https://tech.uvoo.io/index.php?action=history&feed=atom&title=Openssl_ca_using_config_file 2026-04-24T17:47:30Z Revision history for this page on the wiki MediaWiki 1.35.2 https://tech.uvoo.io/index.php?title=Openssl_ca_using_config_file&diff=5264&oldid=prev 2024-05-21T14:16:10Z

<p>Busk moved page <a href="/index.php?title=Openssl_ca_2&amp;action=edit&amp;redlink=1" class="new" title="Openssl ca 2 (page does not exist)">Openssl ca 2</a> to <a href="/index.php/Openssl_ca_using_config_file" title="Openssl ca using config file">Openssl ca using config file</a> without leaving a redirect </p> <table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface"> <tr class="diff-title" lang="en"> <td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td> <td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:16, 21 May 2024</td> </tr><tr><td colspan="2" class="diff-notice" lang="en"><div class="mw-diff-empty">(No difference)</div> </td></tr></table>

Busk https://tech.uvoo.io/index.php?title=Openssl_ca_using_config_file&diff=5263&oldid=prev 2024-05-21T14:15:49Z

<p>Created page with &quot;# Openssl ca with config file ## .env.secret ``` set -a ROOTCA1_PWD=ChangeMe ICA1a_PWD=ChangeThis ``` ## source ``` . .env.secret ``` ## init.sh.tpl ``` #!/bin/bash set -eu...&quot;</p> <p><b>New page</b></p><div># Openssl ca with config file<br /> <br /> ## .env.secret<br /> ```<br /> set -a<br /> ROOTCA1_PWD=ChangeMe<br /> ICA1a_PWD=ChangeThis<br /> ```<br /> <br /> ## source<br /> ```<br /> . .env.secret<br /> ```<br /> <br /> ## init.sh.tpl<br /> ```<br /> #!/bin/bash<br /> set -eu<br /> # . .env.secrets<br /> <br /> cd ${PWD}<br /> openssl rand -writerand .rnd<br /> OPENSSL_CA_DIR=&quot;openssl_ca&quot;<br /> mkdir -p ${OPENSSL_CA_DIR}<br /> mkdir -p ${OPENSSL_CA_DIR}/certs<br /> mkdir -p ${OPENSSL_CA_DIR}/crl<br /> mkdir -p ${OPENSSL_CA_DIR}/private<br /> if [ ! -e ${OPENSSL_CA_DIR}/serial ]; then<br /> echo 0100 &gt; ${OPENSSL_CA_DIR}/serial<br /> fi<br /> if [ ! -e ${OPENSSL_CA_DIR}/index ]; then<br /> touch ${OPENSSL_CA_DIR}/index<br /> fi<br /> <br /> # cat &lt;&lt; 'EOF' &gt; ${OPENSSL_CA_DIR}/openssl.cnf<br /> # cat &lt;&lt; 'EOF' &gt; /home/busk/openssl_ca/openssl.cnf<br /> cat &lt;&lt; 'EOF' &gt; ./openssl_ca/openssl.cnf<br /> HOME = .<br /> RANDFILE = $ENV::HOME/.rnd<br /> <br /> [ ca ]<br /> default_ca = CA_default<br /> <br /> [ CA_default ]<br /> # dir = /opt/openssl_ca<br /> dir = /home/busk/sandbox/ca/openssl_ca<br /> crl_dir = $dir/crl<br /> database = $dir/index<br /> new_certs_dir = $dir/certs<br /> serial = $dir/serial<br /> # certificate = $dir/issuer.crt<br /> certificate = $dir/RootCA1.crt<br /> private_key = $dir/RootCA1.key<br /> # certificate = $dir/ICA1a.crt<br /> # private_key = $dir/ICA1a.key<br /> # private_key = $dir/private/issuer.key<br /> # private_key = $dir/private/ICA1a.key<br /> policy = policy_match<br /> default_days = 365 # 1 year<br /> default_crl_days = 7 # 7 days<br /> default_md = sha1<br /> default_bits = 2048<br /> preserve = no<br /> unique_subject = no<br /> x509_extensions = v3_req<br /> copy_extensions = copy # to enable SubjectAltName<br /> <br /> [ policy_match ]<br /> countryName = optional<br /> stateOrProvinceName = optional<br /> localityName = optional<br /> organizationName = supplied<br /> organizationalUnitName = optional<br /> commonName = optional<br /> <br /> [ req ]<br /> distinguished_name = req_distinguished_name<br /> <br /> [ req_distinguished_name ]<br /> countryName = Country (2 letter code)<br /> countryName_min = 2<br /> countryName_max = 2<br /> stateOrProvinceName = State or Province (spelled out)<br /> localityName = City or Locality<br /> organizationName = Organization<br /> organizationalUnitName = Organizational Unit<br /> commonName = Common Name (FQDN)<br /> commonName_max = 64<br /> <br /> [ v3_req ]<br /> basicConstraints = CA:FALSE<br /> subjectKeyIdentifier = hash<br /> authorityKeyIdentifier = keyid,issuer<br /> keyUsage = digitalSignature,keyEncipherment<br /> extendedKeyUsage = serverAuth,clientAuth<br /> crlDistributionPoints = URI:http://pki.foo.example/issuer.crl<br /> <br /> [ v3_ca ]<br /> basicConstraints = CA:TRUE<br /> subjectKeyIdentifier = hash<br /> authorityKeyIdentifier = keyid:always,issuer:always<br /> keyUsage = cRLSign,keyCertSign<br /> <br /> [ v3_intermediate_ca ]<br /> basicConstraints = CA:TRUE<br /> subjectKeyIdentifier = hash<br /> authorityKeyIdentifier = keyid:always,issuer:always<br /> keyUsage = cRLSign,keyCertSign<br /> EOF<br /> <br /> cd ${OPENSSL_CA_DIR}<br /> <br /> # RootCA1<br /> openssl genrsa -passout env:ROOTCA1_PWD -aes256 -out RootCA1.key 4096<br /> openssl req -passin env:ROOTCA1_PWD -config openssl.cnf \<br /> -extensions v3_ca \<br /> -key RootCA1.key \<br /> -new -x509 -days 3653 -sha256 -extensions v3_ca \<br /> -out RootCA1.crt -subj &quot;/C=US/ST=Utah/L=SLC/O=ExampleCorp/OU=Testing/CN=RootCA1&quot;<br /> openssl x509 -noout -text -in RootCA1.crt<br /> <br /> <br /> # IntermediateCA ICA1a<br /> openssl genrsa -passout env:ICA1a_PWD -aes256 -out ICA1a.key 4096<br /> openssl req -passin env:ICA1a_PWD -config openssl.cnf \<br /> -new -sha256 \<br /> -key ICA1a.key \<br /> -out ICA1a.csr -subj &quot;/C=US/ST=Utah/L=SLC/O=ExampleCorp/OU=Testing/CN=ICA1a&quot;<br /> yes | openssl ca -passin env:ROOTCA1_PWD -config openssl.cnf \<br /> -extensions v3_intermediate_ca \<br /> -days 1826 -notext -md sha256 \<br /> -in ICA1a.csr \<br /> -out ICA1a.crt<br /> openssl x509 -text -in ICA1a.crt<br /> openssl x509 -text -in certs/0100.pem<br /> <br /> echo &quot;Completed successfully!&quot;<br /> cd ../<br /> ```<br /> <br /> <br /> ## main.sh<br /> ```<br /> #!/bin/bash<br /> set -aeu<br /> . .env.secrets<br /> export START_DIR=$(pwd)<br /> envtpl --keep-template init.sh.tpl<br /> bash -eu init.sh<br /> ```<br /> <br /> ## run main.sh<br /> ```<br /> ./main.sh<br /> ```</div>

Busk