Project author: arlotito

Project description:
A simple CA to experiment with self-signed root, intermediate and leaf x509 certificates using openssl and bash scripts.
Language: Shell
Repository: git://github.com/arlotito/my-simple-bash-ca.git
Created: 2021-06-17T13:32:38Z
Project page: https://github.com/arlotito/my-simple-bash-ca

License:


A bunch of bash scripts implementing a minimal Certification Authority (CA).

Useful for easily and quickly creating self-signed root, intermediate and leaf (client/server) x509 certificates.

For testing purposes only!

[diagram: root / intermediate / leaf certificate hierarchy]

getting started

Optionally clear the CA folder:

```bash
sudo rm -rf /root/ca
```

Grab the scripts:

```bash
cd
sudo rm -rf ~/my-simple-bash-ca
git clone https://github.com/arlotito/my-simple-bash-ca
cd ~/my-simple-bash-ca/scripts
chmod +x *.sh
```

Customize the ./scripts/*.openssl.cnf files as needed, or keep the default values.

You can now create your certs. As an example, to create certs as per the diagram above:

```bash
cd ~/my-simple-bash-ca/scripts
sudo ./create_root.sh
sudo ./create_int.sh int1
sudo ./create_server.sh int1 server.contoso.com
sudo ./create_int.sh int2
sudo ./create_client.sh int2 clientA
sudo ./create_int.sh int3
sudo ./create_client.sh int3 deviceA
```

export certs

All the certificates are stored in /root/ca.
To export them into a given folder, use ./export.sh (its help output follows):

```
Usage: ./export.sh -i <intermediate-name> -c <certificate-name> -d <dest-folder> [-k] [-h]
  -h  Display help
  -i  name of the intermediate
      (it's the /root/ca/<intermediate-name>)
  -c  name of the certificate ("intermediate" or client/server name)
      (it's /root/ca/<intermediate-name>/certs/<CERT_NAME>.cert.pem and /root/ca/<intermediate-name>/private/<CERT_NAME>.cert.pem)
  -d  destination folder
  -k  exports the private key

Examples:
  to extract the intermediate "int1" (including private key) into ~/exported:
    ./export.sh -i int1 -c intermediate -d ~/exported -k
  to extract the server "est.contoso.com" (including private key) into ~/exported:
    ./export.sh -i int1 -c est.contoso.com -d ~/exported -k
  to extract the client "device3" (including private key) into ~/exported:
    ./export.sh -i int1 -c device3 -d ~/exported -k
```

view and verify certs

To optionally view the ROOT certificate:

```bash
sudo openssl x509 -noout -in /root/ca/certs/ca.cert.pem -subject -issuer
```

To view the INTERMEDIATE certificates:

```bash
# NOTE: replace `<INTERMEDIATE>` with the intermediate name
sudo openssl x509 -noout -in /root/ca/<INTERMEDIATE>/certs/intermediate.cert.pem -subject -issuer
```

To verify INTERMEDIATE against ROOT (the CA folder is /root/ca; paths are case-sensitive):

```bash
# NOTE: replace `<INTERMEDIATE>` with the intermediate name
sudo openssl verify -CAfile /root/ca/certs/ca.cert.pem /root/ca/<INTERMEDIATE>/certs/intermediate.cert.pem
```