Browse Source

add certificate generation script + openssl configs

master
Christian Ulrich 2 years ago
parent
commit
1e290ac350
No known key found for this signature in database GPG Key ID: 8241BE099775A097
  1. 49
      certs/certificates.sh
  2. 13
      certs/openssl-client.cnf
  3. 13
      certs/openssl-server.cnf

49
certs/certificates.sh

@ -0,0 +1,49 @@
#!/bin/sh
# create CA keys and certificates
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \
-addext "keyUsage = keyCertSign" \
-keyout server-ca.key -out server-ca.crt
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \
-addext "keyUsage = keyCertSign" \
-keyout client-ca.key -out client-ca.crt
# create keys and CSRs
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \
-addext "subjectAltName = DNS:localhost" \
-addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \
-keyout server-cert.key -out server-cert.csr
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \
-addext "subjectAltName = DNS:localhost" \
-addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \
-keyout client-cert.key -out client-cert.csr
# sign certificate
openssl x509 -req -extensions v3_req --extfile openssl-server.cnf -CAcreateserial \
-days 1825 \
-CA server-ca.crt -CAkey server-ca.key \
-in server-cert.csr -out server-cert.crt
openssl x509 -req -extensions v3_req --extfile openssl-client.cnf -CAcreateserial \
-days 1825 \
-CA client-ca.crt -CAkey client-ca.key \
-in client-cert.csr -out client-cert.crt
cat server-cert.crt > server-certchain.pem
cat server-ca.crt >> server-certchain.pem
cat client-cert.crt > client-certchain.pem
cat client-ca.crt >> client-certchain.pem
## converte to pkcs8
#openssl pkcs8 -topk8 -nocrypt -in client-cert.key -out client-cert.key.pkcs8
#openssl pkcs8 -topk8 -nocrypt -in server-cert.key -out server-cert.key.pkcs8
## read certificate contents
#openssl x509 -text -noout -in client-cert.crt
#openssl x509 -text -noout -in server-cert.crt

13
certs/openssl-client.cnf

@ -0,0 +1,13 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
CN = localhost
[v3_req]
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost

13
certs/openssl-server.cnf

@ -0,0 +1,13 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
CN = localhost
[v3_req]
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Loading…
Cancel
Save