Create your own Certificate Authority in less than 10 minutes
This lets you create a Certificate Authority, otherwise known as a CA, so you can sign your own certificates. The script has two requirements: a *nix machine with /bin/sh, /bin/bash or a compatible shell, and the openssl command-line tool from the OpenSSL project. You can start the timer now…
I’ve written a script that greatly simplifies and automates the process of creating the Certificate Authority and of creating certificates. The script has two basic functions:
- Create a Certificate Authority
- Create keys, certificates, and certificate signing requests, and sign them using the Certificate Authority
Directions for Use
To get this all set up and running, you just need to create a directory, create two files, and execute one of them. Edit openssl.cnf with your favorite text editor (vim, emacs, nano, pico, ed, joe, whatever), put in your info, and then run CAAdmin.sh to get started.
From here, open a terminal to get started.
Create a working directory (copy and paste this block of code into your terminal)
mkdir Certificate_Authority_Admin
cd Certificate_Authority_Admin
Create openssl.cnf (copy and paste this block of code into your terminal). The quotes around EoF matter: without them the shell expands $dir to nothing while writing the file, and OpenSSL never sees the CA paths.
cat << 'EoF' > openssl.cnf
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = "CA"
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/public/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 730
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
x509_extensions = v3_req # extensions added to certificates signed by 'openssl ca'
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca # used by 'openssl req -x509' when CAAdmin.sh self-signs the CA certificate
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = ToddSmith, Org
organizationalUnitName_default = Secure Services
countryName_default = US
localityName_default = Los Angeles
emailAddress_default = ca@toddsmith.org
stateOrProvinceName_default = California
commonName_default = toddsmith.org
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EoF
Create the CAAdmin script (copy and paste this block of code into your terminal; the quoted EoF again keeps the shell from expanding the script's own variables while the file is written)
cat << 'EoF' > CAAdmin.sh
#!/bin/bash
# CAAdmin.sh: create a Certificate Authority and/or issue a server certificate signed by it.
cadir="CA"
conf="openssl.cnf"
cwd=$(pwd)
key_stripped=0

printf '%s' "Do you want to create a Certificate Authority? [yes or no] : " && read -r answer
if [ "X$answer" = "Xyes" ] ; then
    if [ ! -f "$conf" ] ; then
        echo "Must setup an openssl.cnf"
        exit 1
    fi
    # Refuse to overwrite an existing CA: the steps below would wipe its serial, index and key.
    if [ -d "$cadir" ] ; then
        echo "$cadir already exists; remove it first if you really want a new CA"
        exit 1
    fi
    mkdir -p "$cadir"
    cd "$cadir" || exit 1
    mkdir public crl newcerts private
    chmod 700 private            # the CA's private key is stored here
    echo 01 > serial
    cp /dev/null index.txt
    # Note: the CA certificate is valid for 365 days while openssl.cnf issues 730-day
    # certificates; a certificate that outlives its CA stops validating once the CA expires.
    openssl req -new -x509 -keyout private/cakey.pem -out public/cacert.pem -days 365 -config "../$conf"
    cd "$cwd" || exit 1
fi

printf '%s' "Do you want to create a certificate for an SSL enabled server? [yes or no] : " && read -r answer
[ "$answer" = "yes" ] || exit 0
printf '%s' "What is the name of this cert / key? (certfilename) : " && read -r certfile
if [ -n "$certfile" ] ; then
    unset answer
    # -nodes writes the server key unencrypted so the server can start without a passphrase
    openssl req -new -nodes -out req.pem -config "$conf" && \
    mv key.pem "${certfile}.key.pem" && \
    mv req.pem "${certfile}.req.pem" && \
    openssl req -in "${certfile}.req.pem" -text -verify -noout && \
    printf '%s' "Does information look correct? [yes or no] : " && read -r answer
    if [ "$answer" = "yes" ] ; then
        unset answer
        openssl ca -out "${certfile}.crt.pem" -config "$conf" -infiles "${certfile}.req.pem"
    fi
    # "Strip" removes the text dump that openssl ca prepends, leaving only the PEM block.
    printf '%s' "Do you want to strip the certificate? [yes or no] : " && read -r answer
    if [ "$answer" = "yes" ] ; then
        unset answer
        mv "${certfile}.crt.pem" "${certfile}.crt.tmp"
        openssl x509 -in "${certfile}.crt.tmp" -out "${certfile}.crt.pem" && \
        key_stripped=1 && \
        rm "${certfile}.crt.tmp"
    fi
    if [ "$key_stripped" = 1 ] ; then
        printf '%s' "Do you want to create a combined cert/key file? [yes or no] : " && read -r answer
        if [ "$answer" = "yes" ] ; then
            unset answer
            # The combined file holds the private key: create it readable by the owner only.
            ( umask 077 && cat "${certfile}.crt.pem" "${certfile}.key.pem" > "${certfile}.crtkey.pem" )
        fi
    fi
fi
EoF
Edit openssl.cnf with your favorite editor to customize it for you.
Now I'm going to run you through the script once so you can see how simple it is.
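As an added example (my own code, not the post's script), here is the same CA-then-server-certificate flow run without any prompts, with the weak settings corrected and the checks a practitioner runs before deploying: the leaf must chain to the CA, CA:TRUE must sit only on the CA certificate, and the signature digest must be one clients still accept. It assumes openssl 1.1.1 or later on the PATH; the directory layout follows the post, while the organisation, the host name mail.example.test and the function names are made up.

```shell
#!/bin/sh
# Added example, not the post's script. Same layout (CA/, <host>.{key,req,crt}.pem),
# but non-interactive, with sha256 and 2048-bit keys, the v3_ca/v3_req sections
# wired to the commands that actually sign, and verification at the end.
# Assumes openssl 1.1.1+ on PATH; organisation, host name and function names are made up.

# Config mirroring the post's openssl.cnf. The quoted heredoc delimiter stops the
# shell from expanding $dir before OpenSSL reads the file.
write_hardened_cnf() {
    cat > "$1" << 'EoF'
dir = CA
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/public/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256               # the post used md5, which modern clients reject
x509_extensions = v3_req          # extensions for certificates 'openssl ca' issues
policy = policy_match
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048               # the post used 1024
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca           # used by 'openssl req -x509' for the CA's own certificate
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# browsers match the host against the SAN, not the CN; the value comes from the environment
subjectAltName = ${ENV::SAN}
EoF
}

# $1 = work directory, $2 = server host name. Leaves CA/ and <host>.{key,req,crt}.pem in $1.
build_demo_ca() {
    ( cd "$1" || exit 1
      write_hardened_cnf openssl.cnf
      SAN="DNS:$2"; export SAN         # read via ${ENV::SAN} every time the config loads
      mkdir -p CA/public CA/newcerts CA/private
      chmod 700 CA/private
      echo 01 > CA/serial
      : > CA/index.txt
      # CA certificate: 10 years, so the 365-day leaf certificates cannot outlive it.
      # -nodes keeps the demo unattended; a real CA key should carry a passphrase as in the post.
      openssl req -new -x509 -batch -nodes -newkey rsa:2048 -days 3650 -config openssl.cnf \
          -keyout CA/private/cakey.pem -out CA/public/cacert.pem \
          -subj "/C=US/ST=California/O=Example Org/CN=Example Org Root CA"
      # Server key and CSR, then sign it. -notext writes only the PEM block, which is
      # what the post's separate "strip" step achieves afterwards with openssl x509.
      openssl req -new -batch -nodes -newkey rsa:2048 -config openssl.cnf \
          -keyout "$2.key.pem" -out "$2.req.pem" -subj "/C=US/ST=California/O=Example Org/CN=$2"
      openssl ca -batch -notext -config openssl.cnf -in "$2.req.pem" -out "$2.crt.pem"
    )
}

# Pre-deployment checks: does the leaf chain to the CA, is CA:TRUE set only on the
# CA certificate, and which digest was used for the signature?
chain_ok()   { openssl verify -CAfile "$1/CA/public/cacert.pem" "$1/$2.crt.pem" >/dev/null 2>&1; }
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
sig_alg()    { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    work=$(mktemp -d)
    build_demo_ca "$work" mail.example.test || return 1
    chain_ok "$work" mail.example.test && echo "mail.example.test.crt.pem chains to the CA"
    echo "CA certificate signed with $(sig_alg "$work/CA/public/cacert.pem"); files are in $work"
}
main "$@"
```

Running it prints the result of the chain check and the directory holding the new CA; `build_demo_ca` runs in a subshell so the caller's working directory is untouched. Two design points differ from the post on purpose: the CA lifetime is longer than the leaf lifetime, and the leaf gets a subjectAltName, since modern clients ignore the CN when matching a host name.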
tsmith@tejinashi:~/Certificate_Authority_Admin$ ls
CAAdmin.sh openssl.cnf
tsmith@tejinashi:~/Certificate_Authority_Admin$ sh CAAdmin.sh
Do you want to create a Certificate Authority? [yes or no] : yes
Generating a 1024 bit RSA private key
....................++++++
.++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [ToddSmith, Org]:
Organizational Unit Name (department, division) [Secure Services]:
Email Address [ca@toddsmith.org]:
Locality Name (city, district) [Los Angeles]:
State or Province Name (full name) [California]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) [toddsmith.org]:
Do you want to create a certificate for an SSL enabled server? [yes or no] : yes
What is the name of this cert / key? [certfile] : mail.toddsmith.org
Generating a 1024 bit RSA private key
..............................++++++
............................................++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [ToddSmith, Org]:
Organizational Unit Name (department, division) [Secure Services]:
Email Address [ca@toddsmith.org]:
Locality Name (city, district) [Los Angeles]:
State or Province Name (full name) [California]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) [toddsmith.org]:mail.toddsmith.org
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: O=ToddSmith, Org, OU=Secure Services/emailAddress=ca@toddsmith.org, L=Los Angeles, ST=California, C=US, CN=mail.toddsmith.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d1:be:57:f7:e1:35:5b:01:fb:0d:20:06:23:dc:
44:f7:89:0e:f7:f6:71:5f:17:91:58:01:99:2f:75:
00:0d:e1:d7:0b:35:c1:90:e8:f9:56:a5:82:7b:a1:
97:79:b1:5b:7e:70:fd:cd:e0:95:5d:d1:f4:38:4d:
3f:00:fe:8a:a0:9a:66:2a:3c:45:27:e0:b1:98:3d:
40:2b:03:3c:5e:95:e1:48:79:a9:03:65:78:19:9b:
e9:39:06:6f:d6:ad:6f:12:55:dd:18:45:76:50:fd:
40:9a:60:7e:53:fb:67:0d:1b:1e:7f:e6:70:0d:ab:
2b:4c:45:5e:0e:df:c9:3f:5d
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
56:61:49:B0:F8:DA:58:9E:4A:14:EF:3B:61:D4:74:AF:B6:AF:3A:ED
Signature Algorithm: md5WithRSAEncryption
b5:8d:6f:16:87:1f:cb:78:16:03:9f:95:cf:4b:8d:b8:81:c0:
a9:e4:a0:de:c1:72:b0:3c:c8:2f:26:5e:ff:af:24:de:68:76:
e9:d0:f3:36:6d:d6:ea:40:27:19:33:91:ec:89:42:7b:ac:18:
82:59:bf:c3:22:83:77:79:19:a1:05:92:6f:43:be:17:0d:c0:
e8:f5:f6:a0:fe:1b:05:ab:fd:56:b8:3a:3b:81:d0:e3:c4:60:
14:db:2f:de:27:a7:da:bc:72:10:e7:de:77:16:18:5e:30:81:
d2:c6:1e:bf:96:f6:23:42:c2:0a:2e:3e:15:ff:bf:82:be:9d:
0d:16
Does information look correct? [yes or no] : yes
Using configuration from openssl.cnf
Enter pass phrase for CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'ToddSmith, Org'
organizationalUnitName:PRINTABLE:'Secure Services'
localityName :PRINTABLE:'Los Angeles'
stateOrProvinceName :PRINTABLE:'California'
countryName :PRINTABLE:'US'
commonName :PRINTABLE:'mail.toddsmith.org'
Certificate is to be certified until Apr 2 01:42:45 2011 GMT (730 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Do you want to strip the certificate? [yes or no] : yes
Do you want to create a combined cert/key file? [yes or no] : yes
tsmith@tejinashi:~/Certificate_Authority_Admin$ ls -1
CA
CAAdmin.sh
mail.toddsmith.org.crt.pem
mail.toddsmith.org.crtkey.pem
mail.toddsmith.org.key.pem
mail.toddsmith.org.req.pem
openssl.cnf
tsmith@tejinashi:~/Certificate_Authority_Admin$
There you have it. If you want to create another key, run it again. From this point forward you will probably want to answer “no” when the script asks if you want to create a new Certificate Authority. I have not tested it.
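Added example, not part of the post: a few checks on the files the script leaves behind before they go onto a server. It uses the post's file naming (<name>.crt.pem, <name>.key.pem, <name>.crtkey.pem) and assumes openssl on the PATH; the fixture built by `make_fixture` is a constructed self-signed certificate that exists only to have something to check. The point a practitioner cares about most is the last one: a combined cert/key file written with a plain `cat a b > c` takes the umask's default mode, which is usually world-readable.

```shell
#!/bin/sh
# Added example, not part of the post: checks on the files CAAdmin.sh leaves
# behind, using its naming (<name>.crt.pem, <name>.key.pem, <name>.crtkey.pem).
# Assumes openssl on PATH; the fixture in make_fixture is constructed.

# The certificate must carry the public half of the key it will be deployed with.
cert_matches_key() {  # $1 = certificate PEM, $2 = private key PEM
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 'openssl ca' prepends a text dump to its output; the post's "strip" step removes
# it, so a stripped certificate starts straight at the PEM armour.
is_stripped() { [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ]; }

# A combined cert/key file contains the private key. 'cat a b > c' creates c with
# the umask's default mode (often 0644), so check that other users cannot read it.
not_world_readable() { [ -z "$(find "$1" -perm -o+r)" ]; }

# Exactly one certificate followed by one private key.
combined_layout_ok() {
    is_stripped "$1" &&
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" = 1 ] &&
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$1")" = 1 ]
}

# $1 = base name as given to CAAdmin.sh. Prints a verdict; returns 1 on the first problem.
audit() {
    cert_matches_key "$1.crt.pem" "$1.key.pem" || { echo "$1: key does not match certificate"; return 1; }
    is_stripped "$1.crt.pem" || { echo "$1.crt.pem: still has the text dump in front"; return 1; }
    if [ -f "$1.crtkey.pem" ]; then
        combined_layout_ok "$1.crtkey.pem" || { echo "$1.crtkey.pem: unexpected layout"; return 1; }
        not_world_readable "$1.crtkey.pem" || { echo "$1.crtkey.pem: readable by other users"; return 1; }
    fi
    echo "$1: OK"
}

# Constructed fixture: a throw-away self-signed cert and key named like the
# script's output, plus a combined file created under a safe umask.
make_fixture() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1.cnf"
    openssl req -x509 -new -batch -nodes -newkey rsa:2048 -days 1 -config "$1.cnf" \
        -subj "/CN=$1" -keyout "$1.key.pem" -out "$1.crt.pem" 2>/dev/null
    ( umask 077 && cat "$1.crt.pem" "$1.key.pem" > "$1.crtkey.pem" )
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    work=$(mktemp -d)
    cd "$work" || return 1
    make_fixture demo
    audit demo
    chmod 644 demo.crtkey.pem          # simulate a combined file written with the default umask
    audit demo || echo "(this is the failure to look for after running CAAdmin.sh)"
}
main "$@"
```

Run `audit mail.toddsmith.org` in the directory where the script wrote its files to check a real result; the functions take the post's base name, so no paths need editing.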
I hope that you found this useful.