jenslohmann · June 19, 2018 09:53
diff --git a/certifcateGeneration b/certifcateGeneration
 This might be helpful when generating signed (not strictly self-signed) certificates for use in development on MacOSX.

 Testing (against server using the generated server cert):
 curl --trace - -3 --insecure --cert clientcert.p12:changeit --get https://localhost:443/

 Troubleshooting:
 - Check the keychain (Cmd-Space "Keychain Access") for old entries. Delete them :-)
 - "-3" avoids some MacOSX curl quirkiness.
 - "--insecure" seems to be necessary for MacOSX curl. If you find a way to use "--cacert cacert.pem" instead then tell me :-)
diff --git a/config_file b/config_file
 [ ca ]
 default_ca      = CA_default            # The default ca section

 [ CA_default ]

 dir            = .
 database       = $dir/index.txt        # index file.
 new_certs_dir  = $dir/newcerts         # new certs dir

 certificate    = $dir/cacert.pem       # The CA cert
 serial         = $dir/serial           # serial no file
 private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file

 default_days   = 365                   # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = md5                   # md to use

 policy         = policy_any            # default policy
 email_in_dn    = no                    # Don't add the email into cert DN

 name_opt       = ca_default            # Subject name display option
 cert_opt       = ca_default            # Certificate display option
 x509_extensions = server_cert_extensions
 copy_extensions = copy

 [ server_cert_extensions ]
 basicConstraints = CA:FALSE
 nsCertType = server
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 issuerAltName = issuer:copy

 [ policy_anything ]
 countryName            = supplied
 stateOrProvinceName    = optional
 organizationName       = optional
 organizationalUnitName = optional
 commonName             = supplied
 emailAddress           = optional
diff --git a/do.sh b/do.sh
 #!/bin/bash -v
 # Generates the CA
 rm -rf private/* 2>/dev/null
 rm -rf newcerts/* 2>/dev/null
 mkdir private 2>/dev/null
 mkdir newcerts 2>/dev/null
 rm -f index.txt* 2>/dev/null
 rm -f serial*
 rm -f *.pem
 rm -f *.key
 rm -f *.req
 rm -f *.p12
 touch index.txt
 echo "01" > serial

 # Generates the signer's certificate
 openssl req -new -x509 -sha512 -newkey rsa:4096 -days 3650 -keyout private/cakey.pem -out cacert.pem -passout pass:changeit <<-EOCERT
 	DK
 	.
 	Copenhagen
 	http://somesite.dk/
 	.
 	Jens Lohmann CA
 	[email protected]
 EOCERT

 # Generates the request
 openssl req -new -sha512 -nodes -newkey rsa:2048 -days 1096\
        -keyout private/somesite.dk.key\
        -out somesite.dk.req\
        -passout pass:changeit\
        -reqexts SAN\
        -extensions SAN\
        -subj '/CN=somesite.dk/OU=Server Certificate/O=https:\/\/somesite.dk\//C=DK'\
        -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:somesite.dk'))

 # Signs the request
 openssl ca -verbose -md sha512 -config config_file -batch -policy policy_anything -days 1096 -out somesite.dk.pem -in somesite.dk.req -passin pass:changeit

 # Create the server p12 file
 openssl pkcs12 -export -in somesite.dk.pem -inkey private/somesite.dk.key -certfile cacert.pem -passout pass:changeit > somesite.dk.p12

 # Generate a client cert signing request
 openssl req -new -sha512 -nodes -newkey rsa:2048 -days 1096 -keyout private/client.key -out client.req -passout pass:changeit <<-EOCERT
 	DK
 	.
 	Copenhagen
 	http://www.somesite.dk/
 	Client Certificate
 	Jens Lohmann
 	[email protected]
 	.
 	.
 EOCERT

 # Signs the request
 openssl ca -verbose -md sha512 -config config_file -batch -policy policy_anything -days 1096 -out client.pem -in client.req -passin pass:changeit

 # Create the client p12 file
 openssl pkcs12 -export -in client.pem -inkey private/client.key -certfile cacert.pem -passout pass:changeit > clientcert.p12
	This might be helpful when generating signed (not strictly self-signed) certificates for use in development on MacOSX.

