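#!/bin/bash
#
# OpenSSL Certificate Authority
#
# See: https://jamielinux.com/docs/openssl-certificate-authority/index.html
#
# Builds a two-tier CA under ./ca from the configs in ../_cfg: an EC root
# (secp384r1, self-signed, 7305 days) and an EC intermediate (prime256v1,
# signed by the root, 3653 days), then writes the intermediate's chain file.
#
# Run from the directory that holds _cfg/. Interactive: openssl prompts for
# the subject fields and for the signing confirmation, and the script pauses
# after printing each certificate so it can be checked before continuing.
#
# Every failed command aborts the run. In particular an existing ./ca stops
# the script at the first mkdir instead of overwriting the keys inside it,
# and a failing 'openssl verify' stops it before the chain file is written.
set -euo pipefail

#######################################
# Clear the terminal. Purely cosmetic, so a missing terminal must not abort
# the run under 'set -e'.
#######################################
clear_screen() {
  clear || true
}

#######################################
# Print a section banner to stdout.
# Arguments: $1 - banner text
#######################################
banner() {
  echo ""
  echo "*** $1 ***"
  echo ""
}

#######################################
# Wait for the operator to confirm before continuing.
# Arguments: $1 - prompt text
#######################################
pause() {
  echo ""
  read -rp "$1"
}

###################################
# Create the directory structure
###################################
#######################################
# Create the root and intermediate CA directories under ./ca and copy the
# openssl configs into place.
# Outputs: leaves the shell in ./ca
#######################################
create_layout() {
  mkdir ca
  cd ca
  mkdir certs crl newcerts private
  chmod 700 private
  touch index.txt
  touch index.txt.attr
  # Start the root's serial at a random value rather than a fixed one.
  openssl rand -hex 16 > serial
  cp ../_cfg/openssl_root.cnf openssl.cnf
  mkdir intermediate
  cd intermediate
  mkdir certs crl csr newcerts private
  chmod 700 private
  touch index.txt
  touch index.txt.attr
  # NOTE(review): no serial file is created for the intermediate here; one is
  # needed before the intermediate signs anything — presumably a later step.
  cp ../../_cfg/openssl_intermediate.cnf openssl.cnf
  cd ..
}

###################################
# Create the root pair
###################################
#######################################
# Generate the root key and self-signed root certificate, print the
# certificate and wait for the operator to check it.
# Run with the shell in ./ca.
#######################################
create_root_pair() {
  banner "Create the root key and root certificate"
  # umask 077 in a subshell closes the window between key creation and the
  # chmod below during which the default umask would leave the key readable
  # by others; the subshell keeps the umask change local.
  # NOTE(review): the key is written unencrypted; encrypting it (e.g. through
  # 'openssl ec -aes256') would add a passphrase prompt to every later use —
  # decide based on how the root is operated.
  (umask 077 && openssl ecparam -genkey -name secp384r1 -out private/ca.key.pem)
  chmod 400 private/ca.key.pem
  openssl req -config openssl.cnf \
    -key private/ca.key.pem \
    -new -x509 -days 7305 -sha256 -extensions v3_ca \
    -out certs/ca.cert.pem
  chmod 444 certs/ca.cert.pem
  banner "Verify the root certificate"
  openssl x509 -noout -text -in certs/ca.cert.pem
  pause "Verify the root certificate and press any key to continue..."
  clear_screen
}

###################################
# Create the intermediate pair
###################################
#######################################
# Generate the intermediate key and CSR, sign it with the root, print and
# verify the resulting certificate and wait for the operator to check it.
# Run with the shell in ./ca.
#######################################
create_intermediate_pair() {
  banner "Create the intermediate key and intermediate certificate"
  # Same umask handling as for the root key: never world-readable, even briefly.
  (umask 077 && openssl ecparam -genkey -name prime256v1 \
    -out intermediate/private/intermediate.key.pem)
  chmod 400 intermediate/private/intermediate.key.pem
  openssl req -config intermediate/openssl.cnf -new -sha256 \
    -key intermediate/private/intermediate.key.pem \
    -out intermediate/csr/intermediate.csr.pem
  # Signing uses the root CA's openssl.cnf (copied from _cfg/openssl_root.cnf),
  # not the intermediate's.
  openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
    -days 3653 -notext -md sha256 \
    -in intermediate/csr/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cert.pem
  chmod 444 intermediate/certs/intermediate.cert.pem
  banner "Verify the intermediate certificate"
  openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
  # A verification failure aborts here (set -e), before the chain is written.
  openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
  pause "Verify the intermediate certificate and press any key to continue..."
  clear_screen
}

#######################################
# Write the chain file: intermediate certificate first, root last.
# Run with the shell in ./ca.
#######################################
create_chain_file() {
  cat intermediate/certs/intermediate.cert.pem \
    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
  chmod 444 intermediate/certs/ca-chain.cert.pem
}

main() {
  clear_screen
  create_layout
  create_root_pair
  create_intermediate_pair
  create_chain_file
}

main "$@"
#*** EOF ***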