This is a set of scripts that wrap openssl, making it easier to generate a local Certificate Authority (CA), create server certificates signed by that CA, and deploy them.
First, create an openssl configuration file and a makeCert.conf file. The simplest way is to copy the samples:
cp openssl.cnf.sample openssl.cnf
cp makeCert.conf.sample makeCert.conf
Edit openssl.cnf. Be sure to set up the section [req_distinguished_name]. The section [alt_names] is only a placeholder and will be ignored; the alternative names come from the makeCert command line (see below).
Edit makeCert.conf, making sure you change the values of \$caCRT and \$caKey to match your preferences (hint: use your company or network name). Ten years for the CA (\$caDays) and one year for a server certificate (\$certDays) are reasonable. Do not make them much longer than that; some applications refuse certificates with long lifetimes (Apple platforms, for example, reject TLS server certificates valid for more than 825 days).
Some people will prefer to place their CA files into a subdirectory (or even someplace else on the file system), so caCRT and caKey take fully qualified path names. Keep the .crt and .key suffixes as that is pretty standardized.
If you want to place your server certificates in their own directory, change \$serverCertDir (just a directory name).
All paths must exist prior to running any scripts.
./makeCA
This will create a Certificate Authority (a private .key file and a certificate .crt file) at the locations defined in the config file. It will ask for a passphrase twice when creating the key file, and then again when creating the .crt. The passphrases must match and must be more than 8 characters long. The .key file is the root of trust for everything signed with it: keep it readable only by you (mode 0600), back it up, and never copy it to a server.
Only the .crt file (never the .key) should be deployed to all workstations that will access services using certificates created in the next section; install it into each workstation's trusted root store.
./makeCert DNS_Name [alias ...]
This will create a server certificate signed by the CA above, valid for the first parameter (DNS_Name) and for every subsequent parameter (alias). The files are named after the first parameter and stored in the \$serverCertDir directory. The following four files will be created, where name is the first parameter to the command:
./deployCert hostname [certname]
This is a very simple script with limited abilities. It copies the two files a server needs (the .crt and the .key) for a particular cert to hostname using scp, then reloads Apache on that host (via service apache2 reload). Because the private key travels with it, make sure it lands somewhere only root can read (mode 0600). The script assumes the target runs Apache under the apache2 service name; adjust it for anything else.
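The whole makeCA / makeCert / deployCert flow spelled out with plain openssl commands, as an added example that is not the project's own scripts. It shows what each step produces, the checks worth running before a certificate ships (chain to the CA, expected SAN present, key actually matches the certificate), and the file permissions a deploy should preserve. Everything below the README does not state is an assumption: the working directory ./pki-demo, the CA name "Example Local CA", the host names web01.example.test and www.example.test, and the CA passphrase taken from $CA_PASS (the default is a demo value only). The deploy step is done into a local directory in place of scp so the example runs offline.

```shell
#!/bin/sh
# Added example, not the project's makeCA/makeCert/deployCert scripts: the same
# CA -> server-certificate -> deploy flow with plain openssl commands, plus the
# checks worth running before shipping a certificate. Assumptions not from the
# README: working dir ./pki-demo, CA name "Example Local CA", passphrase from
# $CA_PASS (demo default only), host names *.example.test.
set -eu

WORK="${WORK:-./pki-demo}"
CA_PASS="${CA_PASS:-changeme-demo}"   # demo value; use a real passphrase
CA_DAYS=3650                           # ten years, as in makeCert.conf.sample
CERT_DAYS=365                          # one year, as in makeCert.conf.sample

# make_ca: encrypted CA key (mode 0600) and a self-signed CA certificate whose
# extensions mark it as a CA allowed to sign certificates. Overwrites any old one.
make_ca() {
    mkdir -p "$WORK/ca" "$WORK/certs"
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Local CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$WORK/ca/ca.key" 3072 2>/dev/null)
    openssl req -x509 -new -config "$WORK/ca.cnf" -key "$WORK/ca/ca.key" \
        -passin "pass:$CA_PASS" -days "$CA_DAYS" -sha256 -out "$WORK/ca/ca.crt"
}

# make_cert NAME [ALIAS ...]: unencrypted server key (Apache reads it at start),
# CSR, and a CA-signed certificate whose subjectAltName lists NAME and every
# ALIAS (clients match on SAN, not on the CN).
make_cert() {
    name="$1"; sans="DNS:$1"; shift
    for alias in "$@"; do sans="$sans,DNS:$alias"; done
    (umask 077; openssl genrsa -out "$WORK/certs/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$WORK/ca.cnf" -key "$WORK/certs/$name.key" \
        -subj "/CN=$name" -out "$WORK/certs/$name.csr"
    cat > "$WORK/certs/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
    openssl x509 -req -in "$WORK/certs/$name.csr" -CA "$WORK/ca/ca.crt" \
        -CAkey "$WORK/ca/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -days "$CERT_DAYS" -sha256 -extfile "$WORK/certs/$name.ext" \
        -out "$WORK/certs/$name.crt" 2>/dev/null
}

# Pre-deploy checks: does the cert chain to our CA, does it carry the expected
# SAN (dots in NAME are regex wildcards here; fine for a demo), and does the
# .key really belong to the .crt (same public key)?
verify_cert()  { openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/certs/$1.crt" >/dev/null; }
cert_has_san() { openssl x509 -in "$WORK/certs/$1.crt" -noout -text | grep -Eq "DNS:$2(,|$)"; }
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/certs/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/certs/$1.key" -pubout)" ]
}

# stage_cert NAME DIR: what deployCert does with scp, done locally so the
# permissions are explicit: the certificate is public, the key stays 0600.
stage_cert() {
    install -d -m 0755 "$2"
    install -m 0644 "$WORK/certs/$1.crt" "$2/$1.crt"
    install -m 0600 "$WORK/certs/$1.key" "$2/$1.key"
}

# Demo run: one CA, one server certificate for web01 with a www alias, checked
# and then staged into $WORK/deploy.
run_demo() {
    make_ca
    make_cert web01.example.test www.example.test
    verify_cert web01.example.test
    cert_has_san web01.example.test www.example.test
    key_matches_cert web01.example.test
    stage_cert web01.example.test "$WORK/deploy"
    echo "ok: $WORK/certs/web01.example.test.crt verified and staged in $WORK/deploy"
}
run_demo
```

The three check functions are the part worth lifting into your own workflow: running them right before deployCert catches a certificate signed by the wrong CA, a missing alias, and the classic mismatch of copying a freshly regenerated .crt next to a stale .key, all of which otherwise only show up as a browser error or a failed Apache reload.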