vikumar-ciena · October 16, 2021 13:48 · Oct 3, 2014 · Oct 3, 2014 · Oct 3, 2014 · Oct 3, 2014
diff --git a/cl.cnf b/cl.cnf
@@ -45,6 +45,7 @@ default_keyfile 	= priv/client.key
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions		= usr_cert
+default_md		= sha256
 
 input_password = <password>
 output_password = <password>

diff --git a/im.cnf b/im.cnf
@@ -44,7 +44,8 @@ default_bits		= 2048
 default_keyfile 	= priv/intermediate.key
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions		= v3_ca	
+x509_extensions		= v3_ca
+default_md		= sha256
 
 input_password = <password>
 output_password = <password>

diff --git a/cl.cnf b/cl.cnf
@@ -88,5 +88,5 @@ authorityKeyIdentifier=keyid,issuer
 # subjectAltName = @alt_names
 
 [ alt_names ]
-DNS.1 = domain.com
-IP.1 = 10.0.0.1
+DNS.1 = <domain>
+IP.1 = <ip>
diff --git a/ca.cnf b/ca.cnf
@@ -47,8 +47,8 @@ attributes		= req_attributes
 x509_extensions		= v3_ca
 default_md		= sha256
 
-input_password = ABC@123
-output_password = ABC@123
+input_password = <password>
+output_password = <password>
 
 string_mask = utf8only
 

diff --git a/cl.cnf b/cl.cnf
@@ -46,8 +46,8 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions		= usr_cert
 
-input_password = ABC@123
-output_password = ABC@123
+input_password = <password>
+output_password = <password>
 
 string_mask = utf8only
 

diff --git a/im.cnf b/im.cnf
@@ -46,8 +46,8 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions		= v3_ca	
 
-input_password = ABC@123
-output_password = ABC@123
+input_password = <password>
+output_password = <password>
 
