Created
February 13, 2013 08:35
Makefile to create a root CA and an intermediate signing CA.
It can also be used to quickly create keys and certificates and sign them with that intermediate CA. You should put the root CA into your trust store (preferably as the only CA ;) and make sure your programs validate it correctly.
# Subject distinguished names for the two CA certificates; both are passed to
# `openssl req -subj` further down.
root_DN    := /CN=Esotericsystems Root Authority/C=AT/
issuing_DN := /CN=Esotericsystems Issuing Authority/C=AT/
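# Passphrase file read by every `-pass file:passphrase` / `-passin file:passphrase`
# option in this Makefile.
# "changeme" is a placeholder: replace the file's contents before generating
# any key that matters. The file sits next to the encrypted keys, so whoever
# can read this directory can decrypt them; umask 077 keeps it owner-only.
# printf is used instead of `echo -n`, which not every /bin/sh implements.
passphrase:
	umask 077 && printf '%s' changeme > $@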
#
# Root CA: parameter file, private keys and self-signed certificate
#
# 2048-bit DSA domain parameters; the root CA keys are generated from this file.
root-ca-dsa.param: passphrase
	openssl genpkey -genparam -algorithm DSA \
		-pkeyopt dsa_paramgen_bits:2048 \
		-out $@
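# Passphrase-protected root CA private key.
# - AES-256-CBC replaces Camellia-256 in ECB mode: ECB uses no IV and encrypts
#   equal plaintext blocks to equal ciphertext blocks.
# - umask 077 makes the key file owner-only instead of inheriting the caller's
#   umask.
# - `passphrase` is listed explicitly because the recipe reads it.
root-ca-dsa_enc.key: root-ca-dsa.param passphrase
	umask 077 && openssl genpkey -paramfile $< -aes-256-cbc -pass file:passphrase -out $@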
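# Unencrypted DSA key generated from the root parameters.
# This is a newly generated key, not a decrypted copy of root-ca-dsa_enc.key,
# and none of the rules shown in this file use it.
# It is written in the clear, so umask 077 restricts the file to its owner.
root-ca-dsa.key: root-ca-dsa.param passphrase
	umask 077 && openssl genpkey -paramfile $< -out $@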
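# Self-signed root CA certificate, valid for 13650 days.
# The certificate is a real file target (root-ca.pem), so it is created once
# and not re-issued every time something depends on `root-ca`; `root-ca` stays
# available as a phony alias for the command line and for existing
# prerequisites.
# The v3_ca extension section is looked up in OpenSSL's default configuration
# file, since no -config option is given.
.PHONY: root-ca
root-ca: root-ca.pem

root-ca.pem: root-ca-dsa_enc.key
	openssl req -batch -new -x509 -days 13650 -key $< -passin file:passphrase -subj "$(root_DN)" -utf8 -extensions v3_ca -out $@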
#
# Issuing CA: parameter file, private key and certificate request
#
# 2048-bit DSA domain parameters for the issuing CA key.
issuing-ca-dsa.param: passphrase
	openssl genpkey -genparam -algorithm DSA \
		-pkeyopt dsa_paramgen_bits:2048 \
		-out $@
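# Passphrase-protected issuing CA private key.
# - AES-256-CBC replaces Camellia-256 in ECB mode: ECB uses no IV and encrypts
#   equal plaintext blocks to equal ciphertext blocks.
# - umask 077 makes the key file owner-only instead of inheriting the caller's
#   umask.
issuing-ca-dsa_enc.key: issuing-ca-dsa.param passphrase
	umask 077 && openssl genpkey -paramfile $< -aes-256-cbc -pass file:passphrase -out $@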
# Certificate signing request for the issuing CA, made with its encrypted key
# and the subject in $(issuing_DN).
issuing-ca.csr: issuing-ca-dsa_enc.key
	openssl req -new -utf8 \
		-key $< -passin file:passphrase \
		-subj "$(issuing_DN)" \
		-out $@
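#
# Sign the issuing CA's CSR with the root CA; the result is issuing-ca.pem,
# valid for 1365 days.
#
# - `issuing-ca` is a command name, not a file, so it is declared phony; each
#   run issues a fresh certificate for the same issuing key.
# - -extfile reads ./openssl.cnf, which the rules shown here do not create;
#   it has to exist in this directory and contain a v3_ca section.
# - NOTE(review): that v3_ca section decides what the issuing CA may do.
#   Check that it sets basicConstraints to CA:TRUE, and consider pathlen:0 so
#   the issuing CA cannot create further sub-CAs.
# - -CAcreateserial writes root-ca.srl next to the root certificate.
.PHONY: issuing-ca
issuing-ca: issuing-ca.csr root-ca
	openssl x509 -req -in issuing-ca.csr -CA root-ca.pem -CAkey root-ca-dsa_enc.key -passin file:passphrase -CAcreateserial -extfile openssl.cnf -extensions v3_ca -days 1365 -out $@.pem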
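#
# Create a passphrase-protected 2048-bit RSA key in the file named by KEY
# Example: make create-rsa_enc.key KEY=blag.es.at.key
#
# - The target is a command name (the output file is $(KEY)), so it is phony.
# - The guard stops with a clear message when KEY is empty, instead of letting
#   openssl misparse the following option as the output file name.
# - AES-256-CBC replaces Camellia-256 in ECB mode: ECB uses no IV and encrypts
#   equal plaintext blocks to equal ciphertext blocks.
# - umask 077 makes the key file owner-only.
.PHONY: create-rsa_enc.key
create-rsa_enc.key: passphrase
	$(if $(strip $(KEY)),,$(error KEY is not set; example: make create-rsa_enc.key KEY=blag.es.at.key))
	umask 077 && openssl genpkey -algorithm RSA -aes-256-cbc -pass file:passphrase -out "$(KEY)" -pkeyopt rsa_keygen_bits:2048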
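# Create an unencrypted 2048-bit RSA key in the file named by KEY.
# The key is stored in the clear, so umask 077 restricts the file to its owner.
# The guard stops with a clear message when KEY is empty.
.PHONY: create-rsa.key
create-rsa.key:
	$(if $(strip $(KEY)),,$(error KEY is not set; example: make create-rsa.key KEY=blag.es.at.key))
	umask 077 && openssl genpkey -algorithm RSA -out "$(KEY)" -pkeyopt rsa_keygen_bits:2048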
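#
# Create a certificate signing request:
# Example: make create-csr KEY=blag.es.at.key CSR=blag.es.at.csr DN='/CN=blag.es.at/C=AT/'
#
# - KEY, CSR and DN are all required; the guard fails early when one is empty.
# - `passphrase` is a prerequisite because the recipe passes
#   -passin file:passphrase to openssl.
.PHONY: create-csr
create-csr: passphrase
	$(if $(and $(strip $(KEY)),$(strip $(CSR)),$(strip $(DN))),,$(error KEY CSR and DN must all be set; see the example above this rule))
	openssl req -new -key "$(KEY)" -passin file:passphrase -out "$(CSR)" -subj "$(DN)"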
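#
# And finally, sign this certificate request with the issuing CA:
# Example: make sign-cert CSR=blag.es.at.csr PEM=blag.es.at.pem
#
# - CSR and PEM are required; the guard fails early when either is empty.
# - The certificate's extensions come from the usr_cert section of
#   ./openssl.cnf. `openssl x509 -req` does not copy extensions requested in
#   the CSR unless told to, so anything the certificate needs (for example
#   subjectAltName) has to be set in that section.
# - The subject is taken from the CSR as submitted. Inspect it before signing:
#   openssl req -in "$(CSR)" -noout -text
# - issuing-ca.pem and issuing-ca-dsa_enc.key must already exist
#   (`make issuing-ca`).
.PHONY: sign-cert
sign-cert:
	$(if $(and $(strip $(CSR)),$(strip $(PEM))),,$(error CSR and PEM must both be set; example: make sign-cert CSR=blag.es.at.csr PEM=blag.es.at.pem))
	openssl x509 -req -in "$(CSR)" -CA issuing-ca.pem -CAkey issuing-ca-dsa_enc.key -passin file:passphrase -CAcreateserial -extfile openssl.cnf -extensions usr_cert -days 1365 -out "$(PEM)"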
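# Delete the passphrase and every key, request, parameter file, certificate and
# serial file in this directory.
# This removes the CA private keys for good, and the globs also match *.key
# and *.pem files that this Makefile did not create, so back up anything still
# needed first.
# $(RM) is `rm -f`; the original -r is dropped because only files are
# generated here and a matching directory should not be removed recursively.
.PHONY: clean
clean:
	$(RM) passphrase *.key *.csr *.param *.pem *.srl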