Skip to content

Instantly share code, notes, and snippets.

@variadico

variadico/ocsp-tls.sh

Last active April 28, 2021 02:47
Show Gist options
  • Save variadico/cd19835477648ba16444ffc692eaee24 to your computer and use it in GitHub Desktop.
Save variadico/cd19835477648ba16444ffc692eaee24 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ocsp-tls.sh
#!/usr/bin/env bash
set -exuo pipefail
# Create a private key for a CA.
# genrsa :: create an RSA private key
# -out :: the output filename
# 4096 :: size of the private key
openssl genrsa -out ca-key.pem 4096
# Create a self-signed certificate for a CA.
# req :: create and process certificate requests (and self-signed)
# -x509 :: creates a self-signed certificate, instead of certificate request
# -key :: a private key in PEM
# -out :: the output filename
# -config :: config to use instead of OS config
openssl req -x509 -key ca-key.pem -out ca-cert.pem \
-config <(echo "
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
[ req_distinguished_name ]
C = US
ST = California
L = San Francisco
O = Example CA
OU = IT
CN = ca.example
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
")
# Create a private key for an end-user.
# genrsa :: create an RSA private key
# -out :: the output filename
# 4096 :: size of the private key
openssl genrsa -out user-key.pem 4096
# Create a certificate (signing) request.
# req :: create and process certificate requests (and self-signed)
# -new :: create a certificate request
# -key :: a private key in PEM
# -out :: the output filename
# -config :: config to use instead of OS config
openssl req -new -key user-key.pem -out user-csr.pem \
-config <(echo "
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
string_mask = utf8only
utf8 = yes
[ req_distinguished_name ]
C = US
ST = California
L = San Francisco
O = Example Widgets Ltd
OU = IT
CN = localhost
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = example.localhost
")
# Create files and directories we're going to reference when the CA signs the
# certificate request from above.
mkdir --parents ./demoCA/newcerts
rm -f demoCA/index.txt
touch demoCA/index.txt
echo "01" > demoCA/serial
# ca :: signs certificate requests, also maintains status database
# -keyfile :: CA's private key
# -cert :: CA's certificate
# -infiles :: the certificate (signing) request
# -batch :: enable non-interactive mode
# -out :: the end-user certificate
# -config :: config to use instead of OS config (FLAG ORDER MATTERS)
openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem \
-config <(echo "
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./demoCA
database = ./demoCA/index.txt
new_certs_dir = ./demoCA/newcerts
serial = ./demoCA/serial
default_md = default
policy = policy_anything
x509_extensions = ext_ca
default_days = 90
copy_extensions = copy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ ext_ca ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
authorityInfoAccess = OCSP;URI:http://127.0.0.1:8888
tlsfeature = status_request
") \
-out user-cert.pem -infiles user-csr.pem
echo "OK"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment