diff --git a/README b/README
index f03f259..6a2e766 100644
--- a/README
+++ b/README
@@ -3,3 +3,8 @@ This directory contains various OpenSSL configuration examples and scripts. Configuration files: - rootca.conf - Example root CA configuration
+- rootreq.conf - Example signing request configuration
+
+Scripts:
+
+- createca.sh - Script for creating a CA
diff --git a/createca.sh b/createca.sh
new file mode 100644
index 0000000..72fa9e1
--- /dev/null
+++ b/createca.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+ echo "Usage: $1 "
+ exit 1
+}
+
+if [ $# -lt 3 ]; then
+ usage $0
+fi
+
+if [ ! -f "$2" ]; then
+ echo "$2 is no file."
+ usage $0
+fi
+REQCONF="$2"
+
+if [ ! -f "$3" ]; then
+ echo "$2 is no file."
+ usage $0
+fi
+CACONF="$3"
+
+if [ -d "$1" ]; then
+ echo "$1 does already exist. Please specify a new directory."
+ usage $0
+fi
+CADIR="$1"
+
+mkdir -p "${CADIR}/certs"
+mkdir -p "${CADIR}/crl"
+mkdir -p "${CADIR}/newcerts"
+mkdir -p "${CADIR}/private"
+
+openssl req -new -x509 -config "${REQCONF}" -out "${CADIR}/ca.crt.pem" -keyout "${CADIR}/private/ca.key.pem"
+
+echo "01" > "${CADIR}/serial"
+touch "${CADIR}/index.txt"
diff --git a/rootreq.conf b/rootreq.conf
new file mode 100644
index 0000000..7c11dfd
--- /dev/null
+++ b/rootreq.conf
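Review bot: The second existence check reports the wrong argument: the branch that tests `"$3"` prints `echo "$2 is no file."`, so a missing CA config is blamed on the request config; it should read `echo "$3 is no file."`. The directory that receives the CA private key is created with `mkdir -p "${CADIR}/private"` under the caller's umask, so the key's parent directory can end up world-readable; creating it with `mkdir -p -m 0700 "${CADIR}/private"` (or setting `umask 077` before the `openssl req` call) keeps the key reachable only by its owner. The `openssl req -new -x509` invocation passes no `-days`, so the self-signed CA certificate gets openssl's default validity of 30 days, which is unlikely to be intended for a root CA; add an explicit `-days` value. `CACONF` is validated and assigned but never used in this hunk, and the `Usage:` string ends in a trailing space with no argument names, which looks like placeholders lost in rendering and is worth confirming against the original file.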
@@ -0,0 +1,57 @@
+# Request configuration for CA certificate
+#
+# Author: Jan Dittberner
+# Date: 2011-05-03
+
+RANDFILE = $ENV::HOME/ca/.rnd
+
+extensions = v3_ext
+
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca_ext
+
+# This sets a mask for permitted string types. There are several options.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = DE
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Saxony
+
+localityName = Locality Name (eg, city)
+localityName_default = Example Town
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Example Organization
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Example Lab
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+commonName_default = Example Lab Root CA
+
+emailAddress = Email Address
+emailAddress_max = 64
+emailAddress_default = rootca@example.org
+
+[ v3_ca_ext ]
+basicConstraints = critical, CA:true, pathlen:1
+keyUsage = critical, keyCertSign,cRLSign
+nsComment = "Example Labs Root Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName = email:copy
+authorityInfoAccess = OCSP;URI:http://ocsp.rootca.example.org/
+crlDistributionPoints = URI:http://rootca.example.org/rootca.crl
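Review bot: The top-level `extensions = v3_ext` refers to a section that is not defined anywhere in this file, and `openssl req` takes its extension section from `x509_extensions`/`req_extensions` rather than that key, so the line appears to be dead and should be removed or pointed at `v3_ca_ext`. `string_mask = nombstr` selects the legacy PrintableString/T61String encoding; RFC 5280 expects UTF8String for new certificates, so `string_mask = utf8only` is the safer choice. The `[ req ]` section sets no `default_md`, leaving the signature digest to whatever the installed openssl build defaults to (older releases used SHA-1); pinning `default_md = sha256` makes the output reproducible. For a self-signed root, `authorityKeyIdentifier = keyid:always,issuer:always` embeds the issuer name and serial into the root's own AKI, which can complicate chain building if the root is ever reissued with the same key, so `keyid:always` alone is the usual recommendation; likewise the AIA/CRL URIs in a root's own certificate are rarely consulted by relying parties and may belong in the signing config for issued certificates instead.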