-
-
Save dakatsuka/1765407 to your computer and use it in GitHub Desktop.
openssl private CA management script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OPENSSL = openssl | |
| DAYS = -days 3652 | |
| CADAYS = -days 3652 | |
| REQ = $(OPENSSL) req | |
| CA = $(OPENSSL) ca | |
| VERIFY = $(OPENSSL) verify | |
| X509 = $(OPENSSL) x509 | |
| # must be absolute path | |
| CATOP = $(PWD)/ca | |
| CA_CERT_REQ_FILE = $(CATOP)/careq.pem | |
| CA_CERT_KEY_FILE = $(CATOP)/private/cakey.pem | |
| CA_CERT_FILE = $(CATOP)/cacert.pem | |
| CRL_LINK = $(CATOP)/crl/crl.pem | |
| CRL_FILE = $(CATOP)/crl/crl$(shell cat $(CATOP)/crlnumber).pem | |
| ifneq '$(CERT)' '' | |
| CERT_REQ_FILE = certificate_requests/$(CERT).pem | |
| CERT_KEY_FILE = private/$(CERT).pem | |
| CERT_FILE = public/$(CERT).pem | |
| else | |
| CERT_REQ_FILE = certificate_requests/newreq.pem | |
| CERT_KEY_FILE = private/newkey.pem | |
| CERT_FILE = public/newcert.pem | |
| endif | |
| .SUFFIXES: .pem .crt .p12 | |
| .PHONY: careq cacert req cert verify revoke clean | |
| help: | |
| @echo "careq - Create certificate request of CA." | |
| @echo "cacert - Sign certificate request of CA." | |
| @echo "req - Create certificate request." | |
| @echo "cert - Sign specified certificate request." | |
| @echo "verify - Verify specified certificate." | |
| @echo "revoke - Revoke specified certificate." | |
| @echo "crl - Generate CRL." | |
| .pem.crt: | |
| $(X509) -in $< -out $@ | |
| .pem.p12: | |
| $(OPENSSL) pkcs12 -export -clcerts -in $< -inkey $(CERT_KEY_FILE) -out $@ | |
| ## Creating new CA | |
| $(CATOP): | |
| mkdir -m 755 $(CATOP) | |
| mkdir -m 755 $(CATOP)/certs | |
| mkdir -m 755 $(CATOP)/crl | |
| mkdir -m 755 $(CATOP)/newcerts | |
| mkdir -m 700 $(CATOP)/private | |
| echo "00" > $(CATOP)/serial | |
| touch $(CATOP)/index.txt | |
| careq: $(CATOP) | |
| $(MAKE) $(CA_CERT_REQ_FILE) | |
| $(CA_CERT_REQ_FILE): $(CA_CERT_KEY_FILE) | |
| chmod 600 $(CA_CERT_REQ_FILE) | |
| $(CA_CERT_KEY_FILE): | |
| $(REQ) -new -keyout $(CA_CERT_KEY_FILE) \ | |
| -out $(CA_CERT_REQ_FILE) \ | |
| $(NULL) | |
| chmod 600 $(CA_CERT_KEY_FILE) | |
| cacert: careq | |
| $(MAKE) $(CA_CERT_FILE) | |
| $(CA_CERT_FILE): $(CA_CERT_REQ_FILE) | |
| $(CA) -out $(CA_CERT_FILE) $(CADAYS) -batch \ | |
| -keyfile $(CA_CERT_KEY_FILE) -selfsign \ | |
| -extensions v3_ca \ | |
| -infiles $(CA_CERT_REQ_FILE) \ | |
| $(NULL) | |
| chmod 644 $(CA_CERT_FILE) | |
| req: $(CATOP) | |
| test -d ./certificate_requests || mkdir -m 700 ./certificate_requests | |
| test -d ./private || mkdir -m 710 ./private | |
| test -d ./public || mkdir -m 755 ./public | |
| $(MAKE) $(CERT_REQ_FILE) | |
| $(CERT_REQ_FILE): $(CERT_KEY_FILE) | |
| chmod 600 $(CERT_REQ_FILE) | |
| $(CERT_KEY_FILE): | |
| $(REQ) -new -keyout $(CERT_KEY_FILE) -out $(CERT_REQ_FILE) $(DAYS) | |
| chmod 600 $(CERT_KEY_FILE) | |
| cert: req | |
| $(MAKE) $(CERT_FILE) | |
| @echo -ne '\033[1;32m' | |
| @echo -n 'Certificate is in $(CERT_FILE).' | |
| @echo -ne '\033[0m\n' | |
| $(CERT_FILE): $(CERT_REQ_FILE) | |
| $(CA) -policy policy_anything -out $(CERT_FILE) -infiles $(CERT_REQ_FILE) | |
| chmod 644 $(CERT_FILE) | |
| verify: $(CERT_FILE) | |
| $(VERIFY) -CAfile $(CA_CERT_FILE) $(CERT_FILE) | |
| revoke: $(CERT_FILE) | |
| $(CA) -revoke $(CERT_FILE) | |
| $(MAKE) crl | |
| crl: | |
| $(MAKE) $(CRL_FILE) | |
| ln -sf $(CRL_FILE) $(CRL_LINK) | |
| @echo -ne '\033[1;32m' | |
| @echo -n 'CRL is in $(CRL_FILE).' | |
| @echo -ne '\033[0m\n' | |
| $(CRL_FILE): $(CATOP)/crlnumber | |
| $(CA) -gencrl -out $(CRL_FILE) | |
| chmod 644 $(CRL_FILE) | |
| $(CATOP)/crlnumber: | |
| echo 01 > $@ | |
| clean: | |
| $(RM) \ | |
| $(CERT_REQ_FILE) \ | |
| $(CERT_KEY_FILE) \ | |
| $(CERT_FILE) \ | |
| $(NULL) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment