Revisions
mark-kubacki revised this gist
Feb 14, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -44,7 +44,7 @@ function create_CA() { # @param1 path to the certificate to be issued, without the ext; # $1.csr will be used as 'signing request' function issue_cert() { local random_serial=$(tr -dc '0-9' < /dev/urandom | head -c 8 || true) ## Your in-house CA would use: ## openssl ca -sha384 -config … -name … -extensions … -
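Review bot: The new `head -c 8` still leaves the serial at eight decimal digits, roughly 26 bits, which is small enough that a CA issuing a few thousand certificates will probably reuse one, and a leading zero or an empty result (the `|| true` plus `local` hide any failure of the pipeline) reaches `-set_serial` unchecked. RFC 5280 only requires a positive integer of at most 20 octets, but if this pattern is ever copied into a real CA the CA/Browser Forum baseline expects at least 64 bits of CSPRNG output, and OpenSSL can produce that without a pipeline: `local random_serial` followed by `random_serial="0x$(openssl rand -hex 16)"`, since `-set_serial` accepts hex with a `0x` prefix. Separating the declaration from the assignment also lets `set -e` notice a failing `openssl rand` instead of silently passing an empty argument on. The `openssl x509 -req` call that consumes the serial is outside the hunk.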
mark-kubacki revised this gist
Jan 29, 2015 . 1 changed file with 7 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,19 +2,23 @@ # for example, a HTTPS server basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = serverAuth [ for_a_client ] # passwordless signing in for clients using browsers, # or sending (and receiving) S/MIME encrypted emails basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = digitalSignature, keyEncipherment, keyAgreement, nonRepudiation, dataEncipherment extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin [ for_a_node ] # for example, two nodes communicating with each other basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = serverAuth, clientAuth -
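Review bot: The `[ for_a_client ]` section now claims `emailProtection` and `msSmartcardLogin`, but nothing in the file sets a subjectAltName and the subjects the issuing script uses carry only C, O and CN; S/MIME agents match the sender's address against an rfc822Name SAN (RFC 8550 §3) and Windows smart-card logon is documented to look for the UPN in an otherName SAN, so as issued these certificates are unlikely to work for either purpose. A line such as `subjectAltName = email:copy` (copies email entries from the subject) or `subjectAltName = ${ENV::CLIENT_SAN}` filled in by the caller would make the new usages meaningful. Bundling TLS client auth, S/MIME and logon into one key also means a single compromised key exposes all three; one section per purpose would be the safer default.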
mark-kubacki revised this gist
Jan 29, 2015 . 2 changed files with 6 additions and 6 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -33,8 +33,8 @@ function makecsr() { # Uses ${CApath} and ${CAsubj}. function create_CA() { makecsr "${CApath}" "${CAsubj}" # We issue ourselves a self-signed cert for the CA # without any key constraints or extended usages (,=all permitted): openssl req -new -x509 -sha384 -set_serial 1 -days 3 \ -key "${CApath}.key" -subj "${CAsubj}" -out "${CApath}.crt" } @@ -50,7 +50,7 @@ function issue_cert() { ## openssl ca -sha384 -config … -name … -extensions … openssl x509 -req -sha384 -set_serial ${random_serial} -days 1 \ -CAkey "${CApath}.key" -CA "${CApath}.crt" \ -extfile "extensions.cnf" -extensions "for_a_node" \ -in "${1}.csr" -out "${1}.crt" } This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,18 +1,18 @@ [ for_a_server ] # for example, a HTTPS server basicConstraints = CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = serverAuth [ for_a_client ] # passwordless signing in for clients using browsers basicConstraints = CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement extendedKeyUsage = clientAuth [ for_a_node ] # for example, two nodes communicating with each other basicConstraints = CA:FALSE subjectKeyIdentifier = hash -
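Review bot: The reworded comment in create_CA, `without any key constraints or extended usages (,=all permitted)`, still misdescribes the CA certificate: a v3 certificate with no basicConstraints is not a CA to a strict verifier (OpenSSL's X509_check_ca only treats a v1 self-signed certificate that way), so what makes the issued certificates validate is that `openssl req -x509` silently applies the `v3_ca` section of the system openssl.cnf, which differs between hosts. Since makecsr has already written `${CApath}.csr`, the dependency goes away by signing that CSR with an explicit section: replace the `openssl req -new -x509` call with `openssl x509 -req -sha384 -set_serial 1 -days 3 -signkey "${CApath}.key" \` and `-in "${CApath}.csr" -extfile "extensions.cnf" -extensions "for_a_ca" -out "${CApath}.crt"`, and add a `[ for_a_ca ]` section to extensions.cnf carrying `basicConstraints = critical, CA:TRUE, pathlen:0`, `keyUsage = critical, keyCertSign, cRLSign` and `subjectKeyIdentifier = hash`. The comment can then say what the CA certificate actually asserts, and the stray comma in `(,=all permitted)` goes with it.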
mark-kubacki created this gist
Jan 29, 2015 .There are no files selected for viewing
@@ -0,0 +1,69 @@ #!/bin/bash # # Copyright (c) 2015 W. Mark Kubacki <[email protected]> # Licensed under the terms of the RPL 1.5 for all usages # http://www.opensource.org/licenses/rpl1.5 # set -e -o pipefail CAsubj="/C=DE/ST=Niedersachsen/L=Hannover/O=Dummy CA/CN=Sign-It-All" CApath="dummy/CA" ClientSubj="/C=DE/O=Dummy Corp/CN=" # the CN value gets appended ClientPath="dummy/" # the last /* will be stripped mkdir "${CApath%/*}" # Makes up a CSR and generates an unique key. # # @param1 path without ext, will create files $1.{key,csr} # @param2 string to be used as 'subj' for a CSR function makecsr() { umask 0177 openssl ecparam -genkey -name prime256v1 -out "${1}.key" umask 0022 # CSR, in case you want to submit it to any known CA # see: openssl req -in web.csr -noout -text openssl req -new -nodes -sha384 \ -key "${1}.key" -subj "${2}" -out "${1}.csr" } # Creates a dummy CA. # Uses ${CApath} and ${CAsubj}. function create_CA() { makecsr "${CApath}" "${CAsubj}" # We issues ourselves a self-signed cert for the CA # without any key constraints or extended usages (=all): openssl req -new -x509 -sha384 -set_serial 1 -days 3 \ -key "${CApath}.key" -subj "${CAsubj}" -out "${CApath}.crt" } # Signs a CSR. Uses ${CApath}.* as CA. 
# # @param1 path to the certificate to be issued, without the ext; # $1.csr will be used as 'signing request' function issue_cert() { local random_serial=$(tr -dc '0-9' < /dev/urandom | fold -w 8 | head -n 1 || true) ## Your in-house CA would use: ## openssl ca -sha384 -config … -name … -extensions … openssl x509 -req -sha384 -set_serial ${random_serial} -days 1 \ -CAkey "${CApath}.key" -CA "${CApath}.crt" \ -extfile "extensions.cnf" -extensions "v3_node" \ -in "${1}.csr" -out "${1}.crt" } # create a dummy CA… create_CA # … and certificates for nodes {A,B,C} for handle in "node-A" "node-B" "node-C"; do makecsr "${ClientPath%/*}/${handle}" "${ClientSubj}${handle}" issue_cert "${ClientPath%/*}/${handle}" # view it by: openssl x509 -noout -text -in …/….crt done # fin echo DONE This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,20 @@ [ v3_server ] # for example, a HTTPS server basicConstraints = CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = serverAuth [ v3_client ] # passwordless signing in for clients using browsers basicConstraints = CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement extendedKeyUsage = clientAuth [ v3_node ] # for example, two nodes communicating with each other basicConstraints = CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = serverAuth, clientAuth
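Review bot: The node certificates are issued with `-extensions "v3_node"`, i.e. serverAuth and clientAuth, yet no subjectAltName is ever set and the subject carries only C, O and CN, so TLS stacks that match hostnames against the SAN alone (most current ones, Chrome and Go included) will reject these certificates on hostname verification. Passing the name through the extension file fixes it in two lines: `subjectAltName = DNS:${ENV::NODE_NAME}` in the `[ v3_node ]` section and `NODE_NAME="${1##*/}" openssl x509 -req -sha384 -set_serial ${random_serial} -days 1 \` as the first line of the signing command in issue_cert. Separately, makecsr restores the umask to a fixed `0022` after generating the key rather than to the caller's value; saving it with `local old_umask; old_umask=$(umask)` and restoring with `umask "$old_umask"` keeps the script from loosening permissions on everything it writes afterwards.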
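Review bot: `[ v3_client ]` asserts `keyEncipherment` and `dataEncipherment`, and the server and node sections assert `keyEncipherment`, but the script this file is used with generates only prime256v1 (EC) keys, and RFC 5480 §3 lists only digitalSignature, nonRepudiation and keyAgreement (plus encipherOnly/decipherOnly) as permitted keyUsage values for id-ecPublicKey; an ECDSA key cannot encipher anything. Dropping the two encipherment bits, e.g. `keyUsage = digitalSignature, keyAgreement` for the server and node sections and `keyUsage = digitalSignature, nonRepudiation, keyAgreement` for the client, keeps the extension truthful, and if RSA CSRs are also expected the section should be chosen per key type. Marking basicConstraints and keyUsage `critical` would additionally stop a relying party from ignoring them.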