eAPI CA certs

Root CA

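# --- Root CA -------------------------------------------------------------
# The root key is the trust anchor for everything below (intermediate,
# server and client certs). It is used once here and once to sign the
# intermediate; keep it offline and never copy it to a device.
cd /root/ca || exit 1

# umask first so the key file is never group/world-readable, even for the
# instant between genrsa finishing and the chmod below.
umask 077
# -aes256: the original wrote the root key to disk unencrypted. Encrypting
# it prompts for a passphrase here and again on every `openssl ca -config
# openssl.cnf` signing run, which is the point for a root key.
openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

# Self-signed root: 7300 days (~20 years), SHA-256, extensions taken from
# the v3_ca section of openssl.cnf (expected to set basicConstraints
# CA:TRUE and keyCertSign — confirm in the config, which is not shown).
openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem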

Intermediate CA

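# --- Intermediate CA -----------------------------------------------------
# Signs all server and client certs so the root key can stay offline.
cd /root/ca || exit 1

umask 077
# Encrypt the intermediate key too; the original left it unencrypted and,
# unlike the root key, never tightened its file mode.
openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem

# CSR for the intermediate. The subject comes from intermediate/openssl.cnf
# or the interactive prompts.
openssl req -config intermediate/openssl.cnf -new -sha256 \
    -key intermediate/private/intermediate.key.pem \
    -out intermediate/csr/intermediate.csr.pem

# Sign with the ROOT config (openssl.cnf) and its v3_intermediate_ca
# section. With `openssl ca` the extensions (CA:TRUE, pathlen, key usage)
# come from that config section, not from the CSR, unless the config sets
# copy_extensions. `openssl ca` asks for confirmation and records the
# serial in the root's index.txt.
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
    -days 3650 -notext -md sha256 \
    -in intermediate/csr/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cert.pem

# Check the new intermediate actually chains to the root before using it
# to sign anything.
openssl verify -CAfile certs/ca.cert.pem \
    intermediate/certs/intermediate.cert.pem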

Chain

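# --- Chain bundle --------------------------------------------------------
# The original line had no `>` redirect: cat tried to read ca-chain.cert.pem
# as a third input instead of writing it, so the bundle was never created.
# Order kept as in the original: root first, then intermediate.
cat certs/ca.cert.pem intermediate/certs/intermediate.cert.pem \
  > intermediate/certs/ca-chain.cert.pem

# Certificates are public; read-only only guards against accidental edits.
chmod 444 intermediate/certs/ca-chain.cert.pem

# NOTE(review): a bundle that includes the root is the right thing to
# verify against on the CA host. What a server presents to clients should
# normally be just the intermediate; clients must already trust the root
# on their own, or the trust anchor is whatever the server chose to send.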

Server

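# --- Server (eAPI HTTPS) certificate -------------------------------------
cd /root/ca || exit 1

umask 077
openssl genrsa -out intermediate/private/veos.lab.lan.key.pem 2048
chmod 400 intermediate/private/veos.lab.lan.key.pem

# CSR carrying a subjectAltName. Dropped from the original: `-days 375` and
# `-extensions SAN` — `openssl req` only honours those together with -x509,
# so they had no effect here; -reqexts is what puts the SAN into the CSR.
# The [SAN] section is appended to the config via process substitution
# (bash-only).
#
# NOTE(review): the SAN is a wildcard while the CN names one host. A key
# that lives on this box can then also impersonate every other *.lab.lan
# host if it leaks; use DNS:veos.lab.lan unless this cert is deliberately
# shared across devices.
openssl req -new -sha256 \
  -key intermediate/private/veos.lab.lan.key.pem \
  -out intermediate/csr/veos.lab.lan.csr.pem \
  -subj '/C=US/ST=Washington/L=Seattle/O=MSFT Lab/CN=veos.lab.lan' \
  -reqexts SAN \
  -config <(cat intermediate/openssl.cnf \
    <(printf '[SAN]\nsubjectAltName=DNS:*.lab.lan'))

# Sign with the intermediate. `openssl ca` takes its extensions from the
# server_cert section of intermediate/openssl.cnf; the SAN in the CSR only
# survives into the issued cert if that config sets `copy_extensions = copy`.
openssl ca -config intermediate/openssl.cnf \
  -extensions server_cert -days 375 -notext -md sha256 \
  -in intermediate/csr/veos.lab.lan.csr.pem \
  -out intermediate/certs/veos.lab.lan.cert.pem

# Confirm the SAN made it into the issued cert (many TLS clients ignore the
# CN and require a SAN) and that it verifies via root + intermediate.
openssl x509 -in intermediate/certs/veos.lab.lan.cert.pem -noout -text \
  | grep -A1 'Subject Alternative Name'
openssl verify -CAfile certs/ca.cert.pem \
  -untrusted intermediate/certs/intermediate.cert.pem \
  intermediate/certs/veos.lab.lan.cert.pem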

Client

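# --- Client certificates (eAPI client-cert auth) -------------------------
# NOTE(review): the file names read `[email protected]` on this page, which
# looks like the page's e-mail obfuscation rewrote `<user>@<domain>`-style
# names. Key, CSR and cert files must be distinct paths — check the real
# names in your directory before reusing these lines.
#
# The client key IS the credential: whoever holds it is that CN to the
# device until the cert expires or is revoked (see the CRL section).
# Presumably the CN is what the device maps to a user account — verify
# against the eAPI cert-auth docs; not shown here.
cd /root/ca || exit 1

# issue_client_cert KEY CSR CERT CN
#   Generate a 2048-bit key at KEY (mode 0400), a CSR at CSR with subject
#   /CN=CN, and have the intermediate CA sign it into CERT using the
#   usr_cert extensions from intermediate/openssl.cnf (expected to carry
#   extendedKeyUsage clientAuth — confirm there). `-days` was dropped from
#   `req -new`: without -x509 it is ignored; validity is set by `openssl ca`.
issue_client_cert() {
  local key=$1 csr=$2 cert=$3 cn=$4
  umask 077
  openssl genrsa -out "$key" 2048
  chmod 400 "$key"
  openssl req -new -sha256 \
    -key "$key" \
    -out "$csr" \
    -subj "/CN=${cn}"
  openssl ca -config intermediate/openssl.cnf \
    -extensions usr_cert -days 375 -notext -md sha256 \
    -in "$csr" \
    -out "$cert"
}

issue_client_cert \
  intermediate/private/[email protected] \
  intermediate/csr/[email protected] \
  intermediate/certs/[email protected] \
  admin

issue_client_cert \
  intermediate/private/[email protected] \
  intermediate/csr/[email protected] \
  intermediate/certs/[email protected] \
  bob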

CRL

Generate

# Produce a fresh CRL from each CA's database. The CRL's nextUpdate comes
# from default_crl_days in the respective config (not shown here); after
# that date the CRL is stale and must be regenerated and redeployed.
root_cfg=openssl.cnf
int_cfg=intermediate/openssl.cnf

# Root CA CRL (would list a revoked intermediate).
openssl ca -config "$root_cfg" -gencrl -out crl/ca.crl.pem

# Intermediate CA CRL (lists revoked server/client certs; this is the one
# that gets copied to the device).
openssl ca -config "$int_cfg" -gencrl -out intermediate/crl/intermediate.crl.pem

Verify

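# Inspect the CRL: issuer, lastUpdate/nextUpdate and the revoked serials.
openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text

# Also check its signature against the issuing intermediate before shipping
# it; a CRL the device cannot verify gives no protection at all.
openssl crl -in intermediate/crl/intermediate.crl.pem -noout \
  -CAfile intermediate/certs/intermediate.cert.pem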

Deploy

# Push the CRL to the switch. The CRL is public data protected by its own
# signature, so the transport only has to be reliable — still verify the
# host key of veos1 on first connect rather than accepting it blindly.
# (The `[email protected]` target looks like an obfuscated `<user>@veos1`.)
$ scp intermediate/crl/intermediate.crl.pem  \
  [email protected]:/mnt/flash
$ ssh veos1
# EOS CLI: move the file from flash: into the certificate: store,
# presumably where eAPI looks for CRLs — verify against the EOS docs, and
# check how a CRL past its nextUpdate is treated (fail open vs. closed).
veos1#copy flash:intermediate.crl.pem certificate:

Revoke

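# Revoke bob's certificate: marks its serial revoked in the intermediate
# CA's index.txt. Optionally add `-crl_reason keyCompromise` (or another
# reason) when it is known. Path name is obfuscated on this page, see the
# client section.
openssl ca -config intermediate/openssl.cnf \
  -revoke intermediate/certs/[email protected]

# Revocation is only published once a new CRL is generated ...
openssl ca -config intermediate/openssl.cnf \
  -gencrl -out intermediate/crl/intermediate.crl.pem

# ... so confirm the serial now appears in it. Nothing changes on the
# device until this CRL is copied over again.
openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text \
  | grep -A3 'Revoked Certificates'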

Re-deploy

# Same steps as the first deploy: the revocation takes effect on the
# device only after the regenerated CRL replaces the old one here.
$ scp intermediate/crl/intermediate.crl.pem  \
  [email protected]:/mnt/flash
$ ssh veos1
# Overwrites the previous copy in certificate:; afterwards bob's cert
# should be rejected for eAPI auth (presumably — confirm on the device).
veos1#copy flash:intermediate.crl.pem certificate: