ca

ca.git
git clone git://git.lenczewski.org/ca.git

README (2044B)


ca
==============================================================================
A set of shell scripts for generating a small self-signed certificate authority,
and generating signed certificates for use with email and other services.

Taken from the excellent website:
 https://jamielinux.com/docs/openssl-certificate-authority/index.html

ca: Usage
------------------------------------------------------------------------------
First, fill out the relevant `*.txt` configuration files. Note that the CRL and
OCSP URIs are expected to be sans `http://` prefix.

Then, initialise the root CA:

```
$ ./init-ca.sh
```

Then, create one or more intermediate CAs:

```
$ ./make-intermediate-ca.sh
```

If desired, the individual certificates (rsa, ecc, or both) for any given
intermediate CA can be revoked:

```
$ ./revoke-intermediate-ca.sh ca/intermediate/current/cert/intermediate.ecc.crt.pem
```

To create a client or server certificate, use the `make-cert.sh` script:

```
$ ./make-cert.sh server www.example.com
```

To add additional x509 fields, simply append `key=val` pairs to the arguments:

```
$ ./make-cert.sh client Alice 'emailAddress=alice@example.com' x500UniqueIdentifier=alice
```

To change the default PKCS#12 password (from 'password'), set the following
environment variable:

```
$ PCKSPASS="mypass" ./make-cert.sh ...
```

To create an RSA key and certificate, as opposed to an ECC one, set the following
environment variable:

```
$ ECC=0 ./make-cert.sh ...
```

To change the number of days the certificate is valid for, set the following
environment variable:

```
$ DAYS=365 ./make-cert.sh ...
```

To revoke a previously generated client or server certificate, simply
provide the type of certificate, and the FQDN (i.e. common name), to the
`revoke-cert.sh` script:

```
$ ./revoke-cert.sh client Alice
```

To regenerate the entire CA chain, and all certificates, simply remove the
`ca/` and `certs/` directories.

By default, the intermediate CA is configured for OCSP, and the root CA is
configured for CRLs.
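
To confirm that an issued certificate actually advertises the OCSP or CRL location described above, and that the URI was not entered with its `http://` prefix by mistake, a check along these lines can be run after issuing. It is an added example, not part of this repository; the function names are hypothetical and it assumes the scripts prepend `http://` to the configured value.

```sh
#!/bin/sh
# Added example, not part of the ca repository. Needs OpenSSL 1.1.1 or newer.

# OCSP responder URIs advertised by a certificate, one per line.
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# CRL distribution point URIs advertised by a certificate, one per line.
crl_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^[[:space:]]*URI://p'
}

# Classify one URI. Assumption: the scripts add "http://" themselves, so a
# config value entered with its scheme ends up with the scheme doubled.
uri_problem() {
    case "$1" in
        http://http://*|http://https://*) echo "doubled scheme" ;;
        http://*) echo "ok" ;;
        *) echo "unexpected scheme" ;;
    esac
}

# Report every revocation URI in a certificate. Returns 1 if any URI is
# malformed or the certificate advertises no revocation mechanism at all.
check_revocation() {
    cert=$1 rc=0 seen=0
    for u in $(ocsp_uris "$cert") $(crl_uris "$cert"); do
        seen=1
        p=$(uri_problem "$u")
        printf '%s: %s\n' "$u" "$p"
        [ "$p" = ok ] || rc=1
    done
    [ "$seen" -eq 1 ] || { echo "no OCSP or CRL URI in $cert"; rc=1; }
    return "$rc"
}

# Constructed input: a throwaway self-signed certificate carrying the given
# OCSP ($2) and CRL ($3) URIs. The ca scripts are not involved.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=sample" -days 1 -keyout "$1.key" -out "$1" \
        -addext "authorityInfoAccess=OCSP;URI:$2" \
        -addext "crlDistributionPoints=URI:$3" 2>/dev/null
}

if [ "$#" -gt 0 ]; then check_revocation "$1"; fi
```

Pass it a certificate path, for instance the `ca/intermediate/current/cert/intermediate.ecc.crt.pem` file used in the revocation command above.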