 string_mask = utf8only
 

diff --git a/genchain → genchain.sh b/genchain → genchain.sh
diff --git a/ca.cnf b/ca.cnf
@@ -0,0 +1,81 @@
+HOME			= .
+RANDFILE		= .rnd
+
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+[ CA_default ]
+dir		= .			# Where everything is kept
+certs		= $dir/cert		# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.db		# database index file.
+unique_subject	= yes			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir			# default place for new certs.
+
+certificate	= $certs/ca.crt		# The CA certificate
+serial		= $dir/serial		# The current serial number
+private_key	= $dir/priv/ca.key	# The private key
+RANDFILE	= $dir/.rnd		# private random number file
+
+x509_extensions	= v3_ca			# The extentions to add to the cert
+copy_extensions	= copy
+
+name_opt	= ca_default		# Subject Name options
+cert_opt	= ca_default		# Certificate field options
+
+default_days	= 7300			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+policy		= policy_match
+
+[ policy_match ]
+countryName		= supplied
+stateOrProvinceName	= optional
+organizationName	= supplied
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+default_bits		= 4096
+default_keyfile 	= priv/ca.key
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= v3_ca
+default_md		= sha256
+
+input_password = ABC@123
+output_password = ABC@123
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+0.organizationName		= Organization Name
+0.organizationName_default	= Corporation
+
+commonName			= Common Name
+commonName_default		= Global CA Root
+commonName_max			= 64
+
+[ req_attributes ]
+challengePassword		= Password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+[ v3_ca ]
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement,keyCertSign, cRLSign
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = CA:true
+nsCertType = sslCA, emailCA
diff --git a/cl.cnf b/cl.cnf
@@ -0,0 +1,92 @@
+HOME			= .
+RANDFILE		= .rnd
+
+[ ca ]
+default_ca	= CA_default			# The default ca section
+
+[ CA_default ]
+dir		= .				# Where everything is kept
+certs		= $dir/cert			# Where the issued certs are kept
+crl_dir		= $dir				# Where the issued crl are kept
+database	= $dir/index.db			# database index file.
+unique_subject	= no				# Set to 'no' to allow creation of
+						# several ctificates with same subject.
+new_certs_dir	= $dir/cert			# default place for new certs.
+
+certificate	= $certs/intermediate.crt	# The CA certificate
+serial		= $dir/serial 			# The current serial number
+private_key	= $dir/priv/intermediate.key	# The private key
+RANDFILE	= .rnd				# private random number file
+
+x509_extensions	= usr_cert			# The extentions to add to the cert
+copy_extensions = copy
+
+name_opt 	= ca_default			# Subject Name options
+cert_opt 	= ca_default			# Certificate field options
+
+default_days	= 365				# how long to certify for
+default_crl_days= 30				# how long before next CRL
+default_md	= sha256			# use public key default MD
+preserve	= no				# keep passed DN ordering
+
+policy		= policy_match
+
+[ policy_match ]
+countryName		= optional
+stateOrProvinceName	= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+default_bits		= 2048
+default_keyfile 	= priv/client.key
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= usr_cert
+
+input_password = ABC@123
+output_password = ABC@123
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= CA
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Los Angeles
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Corporation
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+
+commonName			= Common Name
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+[ req_attributes ]
+challengePassword		= Password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = domain.com
+IP.1 = 10.0.0.1
diff --git a/genchain b/genchain
@@ -0,0 +1,127 @@
+#!/bin/bash
+#
+# Small wizard to create a chain of trust using openssl
+# including one root certificat, an intermediate certificate
+# and multiple clien certificates. The openssl config is done
+# using the separate files.
+
+# Constants
+CONFCA=ca.cnf
+CONFIM=im.cnf
+CONFCL=cl.cnf
+
+# Check for config
+test -f $CONFCA || exit 0
+test -f $CONFIM || exit 0
+test -f $CONFCL || exit 0
+
+if ! type "openssl" > /dev/null; then
+    echo "OpenSSL in not installed"
+    exit 0
+fi
+
+# Create directories
+test -d cert || mkdir cert
+test -d priv || mkdir priv
+test -d req || mkdir req
+
+touch index.db
+
+LANG=C
+export LANG
+
+ask() {
+    while true; do
+
+        if [ "${2:-}" = "Y" ]; then
+            prompt="Y/n"
+            default=Y
+        elif [ "${2:-}" = "N" ]; then
+            prompt="y/N"
+            default=N
+        else
+            prompt="y/n"
+            default=
+        fi
+
+        # Ask the question
+        read -p "$1 [$prompt] " REPLY
+
+        # Default?
+        if [ -z "$REPLY" ]; then
+            REPLY=$default
+        fi
+
+        # Check if the reply is valid
+        case "$REPLY" in
+            Y*|y*) return 0 ;;
+            N*|n*) return 1 ;;
+        esac
+
+    done
+}
+
+# Create CA
+ca () {
+    openssl req -new -config $CONFCA -nodes -out req/ca.csr
+    openssl ca -create_serial -selfsign -in req/ca.csr -out cert/ca.crt -config $CONFCA
+    openssl verify -CAfile cert/ca.crt cert/ca.crt
+}
+
+# Create intermediate
+intermediate () {
+    if [ ! -f cert/ca.crt ] || [ ! -f priv/ca.key ]; then
+        echo "No CA root certificate present"
+        exit 0
+    fi
+    openssl req -new -config $CONFIM -nodes -out req/intermediate.csr
+    openssl ca -config $CONFIM -in req/intermediate.csr -out cert/intermediate.crt
+    openssl verify -CAfile cert/ca.crt cert/intermediate.crt
+    cat cert/intermediate.crt cert/ca.crt > cert/ca-bundle.crt
+}
+
+# Create client
+client () {
+    if [ ! -f cert/intermediate.crt ] || [ ! -f priv/intermediate.key ]; then
+        echo "No CA root intermediate present"
+        exit 0
+    fi
+    echo "To add DNS and/or IP change subjectAltName in $CONFCL file"
+    openssl req -new -config $CONFCL -nodes -out req/client.csr
+    openssl ca -config $CONFCL -in req/client.csr -out cert/client.crt
+    openssl verify -CAfile cert/ca-bundle.crt cert/client.crt
+
+    if ask "Export all formats?" Y; then
+        openssl x509 -in cert/client.crt -out cert/client.der -outform DER
+        openssl pkcs12 -export -out cert/client.p12 -in cert/client.crt -inkey priv/client.key -chain -CAfile cert/ca-bundle.crt
+        openssl crl2pkcs7 -nocrl -certfile cert/client.crt -out cert/client.p7b -certfile cert/ca-bundle.crt
+    fi
+}
+
+# Cleanup
+if [ "$1" == "clean" ]; then
+    rm -rf cert priv req index.* .rnd serial* *.pem
+    exit 0
+fi
+
+# Help
+if [ "$1" == "help" ]; then
+    echo "Usage: genchain <clean>" >&2
+    exit 0
+fi
+
+if ask "Create CA root?" Y; then
+    ca
+fi
+
+if ask "Create intermediate?" Y; then
+    intermediate
+fi
+
+if ask "Create client?" Y; then
+    client
+fi
+
+echo "All certificates are create in cert/"
+
+exit 0
diff --git a/im.cnf b/im.cnf
@@ -0,0 +1,79 @@
+HOME			= .
+RANDFILE		= .rnd
+
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+[ CA_default ]
+dir		= .			# Where everything is kept
+certs		= $dir/cert		# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.db		# database index file.
+unique_subject	= yes			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/cert		# default place for new certs.
+
+certificate	= $certs/ca.crt		# The CA certificate
+serial		= $dir/serial 		# The current serial number
+private_key	= $dir/priv/ca.key	# The private key
+RANDFILE	= $dir/.rnd		# private random number file
+
+x509_extensions	= v3_ca			# The extentions to add to the cert
+copy_extensions = copy
+
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+policy		= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+default_bits		= 2048
+default_keyfile 	= priv/intermediate.key
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= v3_ca	
+
+input_password = ABC@123
+output_password = ABC@123
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+0.organizationName		= Organization Name
+0.organizationName_default	= Corporation
+
+commonName			= Common Name
+commonName_default		= External CA G2
+commonName_max			= 64
+
+[ req_attributes ]
+challengePassword		= Password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = CA:true, pathlen:0
+keyUsage = cRLSign, keyCertSign
+
+nsCertType = sslCA, emailCA