@christopherdeutsch
Created May 17, 2018 18:21
OpenSSL Self-Signed CA
#
# quick and dirty commands to set up a new self-signed CA using OpenSSL
#
# working directories plus the database and serial files that ca.cnf points at
mkdir certs crl newcerts private
touch ./certs.db
touch ./certs.db.attr
echo 00 > ./certs.seq
cat > ca.cnf << EOF
[ca]
default_ca = my_ca_default
[my_ca_default]
new_certs_dir = ./certs
database = ./certs.db
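# MD5 is collision-broken and MD5-signed certificates are rejected by current clients; sign with SHA-256
default_md = sha256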
policy = my_ca_policy
serial = ./certs.seq
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
[ my_ca_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
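# generate the CA private key (passphrase-protected) and a certificate request; prompts for the subject fields
openssl req -new -keyout ca_key.pem -out ca_req.pem
# write an unencrypted copy of the CA key so signing does not prompt; keep this file readable by its owner only
openssl rsa -in ca_key.pem -out ca_key_nopasswd.pem
# self-sign the request as a 10-year CA certificate using the v3_ca extensions
openssl ca -config ca.cnf -out ca_crt.pem -days 3650 -batch -keyfile ca_key_nopasswd.pem -selfsign -extensions v3_ca -infiles ca_req.pem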
# print out cert
openssl x509 -in ca_crt.pem -text -noout
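
A check for the output of the last command above, as an added example that is not part of the original gist: it flags a weak signature digest (decided by `default_md` in `ca.cnf`), a short RSA key and a missing `CA:TRUE`. The function names and the sample certificate text are constructed for illustration.

```shell
# Added example, not part of the gist. Audits `openssl x509 -text -noout`
# output read from stdin: one finding per line, exit status 1 if any.
audit_cert_text() {
    text=$(cat)
    rc=0

    # Signature algorithm as printed in the Data section, e.g. md5WithRSAEncryption
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        "")                          echo "no-signature-algorithm"; rc=1 ;;
        md2*|md4*|md5*|sha1*|*SHA1*) echo "weak-digest: $sigalg"; rc=1 ;;
    esac

    # RSA modulus size; EC keys print a bit count too, so check the key type first
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            echo "short-rsa-key: $bits"; rc=1
        fi
    fi

    # A CA certificate must carry basicConstraints CA:TRUE (set by the v3_ca section)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo "not-a-ca"; rc=1; }

    return $rc
}

# Constructed sample: excerpt shaped like x509 -text output for an MD5-signed CA
sample_md5_ca() {
    cat <<'SAMPLE'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C = US, ST = Example, O = Example Org, CN = Example CA
        Subject: C = US, ST = Example, O = Example Org, CN = Example CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
SAMPLE
}
```

Against the real certificate: `openssl x509 -in ca_crt.pem -text -noout | audit_cert_text`.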