure
- Maintain secure access controls on private key directory
Usage Examples
Generate a server certificate (uncomment the `generate_server_cert` call at the bottom of the script, or source the script and call the function):
generate_server_cert "example.com"
The generated files will be:
- Private key:
ca/private/example.com.key
- Certificate:
ca/certs/example.com.crt
- Chain file:
ca/certs/example.com.chain.crt
License
MIT License
Security Advisories
- This toolkit is for development and testing purposes
- For production use, add the controls this script does not provide: an offline or HSM-held root key, a CA database with serial tracking (the script only uses `-CAcreateserial`), and a revocation mechanism (CRL or OCSP)
- Follow your organization's security policies
- Regular security audits are recommended
Contributing
- Fork the repository
- Create your feature branch
- Submit a pull request
Support
For issues and feature requests, please open an issue in the repository.
For detailed documentation, visit the Wiki