Featured image of post OpenSSL Snippet

OpenSSL Snippet

Generate CA, and sign TLS ECDSA key using OpenSSL

Here is the translated text:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#!/usr/bin/env sh
set -e

# path to private part of CA (PEM encoded)
CA_KEY='ca.key'
# path to public part of CA (PEM encoded)
CA_CRT='ca.crt'
# password to use CA
CA_PASSWORD='longalphanum'

# Country
C='UA'
# State
ST='Kiev'
# Location
L='Kiev'
# Organization
O='No organization'
# Organization unit
OU='No unit'
# Domain to issue final cert for
DOMAIN='vlasov.pro'
# Days while the certificate will be valid
DAYS='365'

subj() {
  echo "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=$1"
}

if [ ! -f "$CA_KEY" ] || [ "$1" = '-ca' ]; then
  echo 'basicConstraints=CA:true' > extfile.txt
  # CA - used for signing of both server and client certs
  # generate private key
  openssl ecparam -genkey -name prime256v1 | openssl ec -out "$CA_KEY"
  # generate signing request
  openssl req -new -key "$CA_KEY" -out ca.csr -subj "$(subj "$O CA")"
  # csr + key = crt
  openssl x509 -req -days 3650 -in ca.csr -signkey "$CA_KEY" -extfile extfile.txt -out "$CA_CRT"
  rm -f ca.csr
  # convert crt to DER format
  openssl x509 -inform PEM -outform DER -in "$CA_CRT" -out "$CA_CRT.der"
  echo 'Generated CA'
fi

# generate and sign certificate
cat <<EOF >extfile.txt
[ req ]
req_extensions     = req_ext
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = $DOMAIN
DNS.2   = *.$DOMAIN
EOF
# issue
openssl ecparam -genkey -name prime256v1 | openssl ec -out "${DOMAIN}.key"  # key
openssl req -new -key "${DOMAIN}.key" -out "${DOMAIN}.csr" -config extfile.txt -subj "$(subj $DOMAIN)" # csr
openssl x509 -req \
  -days "$DAYS" \
  -in "${DOMAIN}.csr" \
  -CA "$CA_CRT" \
  -out "${DOMAIN}.crt" \
  -CAkey "$CA_KEY" \
  -CAcreateserial \
  -passin "pass:$CA_PASSWORD" \
  -extensions req_ext -extfile extfile.txt  # csr + rootCA.crt = crt 
rm -f "${DOMAIN}.csr"
# convert DER -> PEM
openssl x509 -inform PEM -outform DER -in "${DOMAIN}.crt" -out "${DOMAIN}.der.crt"  # convert
# convert PEM -> pkcs12
openssl pkcs12 -export \
  -inkey "${DOMAIN}.key" \
  -in "${DOMAIN}.crt" \
  -out "${DOMAIN}.pfx" \
  -password "pass:$JKS_PASSWORD" \
  -name "$DOMAIN"
# create fullchain
cat "${DOMAIN}.crt" "$CA_CRT" > "${DOMAIN}.full"
# verify
openssl verify -CAfile "$CA_CRT" "${DOMAIN}.crt"
# info
log_info "Generated $DOMAIN"
done
rm -f extfile.txt
Licensed under Apache License, Version 2.0
Last updated on Dec 10, 2024 14:01 +0200
All rights reserved
Built with Hugo
Theme Stack designed by Jimmy