Revisions
pnck revised this gist
Mar 25, 2025 · 1 changed file with 3 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,7 +5,7 @@ DIR="$(pwd)" # Create the openssl configuration file. This is used for both generating # the certificate as well as for specifying the extensions. It aims in favor # of automation, so the DN is encoding and not prompted. if [ ! -f "${DIR}/openssl.cnf" ]; then cat > "${DIR}/openssl.cnf" << EOF [req] default_bits = 2048 encrypt_key = no # Change to encrypt the private key using des3 or similar @@ -43,8 +43,9 @@ IP.1 = 192.168.1.1 IP.2 = 10.0.0.1 DNS.1 = hostname EOF fi read -p "${DIR}/openssl.cnf released, break to modify it" answer echo -e "\n\n-----------------------------------\nCreate CA\n-----------------------------------\n" # Create the certificate authority (CA). This will be a self-signed CA, and this -
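Review bot: The new `if [ ! -f "${DIR}/openssl.cnf" ]` guard makes the script reuse whatever `openssl.cnf` already sits in the working directory (and `DIR="$(pwd)"`, so that may be an unrelated or stale file), and that same file is later handed to the signing step as `-extfile`, so its `[v3_req]`/`[alt_names]` sections silently decide the SAN, CA flag and key usage of the issued certificate with no check on where they came from. At the least say so, e.g. an `else` branch with `echo "reusing existing ${DIR}/openssl.cnf" >&2`, or refuse to continue unless the file was written by this script. The `read -p "…" answer` line reads into a variable that is never used and lacks `-r`; `read -r -p "${DIR}/openssl.cnf released; press Enter to continue or Ctrl-C to edit it first " _` states the intent and satisfies ShellCheck. `read -p` is also a bashism, so the shebang (outside this hunk) needs to be bash rather than sh.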
pnck revised this gist
Nov 1, 2019 · 1 changed file with 10 additions and 6 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -45,7 +45,8 @@ DNS.1 = hostname EOF echo -e "\n\n-----------------------------------\nCreate CA\n-----------------------------------\n" # Create the certificate authority (CA). This will be a self-signed CA, and this # command generates both the private key and the certificate. You may want to # adjust the number of bits (4096 is a bit more secure, but not supported in all @@ -63,7 +64,10 @@ openssl req \ -keyout "${DIR}/ca.key" \ -out "${DIR}/ca.crt" echo -e "\n\n-----------------------------------\nCreate Sub Service\n-----------------------------------\n" # Generate the private key for the service. Again, you may want to increase # the bits to 4096. # openssl genrsa -out "${DIR}/private.key" 2048 @@ -72,22 +76,22 @@ openssl req \ # give this CSR to our CA to sign. openssl req \ -new -newkey rsa:2048 \ -keyout "${DIR}/sub_service.key" \ -out "${DIR}/sub_service.csr" \ -config "${DIR}/openssl.cnf" # Sign the CSR with our CA. This will generate a new certificate that is signed # by our CA. openssl x509 \ -req \ -days 1825 \ -in "${DIR}/sub_service.csr" \ -extensions v3_req \ -extfile "${DIR}/openssl.cnf" \ -CA "${DIR}/ca.crt" \ -CAkey "${DIR}/ca.key" \ -CAcreateserial \ -out "${DIR}/sub_service.pem" # (Optional) Verify the certificate. openssl x509 -in "${DIR}/sub_service.pem" -noout -text -
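Review bot: The new `openssl req -new -newkey rsa:2048 -keyout "${DIR}/sub_service.key"` writes the service private key under the process's default umask (usually 022, i.e. world-readable), and the config's `encrypt_key = no` means it is plaintext; the same holds for `ca.key`, generated with `-nodes` a few lines above. A `umask 077` at the top of the script, or `chmod 600 "${DIR}"/*.key` right after each key is written, keeps them owner-only. Separately, `-days 1825` for the leaf certificate exceeds the 825-day ceiling Apple platforms enforce for TLS server certificates since iOS 13/macOS 10.15 (which, as I read the policy, applies to private CAs too), so such clients may reject `sub_service.pem`; `-days 398` or shorter avoids that.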
pnck revised this gist
Nov 1, 2019 · 1 changed file with 24 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -45,15 +45,34 @@ DNS.1 = hostname EOF echo -e "\n\n-------------------\nCreate CA\n-------------------\n" # Create the certificate authority (CA). This will be a self-signed CA, and this # command generates both the private key and the certificate. You may want to # adjust the number of bits (4096 is a bit more secure, but not supported in all # places at the time of this publication). # # To put a password on the key, remove the -nodes option. # # Be sure to update the subject to match your organization. openssl req \ -new \ -newkey rsa:2048 \ -days 1825 \ -nodes \ -x509 \ -keyout "${DIR}/ca.key" \ -out "${DIR}/ca.crt" # Generate the private key for the service. Again, you may want to increase # the bits to 4096. # openssl genrsa -out "${DIR}/private.key" 2048 # Generate a CSR using the configuration and the key just generated. We will # give this CSR to our CA to sign. openssl req \ -new -newkey rsa:2048 \ -keyout "${DIR}/private.key" \ -out "${DIR}/my-service.csr" \ -config "${DIR}/openssl.cnf" @@ -65,7 +84,9 @@ openssl x509 \ -in "${DIR}/my-service.csr" \ -extensions v3_req \ -extfile "${DIR}/openssl.cnf" \ -CA "${DIR}/ca.crt" \ -CAkey "${DIR}/ca.key" \ -CAcreateserial \ -out "${DIR}/my-service.crt" # (Optional) Verify the certificate. -
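Review bot: The restored signing step `openssl x509 -req … -CA "${DIR}/ca.crt" -CAkey "${DIR}/ca.key"` names no digest, and `default_md = sha256` in the `[req]` section of openssl.cnf only governs `openssl req`; on OpenSSL 1.0.x the `x509` command falls back to SHA-1, so the leaf may come out as `sha1WithRSAEncryption` and be refused by current clients. Adding `-sha256 \` to that invocation (and to the new `openssl req … -x509` CA command, which gets no `-config` and so also depends on the system default config) pins the algorithm regardless of the OpenSSL build. The CA command also dropped `-subj`, so the CA's DN is entered interactively, as the leaf's appears to be; if a user types the same DN for both, OpenSSL treats the leaf as self-signed during chain building, so the `# Be sure to update the subject…` comment should add that the CA subject must differ from the service subject.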
pnck renamed this gist
Nov 1, 2019 · 1 changed file with 1 addition and 4 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,9 +1,6 @@ # Define where to store the generated certs and metadata. DIR="$(pwd)" # Create the openssl configuration file. This is used for both generating # the certificate as well as for specifying the extensions. It aims in favor -
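Review bot: `DIR="$(pwd)"` now drops the CA key, the serial file and every issued key and certificate straight into the current working directory, so `ca.key` lands next to whatever else is there and is easy to commit or copy by accident. Removing the old `rm -rf` was the right call, but a dedicated owner-only directory is still worth keeping: `DIR="${DIR:-$(pwd)/tls}"` followed by `mkdir -p -m 700 "${DIR}"` preserves the previous `./tls` layout for anyone relying on it while keeping the keys out of the cwd.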
pnck revised this gist
Nov 1, 2019 · 1 changed file with 14 additions and 55 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -13,7 +13,7 @@ cat > "${DIR}/openssl.cnf" << EOF default_bits = 2048 encrypt_key = no # Change to encrypt the private key using des3 or similar default_md = sha256 prompt = yes utf8 = yes # Speify the DN here so we aren't prompted (along with prompt = no above). @@ -24,11 +24,11 @@ req_extensions = v3_req # Be sure to update the subject to match your organization. [req_distinguished_name] C = Country Name (2 letter code) ST = State or Province Name (full name) L = Locality Name (eg, city) O = Organization Name (eg, company) CN = Common Name (e.g. server FQDN or YOUR name) # Allow client and server auth. You may want to only allow server auth. # Link to SAN names. @@ -42,75 +42,34 @@ subjectAltName = @alt_names # Alternative names are specified as IP.# and DNS.# for IP addresses and # DNS accordingly. [alt_names] IP.1 = 192.168.1.1 IP.2 = 10.0.0.1 DNS.1 = hostname EOF # Generate the private key for the service. Again, you may want to increase # the bits to 4096. openssl genrsa -out "${DIR}/private.key" 2048 # Generate a CSR using the configuration and the key just generated. We will # give this CSR to our CA to sign. openssl req \ -new -key "${DIR}/private.key" \ -out "${DIR}/my-service.csr" \ -config "${DIR}/openssl.cnf" # Sign the CSR with our CA. This will generate a new certificate that is signed # by our CA. openssl x509 \ -req \ -days 1825 \ -in "${DIR}/my-service.csr" \ -extensions v3_req \ -extfile "${DIR}/openssl.cnf" \ -signkey "${DIR}/private.key" \ -out "${DIR}/my-service.crt" # (Optional) Verify the certificate. openssl x509 -in "${DIR}/my-service.crt" -noout -text -
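Review bot: The signing step in the last hunk now passes `-signkey "${DIR}/private.key"` instead of `-CA`/`-CAkey`, which makes `my-service.crt` a self-signed certificate, yet the comment directly above still reads `# Sign the CSR with our CA`; nothing in this revision creates a CA any more, so either the comment should become `# Self-sign the CSR with the service's own key (no CA involved)` or CA signing should return. Likewise `# Speify the DN here so we aren't prompted (along with prompt = no above)` is stale once the first hunk sets `prompt = yes` and turns the `[req_distinguished_name]` values into prompt labels; `# prompt = yes: the values below are the prompt labels shown to the user` (also fixing the typo) would match the new behavior. A self-signed leaf with `basicConstraints = CA:FALSE` also has to be trusted by fingerprint or pinned individually on every client, which is worth a sentence in the header comment if that is the intent.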
sethvargo created this gist
Jun 6, 2018.
@@ -0,0 +1,116 @@ # Define where to store the generated certs and metadata. DIR="$(pwd)/tls" # Optional: Ensure the target directory exists and is empty. rm -rf "${DIR}" mkdir -p "${DIR}" # Create the openssl configuration file. This is used for both generating # the certificate as well as for specifying the extensions. It aims in favor # of automation, so the DN is encoding and not prompted. cat > "${DIR}/openssl.cnf" << EOF [req] default_bits = 2048 encrypt_key = no # Change to encrypt the private key using des3 or similar default_md = sha256 prompt = no utf8 = yes # Speify the DN here so we aren't prompted (along with prompt = no above). distinguished_name = req_distinguished_name # Extensions for SAN IP and SAN DNS req_extensions = v3_req # Be sure to update the subject to match your organization. [req_distinguished_name] C = US ST = California L = The Cloud O = Demo CN = My Certificate # Allow client and server auth. You may want to only allow server auth. # Link to SAN names. [v3_req] basicConstraints = CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names # Alternative names are specified as IP.# and DNS.# for IP addresses and # DNS accordingly. [alt_names] IP.1 = 1.2.3.4 DNS.1 = my.dns.name EOF # Create the certificate authority (CA). This will be a self-signed CA, and this # command generates both the private key and the certificate. You may want to # adjust the number of bits (4096 is a bit more secure, but not supported in all # places at the time of this publication). # # To put a password on the key, remove the -nodes option. # # Be sure to update the subject to match your organization. 
openssl req \ -new \ -newkey rsa:2048 \ -days 120 \ -nodes \ -x509 \ -subj "/C=US/ST=California/L=The Cloud/O=My Company CA" \ -keyout "${DIR}/ca.key" \ -out "${DIR}/ca.crt" # # For each server/service you want to secure with your CA, repeat the # following steps: # # Generate the private key for the service. Again, you may want to increase # the bits to 4096. openssl genrsa -out "${DIR}/my-service.key" 2048 # Generate a CSR using the configuration and the key just generated. We will # give this CSR to our CA to sign. openssl req \ -new -key "${DIR}/my-service.key" \ -out "${DIR}/my-service.csr" \ -config "${DIR}/openssl.cnf" # Sign the CSR with our CA. This will generate a new certificate that is signed # by our CA. openssl x509 \ -req \ -days 120 \ -in "${DIR}/my-service.csr" \ -CA "${DIR}/ca.crt" \ -CAkey "${DIR}/ca.key" \ -CAcreateserial \ -extensions v3_req \ -extfile "${DIR}/openssl.cnf" \ -out "${DIR}/my-service.crt" # (Optional) Verify the certificate. openssl x509 -in "${DIR}/my-service.crt" -noout -text # Here is a sample response (truncate): # # Certificate: # Signature Algorithm: sha256WithRSAEncryption # Issuer: C = US, ST = California, L = The Cloud, O = My Organization CA # Subject: C = US, ST = California, L = The Cloud, O = Demo, CN = My Certificate # # ... # X509v3 extensions: # X509v3 Basic Constraints: # CA:FALSE # X509v3 Subject Key Identifier: # 36:7E:F0:3D:93:C6:ED:02:22:A9:3D:FF:18:B6:63:5F:20:52:6E:2E # X509v3 Key Usage: # Digital Signature, Key Encipherment # X509v3 Extended Key Usage: # TLS Web Client Authentication, TLS Web Server Authentication # X509v3 Subject Alternative Name: # IP Address:1.2.3.4, DNS:my.dns.name #
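Review bot: `rm -rf "${DIR}"` near the top wipes the whole `tls` directory on every run — `ca.key`, `ca.srl` and every certificate that CA has issued — and the `# Optional:` comment does not say so; a second run quietly mints a new, unrelated CA, so anything that already trusts the first `ca.crt` stops validating. A one-line guard such as `[ -e "${DIR}/ca.key" ] && { echo "refusing to overwrite existing CA in ${DIR}" >&2; exit 1; }` placed before the `rm -rf`, plus a comment `# WARNING: destroys any existing CA and issued certs under ${DIR}`, makes the behavior explicit. Both private keys are also written unencrypted (`encrypt_key = no` in the config, `-nodes` on the CA command) under the default umask, so a `umask 077` before the first `openssl` call would keep them owner-only. If this listing is the full 116-line file, nothing after the sample output is affected.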