
PKI

Setup

Create `openssl.conf` with the following contents:

openssl.conf
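# openssl.conf -- shared by `openssl req` (CSRs and self-signed certs, see
# mkreq / mkself) and by `openssl ca`.
#
# The keys above the first [ section ] live in OpenSSL's unnamed default
# section. OpenSSL falls back to that section when a lookup in the tool's own
# section ([ req ], [ CA_default ]) misses, so one set of keys serves both
# tools. The DN and extension sections are chosen per invocation through the
# DN and EXTENSIONS environment variables; OpenSSL refuses to load the file if
# either variable is unset.
distinguished_name  = $ENV::DN
# Honoured by `openssl req` only together with -x509 (self-signed output), and
# by `openssl ca` when signing. A plain CSR does not carry these extensions
# unless req_extensions is set as well.
x509_extensions     = $ENV::EXTENSIONS

# Permitted ASN.1 string types for DN attributes. nombstr allows
# PrintableString and T61String only; the modern OpenSSL default is utf8only,
# which is the better choice if any DN value may contain non-ASCII characters.
string_mask = nombstr
# Take DN values from the selected [ *_dn ] section instead of prompting.
prompt      = no

# RSA modulus size in bits, used when -newkey names no size (e.g. `-newkey rsa`).
# Scripts that pass `-newkey rsa:N` on the command line override this value;
# keep N and this value in sync (the original author noted a req bug as the
# reason for specifying both). 2048 is the current minimum for TLS.
default_bits      = 2048
# Signature digest for requests and certificates.
default_md        = sha256

[ ca ]
default_ca    = CA_default    # The default ca section

[ CA_default ]
# Issued-certificate index; mandatory and must exist (may be empty) before the
# first `openssl ca` run.
database      = index.txt
# Text file holding the next serial number in hex.
serial        = serial
# NOTE(review): new_certs_dir, certificate, private_key and default_days are not
# set here, so the signing step (not shown on this page) must supply them on
# the command line (-outdir, -cert, -keyfile, -days) or `openssl ca` will fail.

# Several valid entries may share a subject, so a new certificate for the same
# FQDN can be issued while the previous one is still valid.
unique_subject  = no
# Strip the EMAIL attribute from the issued certificate's DN.
email_in_dn     = no
# DN attribute order follows the policy section, not the request.
preserve        = no
name_opt        = ca_default  # Subject name display option
cert_opt        = ca_default  # Certificate display option

policy          = ca_policy   # Policy section

# `supplied`: the attribute must be present in the request and is copied as-is.
# No attribute uses `match`, so requests are not forced to repeat the CA's
# own country/organisation values.
[ ca_policy ]
countryName             = supplied
stateOrProvinceName     = supplied
localityName            = supplied
organizationName        = supplied
organizationalUnitName  = supplied
commonName              = supplied

# Extensions for the CA certificate itself (EXTENSIONS=ca_extensions).
[ ca_extensions ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true
keyUsage                = cRLSign, keyCertSign
# Critical: leaf certificates under this CA may only carry DNS names ending in
# .hexadust.net. With the leading dot OpenSSL requires at least one label in
# front, so the apex name hexadust.net itself is not issuable; drop the dot if
# it must be. Only dNSName is constrained -- iPAddress, email and URI names are
# not restricted by this line, so add permitted/excluded entries for those
# types if the CA must never issue them.
nameConstraints         = critical,permitted;DNS:.hexadust.net

# Extensions for server (leaf) certificates (EXTENSIONS=cert_extensions).
[ cert_extensions ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
# 1.3.6.1.5.5.8.2.2 appears to be the IKE-intermediate EKU used by IPsec/VPN
# clients; remove it if these certificates are for TLS only.
extendedKeyUsage        = serverAuth, 1.3.6.1.5.5.8.2.2
# Modern TLS clients match the SAN and ignore commonName; FQDN must fall within
# the CA's nameConstraints when signed by the CA above.
subjectAltName          = DNS:$ENV::FQDN
# Legacy Netscape extensions; ignored by current clients but harmless.
nsCertType              = server
nsComment               = "JPSHxD Internal Certificate"

# Subject for the CA certificate (DN=ca_dn). The `0.` prefix is OpenSSL's way of
# allowing an attribute type to appear more than once in a section.
[ ca_dn ]
countryName             = IE
stateOrProvinceName     = Dublin
localityName            = Dublin
0.organizationName      = JPHexa SoftwareDust
organizationalUnitName  = Ops
commonName              = "JPSHxD Internal Certification Authority"

# Subject for server certificates (DN=cert_dn); commonName comes from the
# FQDN environment variable set by mkreq / mkself.
[ cert_dn ]
countryName             = IE
stateOrProvinceName     = Dublin
localityName            = Dublin
0.organizationName      = hexadust.net
organizationalUnitName  = Ops
commonName              = $ENV::FQDN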

Create the certs directory:

mkdir certs

Certificate request (unencrypted key)

mkreq
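#!/bin/sh
# mkreq FQDN -- generate an RSA key pair and a certificate signing request.
#
# Writes certs/FQDN.key (unencrypted, because of -nodes) and certs/FQDN.csr.
# DN and EXTENSIONS select the [ cert_dn ] / [ cert_extensions ] sections of
# openssl.conf through its $ENV:: lookups; openssl fails to load the config if
# either variable is unset. Note that x509_extensions only takes effect with
# -x509, so EXTENSIONS does not change the CSR itself -- it is presumably
# consumed again when the CA signs with the same config file.
set -eu

# Refuse to run without a hostname; otherwise the files would be written as
# certs/.key and certs/.csr with an empty commonName and SAN.
if [ $# -ne 1 ] || [ -z "$1" ]; then
	echo "usage: $0 FQDN" >&2
	exit 64
fi

export FQDN="$1"
export DN=cert_dn
export EXTENSIONS=cert_extensions

# -days is meaningful only together with -x509; for a CSR the validity period
# is decided by the signing CA, so no -days is passed here.
# The key size is given explicitly (see the default_bits comment in
# openssl.conf). The private key is written unencrypted; OpenSSL >= 1.1
# normally creates it with mode 0600 -- confirm on the target platform and keep
# certs/ out of shared or world-readable locations.
openssl req \
	-nodes \
	-new -newkey rsa:2048 \
	-keyout "certs/$FQDN.key" -out "certs/$FQDN.csr" \
	-config openssl.conf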

Self-signed certificate (unencrypted key)

mkself
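#!/bin/sh
# mkself FQDN -- generate an RSA key pair and a self-signed server certificate.
#
# Writes certs/FQDN.key (unencrypted, because of -nodes) and certs/FQDN.pem.
# DN and EXTENSIONS select the [ cert_dn ] / [ cert_extensions ] sections of
# openssl.conf through its $ENV:: lookups; openssl fails to load the config if
# either variable is unset. Because -x509 is used, the cert_extensions section
# (CA:FALSE, serverAuth, SAN=FQDN) is embedded in the resulting certificate.
set -eu

# Refuse to run without a hostname; otherwise the files would be written as
# certs/.key and certs/.pem with an empty commonName and SAN.
if [ $# -ne 1 ] || [ -z "$1" ]; then
	echo "usage: $0 FQDN" >&2
	exit 64
fi

export FQDN="$1"
export DN=cert_dn
export EXTENSIONS=cert_extensions

# -days 7120 is roughly 19.5 years. Many TLS clients cap the server-certificate
# lifetimes they accept (Apple platforms reject more than 825 days regardless of
# issuer), so shorten this if browsers or mobile devices will connect.
# The key size is given explicitly so that it matches mkreq rather than relying
# on default_bits in openssl.conf. The private key is written unencrypted;
# OpenSSL >= 1.1 normally creates it with mode 0600 -- confirm on the target
# platform and keep certs/ out of shared or world-readable locations.
openssl req -x509 \
	-days 7120 \
	-nodes \
	-new -newkey rsa:2048 \
	-keyout "certs/$FQDN.key" -out "certs/$FQDN.pem" \
	-config openssl.conf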