Improve example CA setup
The example CA now has more realistic 2 levels with a root CA and a sub CA. Setup script and ca.cnf has been changed to create a root CA and a sub CA that is signed by the root CA. The sub CA is used for signing the end entity certificates. Example CA directory has been changed to example_ca for better readability.
This commit is contained in:
parent
1f8c44689e
commit
a960a60ecd
3 changed files with 115 additions and 23 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
|
@ -2,6 +2,6 @@
|
|||
.*.swp
|
||||
/translate.*.toml
|
||||
/.idea/
|
||||
/exampleca/
|
||||
/example_ca/
|
||||
/node_modules/
|
||||
/public/
|
||||
|
|
|
|||
94
ca.cnf
94
ca.cnf
|
|
@ -3,22 +3,54 @@ extensions = v3_ext
|
|||
[ca]
|
||||
default_ca = EXAMPLECA
|
||||
|
||||
[rootca]
|
||||
dir = ./example_ca/root
|
||||
certs = $dir/certs
|
||||
crl_dir = $dir/crl
|
||||
database = $dir/index.txt
|
||||
serial = $dir/serial
|
||||
new_certs_dir = $dir/newcerts
|
||||
|
||||
crl = $dir/crl.pem
|
||||
certificate = $dir/ca.crt.pem
|
||||
private_key = $dir/private/ca.key.pem
|
||||
RANDFILE = $dir/private/.rand
|
||||
|
||||
policy = policy_any
|
||||
unique_subject = no
|
||||
email_in_dn = no
|
||||
copy_extensions = none
|
||||
|
||||
default_md = sha256
|
||||
default_days = 1825
|
||||
default_crl_days = 30
|
||||
|
||||
[EXAMPLECA]
|
||||
dir = ./exampleca
|
||||
certs = $dir/certs
|
||||
crl_dir = $dir/crl
|
||||
database = $dir/index.txt
|
||||
new_certs_dir = $dir/newcerts
|
||||
serial = $dir/serial
|
||||
crl = $dir/crl.pem
|
||||
certificate = $dir/ca.crt.pem
|
||||
serial = $dir/serial
|
||||
crl = $dir/crl.pem
|
||||
private_key = $dir/private/ca.key.pem
|
||||
RANDFILE = $dir/private/.rand
|
||||
unique_subject = no
|
||||
email_in_dn = no
|
||||
default_md = sha256
|
||||
dir = ./example_ca/sub
|
||||
certs = $dir/certs
|
||||
crl_dir = $dir/crl
|
||||
database = $dir/index.txt
|
||||
serial = $dir/serial
|
||||
new_certs_dir = $dir/newcerts
|
||||
|
||||
crl = $dir/crl.pem
|
||||
certificate = $dir/ca.crt.pem
|
||||
private_key = $dir/private/ca.key.pem
|
||||
RANDFILE = $dir/private/.rand
|
||||
unique_subject = no
|
||||
email_in_dn = no
|
||||
|
||||
default_md = sha256
|
||||
default_days = 365
|
||||
default_crl_days = 30
|
||||
|
||||
[policy_any]
|
||||
countryName = match
|
||||
stateOrProvinceName = optional
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
|
||||
[policy_match]
|
||||
commonName = supplied
|
||||
|
|
@ -29,3 +61,35 @@ keyUsage = keyEncipherment,digitalSignature,nonRepudiation
|
|||
extendedKeyUsage = clientAuth,emailProtection
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer:always
|
||||
|
||||
[req]
|
||||
default_bits = 3072
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = root_ca
|
||||
|
||||
[req_distinguished_name]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = CH
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
|
||||
organizationName = Organization Name (eg, company)
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
|
||||
commonName = Common Name (e.g. server FQDN or YOUR name)
|
||||
commonName_max = 64
|
||||
|
||||
[req_attributes]
|
||||
|
||||
[root_ca]
|
||||
basicConstraints = critical,CA:true,pathlen:1
|
||||
subjectKeyIdentifier = hash
|
||||
|
||||
[sub_ca]
|
||||
basicConstraints = critical,CA:true,pathlen:0
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer:always
|
||||
|
|
@ -1,11 +1,39 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ ! -d "exampleca" ]; then
|
||||
mkdir -p exampleca/newcerts
|
||||
touch exampleca/index.txt
|
||||
set -eu
|
||||
|
||||
COUNTRY_CODE=CH
|
||||
ORGANIZATION="Acme Ltd."
|
||||
|
||||
if [ ! -d "example_ca" ]; then
|
||||
mkdir -p example_ca/root/newcerts example_ca/sub/newcerts
|
||||
touch example_ca/root/index.txt example_ca/sub/index.txt
|
||||
umask 077
|
||||
mkdir exampleca/private
|
||||
openssl req -new -x509 -keyout exampleca/private/ca.key.pem -out exampleca/ca.crt.pem -days 3650 \
|
||||
-subj "/CN=Example CA" -nodes -newkey rsa:3072 -addext "basicConstraints=critical,CA:true,pathlen:0"
|
||||
chmod +r exampleca/ca.crt.pem
|
||||
mkdir example_ca/root/private example_ca/sub/private
|
||||
openssl req -new -x509 \
|
||||
-config ca.cnf \
|
||||
-keyout example_ca/root/private/ca.key.pem \
|
||||
-newkey rsa:3072 \
|
||||
-nodes \
|
||||
-subj "/CN=Example Root CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
|
||||
-utf8 \
|
||||
-days 3650 \
|
||||
-out example_ca/root/ca.crt.pem
|
||||
chmod +r example_ca/root/ca.crt.pem
|
||||
openssl req -new \
|
||||
-config ca.cnf \
|
||||
-keyout example_ca/sub/private/ca.key.pem \
|
||||
-newkey rsa:3072 \
|
||||
-nodes \
|
||||
-subj "/CN=Example Sub CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
|
||||
-utf8 \
|
||||
-out example_ca/sub/ca.csr.pem
|
||||
openssl ca \
|
||||
-config ca.cnf \
|
||||
-name rootca \
|
||||
-in example_ca/sub/ca.csr.pem \
|
||||
-extensions sub_ca \
|
||||
-out example_ca/sub/ca.crt.pem \
|
||||
-create_serial \
|
||||
-batch
|
||||
fi
|
||||
Reference in a new issue