	Testing (against server using the generated server cert):
	curl --trace - -3 --insecure --cert clientcert.p12:changeit --get https://localhost:443/

	Troubleshooting:
	- Check the keychain (Cmd-Space "Keychain Access") for old entries. Delete them :-)
	- "-3" avoids some MacOSX curl quirkiness.
	- "--insecure" seems to be necessary for MacOSX curl. If you find a way to use "--cacert cacert.pem" instead then tell me :-)
	[ ca ]
	default_ca = CA_default # The default ca section

	[ CA_default ]

	dir = .
	database = $dir/index.txt # index file.
	new_certs_dir = $dir/newcerts # new certs dir

	certificate = $dir/cacert.pem # The CA cert
	serial = $dir/serial # serial no file
	private_key = $dir/private/cakey.pem# CA private key
	RANDFILE = $dir/private/.rand # random number file

	default_days = 365 # how long to certify for
	default_crl_days= 30 # how long before next CRL
	default_md = md5 # md to use

	policy = policy_any # default policy
	email_in_dn = no # Don't add the email into cert DN

	name_opt = ca_default # Subject name display option
	cert_opt = ca_default # Certificate display option
	x509_extensions = server_cert_extensions
	copy_extensions = copy

	[ server_cert_extensions ]
	basicConstraints = CA:FALSE
	nsCertType = server
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer:always
	issuerAltName = issuer:copy

	[ policy_anything ]
	countryName = supplied
	stateOrProvinceName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = supplied
	emailAddress = optional
	#!/bin/bash -v
	# Generates the CA
	rm -rf private/* 2>/dev/null
	rm -rf newcerts/* 2>/dev/null
	mkdir private 2>/dev/null
	mkdir newcerts 2>/dev/null
	rm -f index.txt* 2>/dev/null
	rm -f serial*
	rm -f *.pem
	rm -f *.key
	rm -f *.req
	rm -f *.p12
	touch index.txt
	echo "01" > serial

	# Generates the signer's certificate
	openssl req -new -x509 -sha512 -newkey rsa:4096 -days 3650 -keyout private/cakey.pem -out cacert.pem -passout pass:changeit <<-EOCERT
	DK
	.
	Copenhagen
	http://somesite.dk/
	.
	Jens Lohmann CA
	[email protected]
	EOCERT

	# Generates the request
	openssl req -new -sha512 -nodes -newkey rsa:2048 -days 1096\
	-keyout private/somesite.dk.key\
	-out somesite.dk.req\
	-passout pass:changeit\
	-reqexts SAN\
	-extensions SAN\
	-subj '/CN=somesite.dk/OU=Server Certificate/O=https:\/\/somesite.dk\//C=DK'\
	-config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:somesite.dk'))

	# Signs the request
	openssl ca -verbose -md sha512 -config config_file -batch -policy policy_anything -days 1096 -out somesite.dk.pem -in somesite.dk.req -passin pass:changeit

	# Create the server p12 file
	openssl pkcs12 -export -in somesite.dk.pem -inkey private/somesite.dk.key -certfile cacert.pem -passout pass:changeit > somesite.dk.p12

	# Generate a client cert signing request
	openssl req -new -sha512 -nodes -newkey rsa:2048 -days 1096 -keyout private/client.key -out client.req -passout pass:changeit <<-EOCERT
	DK
	.
	Copenhagen
	http://www.somesite.dk/
	Client Certificate
	Jens Lohmann
	[email protected]
	.
	.
	EOCERT

	# Signs the request
	openssl ca -verbose -md sha512 -config config_file -batch -policy policy_anything -days 1096 -out client.pem -in client.req -passin pass:changeit

	# Create the client p12 file
	openssl pkcs12 -export -in client.pem -inkey private/client.key -certfile cacert.pem -passout pass:changeit > clientcert.p12