Improve example CA setup

The example CA now has two levels, a root CA and a sub CA, which is more realistic.

Setup script and ca.cnf has been changed to create a root CA and a sub CA
that is signed by the root CA. The sub CA is used for signing the end entity
certificates. Example CA directory has been changed to example_ca for better
readability.
Jan Dittberner 2020-12-05 19:48:34 +01:00
parent 1f8c44689e
commit a960a60ecd
3 changed files with 115 additions and 23 deletions

.gitignore vendored

@ -2,6 +2,6 @@
.*.swp .*.swp
/translate.*.toml /translate.*.toml
/.idea/ /.idea/
/exampleca/ /example_ca/
/node_modules/ /node_modules/
/public/ /public/

ca.cnf

@ -3,22 +3,54 @@ extensions = v3_ext
[ca] [ca]
default_ca = EXAMPLECA default_ca = EXAMPLECA
[EXAMPLECA] [rootca]
dir = ./exampleca dir = ./example_ca/root
certs = $dir/certs certs = $dir/certs
crl_dir = $dir/crl crl_dir = $dir/crl
database = $dir/index.txt database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial serial = $dir/serial
new_certs_dir = $dir/newcerts
crl = $dir/crl.pem crl = $dir/crl.pem
certificate = $dir/ca.crt.pem certificate = $dir/ca.crt.pem
private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand
policy = policy_any
unique_subject = no
email_in_dn = no
copy_extensions = none
default_md = sha256
default_days = 1825
default_crl_days = 30
[EXAMPLECA]
dir = ./example_ca/sub
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
serial = $dir/serial serial = $dir/serial
new_certs_dir = $dir/newcerts
crl = $dir/crl.pem crl = $dir/crl.pem
certificate = $dir/ca.crt.pem
private_key = $dir/private/ca.key.pem private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand RANDFILE = $dir/private/.rand
unique_subject = no unique_subject = no
email_in_dn = no email_in_dn = no
default_md = sha256 default_md = sha256
default_days = 365
default_crl_days = 30
[policy_any]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[policy_match] [policy_match]
commonName = supplied commonName = supplied
@ -29,3 +61,35 @@ keyUsage = keyEncipherment,digitalSignature,nonRepudiation
extendedKeyUsage = clientAuth,emailProtection extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always authorityKeyIdentifier = keyid:always,issuer:always
[req]
default_bits = 3072
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = root_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CH
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
[req_attributes]
[root_ca]
basicConstraints = critical,CA:true,pathlen:1
subjectKeyIdentifier = hash
[sub_ca]
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
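Review bot: Neither the new `[root_ca]` nor `[sub_ca]` extension section sets a keyUsage, so both CA certificates are issued without the keyCertSign/cRLSign bits that RFC 5280 expects on a CA certificate and that strict validators check; add `keyUsage = critical,keyCertSign,cRLSign` to both sections. The sub CA section `[EXAMPLECA]` on the new side shows no `policy` entry while `[rootca]` has `policy = policy_any`; if it is not supplied from elsewhere in the file, `openssl ca` will refuse to sign end-entity requests, so either add one or put a comment above the section stating which policy applies. Both hunks' enclosing context (the top of the file referenced as `extensions = v3_ext` and the `[policy_match]`/v3_ext sections) lies outside the visible lines.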


@ -1,11 +1,39 @@
#!/bin/sh #!/bin/sh
if [ ! -d "exampleca" ]; then set -eu
mkdir -p exampleca/newcerts
touch exampleca/index.txt COUNTRY_CODE=CH
ORGANIZATION="Acme Ltd."
if [ ! -d "example_ca" ]; then
mkdir -p example_ca/root/newcerts example_ca/sub/newcerts
touch example_ca/root/index.txt example_ca/sub/index.txt
umask 077 umask 077
mkdir exampleca/private mkdir example_ca/root/private example_ca/sub/private
openssl req -new -x509 -keyout exampleca/private/ca.key.pem -out exampleca/ca.crt.pem -days 3650 \ openssl req -new -x509 \
-subj "/CN=Example CA" -nodes -newkey rsa:3072 -addext "basicConstraints=critical,CA:true,pathlen:0" -config ca.cnf \
chmod +r exampleca/ca.crt.pem -keyout example_ca/root/private/ca.key.pem \
-newkey rsa:3072 \
-nodes \
-subj "/CN=Example Root CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
-utf8 \
-days 3650 \
-out example_ca/root/ca.crt.pem
chmod +r example_ca/root/ca.crt.pem
openssl req -new \
-config ca.cnf \
-keyout example_ca/sub/private/ca.key.pem \
-newkey rsa:3072 \
-nodes \
-subj "/CN=Example Sub CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
-utf8 \
-out example_ca/sub/ca.csr.pem
openssl ca \
-config ca.cnf \
-name rootca \
-in example_ca/sub/ca.csr.pem \
-extensions sub_ca \
-out example_ca/sub/ca.crt.pem \
-create_serial \
-batch
fi fi
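Review bot: The sub CA certificate written by `openssl ca ... -out example_ca/sub/ca.crt.pem` is created after `umask 077`, so it ends up owner-only readable, unlike the root certificate which explicitly gets `chmod +r example_ca/root/ca.crt.pem`; since the sub CA certificate is the one that has to be shipped with issued certificates, add `chmod +r example_ca/sub/ca.crt.pem` after the `openssl ca` call. The sub CA section in ca.cnf points at `$dir/serial`, but only the root's serial file is created here via `-create_serial`; if the end-entity signing step elsewhere does not pass `-create_serial`, the sub CA's first signing will fail, so either create the serial file here or state the expectation in a comment. A one-line comment such as `# keys are unencrypted (-nodes): throwaway example CA only` above the key generation would document why the private keys have no passphrase.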