author | Jakob Odersky <jodersky@gmail.com> | 2015-04-22 15:06:49 +0200 |
---|---|---|
committer | Jakob Odersky <jodersky@gmail.com> | 2015-04-22 15:24:00 +0200 |
commit | f79ee0e3999dfd04af306aced213f20b7f8e0904 (patch) | |
tree | ff9be23960cce44544a90bee37124d0cdcd2f60d /ssl | |
download | security-f79ee0e3999dfd04af306aced213f20b7f8e0904.tar.gz security-f79ee0e3999dfd04af306aced213f20b7f8e0904.tar.bz2 security-f79ee0e3999dfd04af306aced213f20b7f8e0904.zip |
initial commit
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/manual-procedure.txt | 25 | ||||
-rw-r--r-- | ssl/uca/README.md | 11 | ||||
-rwxr-xr-x | ssl/uca/uca | 78 |
3 files changed, 114 insertions, 0 deletions
diff --git a/ssl/manual-procedure.txt b/ssl/manual-procedure.txt
new file mode 100644
index 0000000..a0d0c55
--- /dev/null
+++ b/ssl/manual-procedure.txt
@@ -0,0 +1,25 @@
+Root certificate
+================
+
+1) generate private key
+openssl genpkey -algorithm RSA -out root.key.pem -pkeyopt rsa_keygen_bits:4096 -aes-256-cbc
+
+2) create root certificate signing request
+openssl req -new -key root.key.pem -out root.req.pem
+
+3) self-sign root certificate request
+openssl x509 -req -in root.req.pem -extfile openssl.cnf -extensions v3_ca -days 3650 -signkey root.key.pem -out root.cert.pem
+
+
+Server certificate
+==================
+
+1) generate private key, same procedure as root
+
+2) create certificate signing request
+openssl req -new -key server.key.pem -out server.req.pem
+
+3) sign certificate
+openssl x509 -req -in server.req.pem -extfile openssl.cnf -extensions v3_usr -CA root.cert.pem -CAkey root.key.pem -CAcreateserial
+
+
diff --git a/ssl/uca/README.md b/ssl/uca/README.md
new file mode 100644
index 0000000..ac6fceb
--- /dev/null
+++ b/ssl/uca/README.md
@@ -0,0 +1,11 @@
+# uca - The Microscopic Certificate Authority
+Uca (mu-c-a) is a tiny wrapper script around OpenSSL for managing certificates.
+
+## Usage
+1. Setup a new authority: creates a new root certificate and serial counter.
+ ```./uca setup```
+
+2. Issue a new certificate: create a new certificate and sign it with the root certificate.
+ ```./uca issue <name>```
+
+Run `uca` without any options for help.
\ No newline at end of file
diff --git a/ssl/uca/uca b/ssl/uca/uca
new file mode 100755
index 0000000..625f684
--- /dev/null
+++ b/ssl/uca/uca
@@ -0,0 +1,78 @@
+#!/bin/bash -e
+
+# configuration variables (change at will)
+CONFIG="/etc/ssl/openssl.cnf"
+CERT_SUFFIX=".cert.pem"
+KEY_SUFFIX=".key.pem"
+REQ_SUFFIX=".req.pem"
+
+# global variables set through parameters
+CA=${CA:-root}
+CA_CERT="${CA}${CERT_SUFFIX}"
+CA_KEY="${CA}${KEY_SUFFIX}"
+CA_SERIAL="${CA}.srl"
+
+# print usage
+print_usage() {
+ cat <<- EOF
+ uca - a certificate authority of micro complexity
+
+ uca setup
+ uca issue cert
+
+ Environment Variables:
+ CA name of certificate authority
+EOF
+}
+
+# generate new certificate authority
+new_ca() {
+ local ca_req="${CA}${REQ_SUFFIX}"
+
+ openssl genpkey -algorithm RSA -out "$CA_KEY" -pkeyopt rsa_keygen_bits:4096 #-aes-256-cbc
+ openssl req -new -key "$CA_KEY" -out "$ca_req"
+ openssl x509 -req -in "$ca_req" -extfile "$CONFIG" -extensions v3_ca -days 3650 -signkey "$CA_KEY" -out "$CA_CERT"
+
+ echo "01" > "$CA_SERIAL"
+
+ rm -f "$reqfile"
+}
+
+# issue new certificate
+# $1 name of new certificate
+issue() {
+ local keyfile="${1}${KEY_SUFFIX}"
+ local reqfile="${1}${REQ_SUFFIX}"
+ local certfile="${1}${CERT_SUFFIX}"
+
+ echo $certfile
+
+ openssl genpkey -algorithm RSA -out "$keyfile" -pkeyopt rsa_keygen_bits:4096
+ openssl req -new -key "$keyfile" -out "$reqfile"
+ openssl x509 -req -in "$reqfile" -extfile "$CONFIG" -extensions usr_cert -CA "$CA_CERT" -CAkey "$CA_KEY" -CAserial "$CA_SERIAL" -out "$certfile"
+
+ rm -f "$reqfile"
+}
+
+
+case "$1" in
+ setup)
+ new_ca
+ exit 0
+ ;;
+
+ issue)
+ if [ -e "$CA_CERT" ] && [ -e "$CA_KEY" ]; then
+ echo $2
+ issue $2
+ exit 0
+ else
+ echo "no root certificate and key found"
+ exit 1
+ fi
+ ;;
+
+ *)
+ print_usage
+ exit 0
+esac
\ No newline at end of file |
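Review bot: In new_ca the cleanup line `rm -f "$reqfile"` names a variable that function never sets (its CSR path is in `ca_req`), so with only `-e` and no `-u` it expands to an empty argument and the root CSR is left on disk after setup; it should read `rm -f "$ca_req"`. The CA private key is produced by genpkey with the encryption option commented out and under the caller's default umask, so unlike the `-aes-256-cbc` step in manual-procedure.txt it is a plaintext file that may end up group- or world-readable; a `umask 077` before the openssl calls (or `chmod 600 "$CA_KEY"` right after genpkey) keeps the CA key and every issued key private. The `issue)` arm passes `$2` unquoted and unchecked, so `./uca issue` with no name silently creates `.key.pem`/`.cert.pem` and a name containing spaces is split into several arguments; guard it with `[ -n "$2" ] || { print_usage; exit 1; }` and call `issue "$2"`. The issuing `openssl x509 -req` line has no `-days`, so issued certificates get OpenSSL's default 30-day validity, and the options in `#!/bin/bash -e` are dropped when the script is run as `bash uca`, so a `set -e` line in the body would be more robust. The manual signs with `-extensions v3_usr` while the script uses `usr_cert`; only one of these sections will exist in the shipped openssl.cnf, so the two should be brought into agreement.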