View Single Post
  #2  
Old 29th April 2009, 11:34
tebokkel tebokkel is offline
Member
 
Join Date: Feb 2007
Location: The Netherlands
Posts: 96
Thanks: 0
Thanked 9 Times in 9 Posts
Default

I use this for self-signed certificates.
Alternative: get identified by CACert and get certificates there.

(not: accidently I used cacert as name for my own CA, it's the CA certificate after all.. )

Code:
pizza CA # ls -l
total 64
-r-------- 1 root root 1513 Jul 29  2007 cacert.pem
-rw-r--r-- 1 root root 2800 Dec 13 13:50 cert.pem
-rw-r--r-- 1 root root  239 Dec 13 13:50 index.txt
-rw-r--r-- 1 root root   20 Dec 13 13:50 index.txt.attr
-rw-r--r-- 1 root root   21 Jul 29  2007 index.txt.attr.old
-rw-r--r-- 1 root root  117 Jul 29  2007 index.txt.old
-rwxr-xr-x 1 root root  237 Jul 29  2007 makeCSR.sh
drwxr-xr-x 2 root root 4096 Dec 13 13:50 newcerts
-rw-r--r-- 1 root root 2075 Jul 29  2007 openssl.cnf
dr-x------ 2 root root 4096 Nov 13 16:32 private
drwxr-xr-x 2 root root 4096 Dec 13 13:50 public
-rwxr-xr-x 1 root root  358 Jul 29  2007 renew.sh
drwxr-xr-x 2 root root 4096 Nov 13 16:32 requests
-rw-r--r-- 1 root root    3 Dec 13 13:50 serial
-rw-r--r-- 1 root root    3 Jul 29  2007 serial.old
-rwxr-xr-x 1 root root  426 Jul 29  2007 signCSR.sh

pizza CA # cat openssl.cnf 
# 
# OpenSSL configuration file. 
#
#
# Establish working directory. 
dir = . 

[ ca ] 
default_ca = CA_default 

[ CA_default ] 
serial = $dir/serial 
database = $dir/index.txt 
new_certs_dir = $dir/newcerts 
certificate = $dir/cacert.pem 
private_key = $dir/private/cakey.pem 
default_days = 365 
default_md = md5 
preserve = no 
email_in_dn = no 
nameopt = default_ca 
certopt = default_ca 
policy = policy_match 

[ policy_match ] 
countryName = match 
stateOrProvinceName = match 
organizationName = match 
organizationalUnitName = optional 
commonName = supplied 
emailAddress = optional 

[ req ] 
default_bits = 1024 # Size of keys 
default_keyfile = key.pem # name of generated keys 
default_md = md5 # message digest algorithm 
string_mask = nombstr # permitted characters 
distinguished_name = req_distinguished_name 

[ req_distinguished_name ] 
# Variable name   Prompt string 
#----------------------   ---------------------------------- 
0.organizationName = Organization Name (company) 
organizationalUnitName = Organizational Unit Name (department, division) 
emailAddress = Email Address 
emailAddress_max = 40 
localityName = Locality Name (city, district) 
stateOrProvinceName = State or Province Name (full name) 
countryName = Country Name (2 letter code) 
countryName_min = 2 
countryName_max = 2 
commonName = Common Name (hostname, IP, or your name) 
commonName_max = 64 

# Default values for the above, for consistency and less typing. 
# Variable name   Value 
#------------------------------   ------------------------------ 
0.organizationName_default = Ingenieursbureau Te Bokkel
organizationalUnitName_default = System Administration
localityName_default = Apeldoorn
stateOrProvinceName_default = Gelderland
countryName_default = NL
emailAddress_default = hostmaster@tebokkel.com

[ v3_ca ] 
basicConstraints = CA:TRUE 
subjectKeyIdentifier = hash 
authorityKeyIdentifier = keyid:always,issuer:always 

[ v3_req ] 
basicConstraints = CA:FALSE 
subjectKeyIdentifier = hash 
distinguished_name = req_distinguished_name 
req_extensions = v3_req 


pizza CA # cat makeCSR.sh 
#!/bin/sh
# see http://www.debian-administration.org/articles/284

if [ "$1" -a -z "$2" ]; then
        openssl req -new -nodes -keyout private/$1.key -out requests/$1.csr -config ./openssl.cnf
else
        echo "Usage: $0 host.domain.tld"
        exit 1
fi


pizza CA # cat signCSR.sh 
#!/bin/sh
# see http://www.debian-administration.org/articles/284

if [ "$1" -a -r "requests/$1.csr" ]; then
        openssl ca -out cert.pem -config ./openssl.cnf -infiles requests/$1.csr
        if [ $? -eq 0 ]; then
                openssl x509 -in cert.pem -out public/$1.crt.pem 
                echo "Succesfull! Please take private/$1.key.pem and public/$1.crt.pem"
        fi
else
        echo "Usage: $0 host.domain.tld"
        echo "(CSR should exist in requests directory)"
fi


pizza CA # cat renew.sh 
#!/bin/sh

if [ "$1" -a -r "public/$1.crt.pem" ]; then
        openssl ca -revoke public/$1.crt.pem -config ./openssl.cnf
        if [ $? -eq 0 ]; then
                echo
                echo "Revoked, now signing a new certificate!"
                echo
                ./signCSR.sh $@
        else
                echo "Revocation failed. Aborting.."
                exit 1
        fi
else
        echo "Usage: $0 host.domain.tld for which a certificate exists"
        exit 1
fi
pizza CA #
Reply With Quote