Wanna see a real web page on this topic? Check out the OpenSSL Certificate Cookbook instead.

I make a few assumptions here: that you're running in /usr/local/ptudorCA and that at least these lines in your openssl.conf are set up similar to this:

[ CA_default ]
dir             = /usr/local/CertificateAuthority
certificate     = $dir/ptudorrootcert.pem 
commonName                      = Common Name (eg, server name)
commonName_default              = %%servername
emailAddress                    = Email Address
emailAddress_default            = cert@%%servername
And that you've already set up your root CA. If you haven't gotten that far, check out Being your own CA. Or just run:
openssl req -new -x509 -keyout /usr/local/CertificateAuthority/private/RootKey.orgname.pem -out /usr/local/CertificateAuthority/RootCert.orgname.pem -days 1826

newcert.sh

This script takes as an argument the name of the server the cert is for and puts everything in a directory named after that server. It generates the key request and then signs it.
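#!/bin/bash
# newcert.sh: create a key and a CA-signed certificate for one server
dir=/usr/local/ptudorCA
tmp=/tmp
umask 077   # everything created below is readable by the owner only

if [ "$1" = "" ]
  then
  echo "  This script requires an argument of the name of the server"
  echo "  this certificate is for. Try again."
  exit 99
fi

mkdir "$dir/$1"
# Fill the hostname into the %%servername placeholders in the config
perl -pi -e "s/%%servername/$1/g" "$dir/openssl.cnf"
echo -e "\nIf you screwed up the hostname, DO NOT press ^c. Finish then revoke it."
echo -e "\n\nFirst we generate the certificate request and private key:\n\n"
# The private key and a self-signed certificate are written to the same file
openssl req -nodes -new -x509 -keyout "$dir/$1/$1-key.pem" -out "$dir/$1/$1-key.pem" \
  -days 1461 -config "$dir/openssl.cnf"
echo -e "\n\nNow we sign it with our root CA\n\n"
# Turn the self-signed certificate back into a request, then sign it with the CA
openssl x509 -x509toreq -in "$dir/$1/$1-key.pem" -signkey "$dir/$1/$1-key.pem" \
  -out "$tmp/tmp.pem"
openssl ca -config "$dir/openssl.cnf" -policy policy_anything -out \
  "$dir/$1/$1-cert.pem" -infiles "$tmp/tmp.pem"
rm -f "$tmp/tmp.pem"
# Put the placeholder back (\Q...\E makes perl match the hostname literally)
perl -pi -e "s/\Q$1\E/%%servername/g" "$dir/openssl.cnf"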
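
newcert.sh edits the shared openssl.cnf in place and restores it at the end, which is why an interrupted run leaves the config modified. As an added example (not one of the original scripts), the following renders a private per-host copy of the config instead and rejects hostnames that are not plain DNS names; the function names valid_hostname and render_config and the temp-file name are assumptions.

```shell
#!/bin/sh
# Added example, not one of the original scripts. Function names are assumptions.
LC_ALL=C; export LC_ALL   # make A-Z / a-z in the patterns below mean ASCII only

# valid_hostname NAME: succeed only for dot-separated labels made of letters,
# digits and hyphens, so NAME is safe to use in a path and a sed replacement.
valid_hostname() {
  case "$1" in
    ""|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;  # empty, or misplaced dot/hyphen
    *[!A-Za-z0-9.-]*) return 1 ;;                # any character outside the set
  esac
  [ "${#1}" -le 253 ]
}

# render_config TEMPLATE HOST: write a private copy of TEMPLATE with every
# %%servername replaced by HOST and print its path. TEMPLATE is never modified.
render_config() {
  template=$1
  host=$2
  valid_hostname "$host" || { echo "invalid hostname: $host" >&2; return 1; }
  [ -r "$template" ] || { echo "cannot read $template" >&2; return 1; }
  out=$(mktemp "${TMPDIR:-/tmp}/openssl-cnf.XXXXXX") || return 1   # mode 0600
  sed "s/%%servername/$host/g" "$template" > "$out" || { rm -f "$out"; return 1; }
  printf '%s\n' "$out"
}

# Stand-alone use: sh render-config.sh HOST [TEMPLATE]
if [ "$#" -ge 1 ]; then
  cfg=$(render_config "${2:-/usr/local/ptudorCA/openssl.cnf}" "$1") || exit 1
  echo "pass '-config $cfg' to the openssl commands, then remove the file"
fi
```

With this in place the two perl -pi lines are no longer needed, and pressing ^c cannot leave a hostname baked into the shared config.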

ca-pem-net.sh

If you have any Microsoft IIS4/NT4 clients you need to change the format of the key from pem to a net key pair for KeyManager to be able to import the certificate and key. Again, it takes the hostname as an arg. It uses the hostname as the default password.
#!/bin/bash
# ca-pem-net.sh: convert a PEM private key to NET format for IIS4 KeyManager
umask 077

if [ "$1" = "" ]
  then
  echo "  This script requires an argument of the name of the server"
  echo "  this certificate is for. Try again."
  exit 99
fi

echo -en "\nConverting..."
openssl rsa -inform PEM -in "$1/$1-key.pem" -out "$1/$1-key.net" -outform NET
echo -en "done\n\n"

ca-pem-pks.sh

For IIS5/win2k it's slightly different. The default password is again set to the name of the host.
#!/bin/bash
# ca-pem-pks.sh: bundle key and certificate into a PKCS#12 file for IIS5
umask 077

if [ "$1" = "" ]
  then
  echo "  This script requires an argument of the name of the server"
  echo "  this certificate is for. Try again."
  exit 99
fi

echo -en "\nConverting..."
# The export password is the hostname, as described above
openssl pkcs12 -export -inkey "$1/$1-key.pem" -in "$1/$1-cert.pem" \
  -out "$1/$1-key.pks" -password "pass:$1" -name "$1 PKS Certificate"
echo -en "done\n\n"

see also:

OpenSSL
OpenCA
Being your own CA

ptudor@ptudor.net