add createca.sh and rootreq.conf

2011-05-03 21:01:18 +02:00 · 2011-05-03 21:01:18 +02:00 · fe0e526dd3
commit fe0e526dd3
parent 4df618e834
3 changed files with 102 additions and 0 deletions
--- a/5
+++ b/5
@ -3,3 +3,8 @@ This directory contains various OpenSSL configuration examples and scripts.
 Configuration files:

 - rootca.conf    - Example root CA configuration
+- rootreq.conf   - Example signing request configuration
+
+Scripts:
+
+- createca.sh    - Script for creating a CA
--- a/createca.sh
+++ b/createca.sh
@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+  echo "Usage: $1 <cabasedir> <reqconf> <caconf>"
+  exit 1
+}
+
+if [ $# -lt 3 ]; then
+  usage $0
+fi
+
+if [ ! -f "$2" ]; then
+  echo "$2 is no file."
+  usage $0
+fi
+REQCONF="$2"
+
+if [ ! -f "$3" ]; then
+  echo "$2 is no file."
+  usage $0
+fi
+CACONF="$3"
+
+if [ -d "$1" ]; then
+  echo "$1 does already exist. Please specify a new directory."
+  usage $0
+fi
+CADIR="$1"
+
+mkdir -p "${CADIR}/certs"
+mkdir -p "${CADIR}/crl"
+mkdir -p "${CADIR}/newcerts"
+mkdir -p "${CADIR}/private"
+
+openssl req -new -x509 -config "${REQCONF}" -out "${CADIR}/ca.crt.pem" -keyout "${CADIR}/private/ca.key.pem"
+
+echo "01" > "${CADIR}/serial"
+touch "${CADIR}/index.txt"
--- a/rootreq.conf
+++ b/rootreq.conf
@ -0,0 +1,57 @@
+# Request configuration for CA certificate
+#
+# Author: Jan Dittberner <jan@dittberner.info>
+# Date:   2011-05-03
+
+RANDFILE		= $ENV::HOME/ca/.rnd
+
+extensions		= v3_ext 
+
+[ req ]
+default_bits		= 2048
+distinguished_name	= req_distinguished_name
+x509_extensions	        = v3_ca_ext
+
+# This sets a mask for permitted string types. There are several options. 
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= DE
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Saxony
+
+localityName			= Locality Name (eg, city)
+localityName_default            = Example Town
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Example Organization
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Example Lab
+
+commonName			= Common Name (eg, YOUR name)
+commonName_max			= 64
+commonName_default              = Example Lab Root CA
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+emailAddress_default            = rootca@example.org
+
+[ v3_ca_ext ]
+basicConstraints       = critical, CA:true, pathlen:1
+keyUsage               = critical, keyCertSign,cRLSign
+nsComment              = "Example Labs Root Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName         = email:copy
+authorityInfoAccess    = OCSP;URI:http://ocsp.rootca.example.org/
+crlDistributionPoints  = URI:http://rootca.example.org/rootca.crl