Building a simple CA for testing purposes

I recently needed to create a Certificate Authority with an Intermediate Certificate to test some TLS inspection stuff at work. This script (based on a document I found at jamielinux.com) builds a Certificate Authority and creates an Intermediate Certificate Authority using the root.

#! /bin/bash # Heavily based on https://jamielinux.com/docs/openssl-certificate-authority/ # Start from # sudo -i mkdir /root/ca cd /root/ca mkdir certs crl newcerts private chmod 700 private touch index.txt echo 1000 > serial wget https://jamielinux.com/docs/openssl-certificate-authority/_downloads/root-config.txt -O openssl.cnf openssl genrsa -aes256 -out private/ca.key.pem 4096 chmod 400 private/ca.key.pem openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem chmod 444 certs/ca.cert.pem openssl x509 -noout -text -in certs/ca.cert.pem mkdir /root/ca/intermediate cd /root/ca/intermediate mkdir certs crl csr newcerts private chmod 700 private touch index.txt echo 1000 > serial echo 1000 > crlnumber wget https://jamielinux.com/docs/openssl-certificate-authority/_downloads/intermediate-config.txt -O openssl.cnf cd /root/ca openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096 chmod 400 intermediate/private/intermediate.key.pem openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem chmod 444 intermediate/certs/intermediate.cert.pem openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem chmod 444 intermediate/certs/ca-chain.cert.pem # https://stackoverflow.com/a/39327439 openssl pkcs8 -topk8 -in intermediate/private/intermediate.key.pem -out intermediate/private/intermediate.key

I’ve also done something similar with Ansible before, but I’ve not got that to hand :)

Late edit, 2019-08-21: Found it! Needs some tweaks to add the sub-CA or child certs, but so-far it would work :)

--- - hosts: localhost vars: - dnsname: your.dns.name - tmppath: "./tmp/" - crtpath: "{{ tmppath }}{{ dnsname }}.crt" - pempath: "{{ tmppath }}{{ dnsname }}.pem" - csrpath: "{{ tmppath }}{{ dnsname }}.csr" - pfxpath: "{{ tmppath }}{{ dnsname }}.pfx" - private_key_password: "password" tasks: - file: path: "{{ tmppath }}" state: absent - file: path: "{{ tmppath }}" state: directory - name: "Generate the private key file to sign the CSR" openssl_privatekey: path: "{{ pempath }}" passphrase: "{{ private_key_password }}" cipher: aes256 - name: "Generate the CSR file signed with the private key" openssl_csr: path: "{{ csrpath }}" privatekey_path: "{{ pempath }}" privatekey_passphrase: "{{ private_key_password }}" common_name: "{{ dnsname }}" - name: "Sign the CSR file as a CA to turn it into a certificate" openssl_certificate: path: "{{ crtpath }}" privatekey_path: "{{ pempath }}" privatekey_passphrase: "{{ private_key_password }}" csr_path: "{{ csrpath }}" provider: selfsigned - name: "Convert the signed certificate into a PKCS12 file with the attached private key" openssl_pkcs12: action: export path: "{{ pfxpath }}" name: "{{ dnsname }}" privatekey_path: "{{ pempath }}" privatekey_passphrase: "{{ private_key_password }}" passphrase: password certificate_path: "{{ crtpath }}" state: present

Share this:

Leave a Reply Cancel reply