
This project forked from ordenull/certificate-authority


License: Apache License 2.0


certificate-authority

Overview

A tool for creating and managing a functioning intranet certificate authority. Designed to live in a small encrypted file container.

Usage

Use data/globals.sh-sample as a template to create data/globals.sh:

# Private Key Length
BITS=2048

# Nickname will be the CN of the certificate
NICKNAME="Widgets Incorporated Root CA"

# Organization or company name
ORGANIZATION="Widgets Incorporated"

# Country code
COUNTRY="US"

# CA certificate URL (optional, comment out if not used)
CRT_URL="pki.widgets.com/root.crt"

# Certificate revocation list URL (optional, comment out if not used)
CRL_URL="pki.widgets.com/root.crl"

Generate the CA key, certificate and other data:

./authority-generate.sh

The '/media/crypt/data/private/random_seed' is missing, making a new one
Generating an openssl configuration file in /media/crypt/data/generated.cnf
Generating a 2048 bit private RSA key
Generating a self signed certificate with for Widgets Incorporated Root CA
The CA serial number tracker is missing, a new one will be generated.
The CA revocation number tracker is missing, a new one will be generated.
The CA index is missing, a new one will be generated.
All done, you can now distribute '/media/crypt/data/Widgets Incorporated Root CA.crt' to your users

Generate a certificate for one of your servers:

./request-generate.sh ilo.example.com
Generating a 2048 bit private key
Generating a certificate signing request
Generated CSR with the filename '/media/crypt/data/ilo.example.com/ilo.example.com.csr'
If you now wish to sign it, use:
No aliases:          ./request-sign.sh ilo.example.com
Web server alias:    ./request-sign.sh ilo.example.com www.ilo.example.com
Wildcard:            ./request-sign.sh ilo.example.com *.ilo.example.com

Sign the request with the certificate authority:

./request-sign.sh ilo.example.com *.ilo.example.com
Generating a /media/crypt/data/conf/usr_cert.cnf openssl config file
Including DNS alias: *.ilo.example.com
Generating an openssl configuration file in /media/crypt/data/generated.cnf
Using configuration from /media/crypt/data/generated.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 223195403517952 (0xcafebabe0000)
        Validity
            Not Before: Sep 14 21:14:08 2013 GMT
            Not After : Sep 14 21:14:08 2014 GMT
        Subject:
            countryName               = US
            organizationName          = Widgets Incorporated
            commonName                = ilo.example.com
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:ilo.example.com, DNS:*.ilo.example.com
            Authority Information Access: 
                CA Issuers - URI:pki.widgets.com/root.crt

            X509v3 Subject Key Identifier: 
                C7:4A:A1:EB:D1:43:56:28:DB:EA:DF:DC:AA:90:97:33:23:73:7B:70
            X509v3 Authority Key Identifier: 
                keyid:0F:B1:D0:2E:A5:52:F8:FE:75:32:B2:9F:AE:33:A1:4C:6B:37:3B:A2

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:pki.widgets.com/root.crl

            X509v3 Basic Constraints: 
                CA:FALSE
Certificate is to be certified until Sep 14 21:14:08 2014 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
Signed a certificate with the filename '/media/crypt/data/ilo.example.com/ilo.example.com.crt'

Tips

Keep your private keys private. Save them on encrypted storage such as TrueCrypt, or keep them on a machine that is isolated from the network with reasonable physical security.

Copyright and License

Copyright (C) 2013 Stan Borbat

Stan Borbat can be contacted at: [email protected]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

History

  • 2017-11-20 ... -im- ... support for DNS and IP aliases in CSR - simply add aliases as parameters to request-generate.sh
  • 2017-08-10 ... -im- ... support for IP aliases - start alias parameter with IP: prefix
  • 2013-09-04 ... -on- ... initial
