openssl.csr.bash

bash script that uses the openssl req utility to make a certificate signing request (CSR) whose subject fields are filled in from variables at the top of the script

install openssl

ubuntu

sudo apt-get install openssl

red hat

sudo yum install openssl

usage

change the variables at the top of openssl.csr.bash to match your needs: site_name, email_address, organization, etc.

execute the script

./openssl.csr.bash

inspect certificate signing request

openssl req -noout -text -in example.com.csr

inspect signed certificate

openssl x509 -noout -text -in example.com.crt

inspect complete certificate chain

openssl crl2pkcs7 -nocrl -certfile example.com.pem | openssl pkcs7 -print_certs -text -noout

credit

The chain file starts with the end-entity certificate (the site's own) and links back through the intermediate certificates until a trusted certificate authority is reached.

per IETF's RFC 5246 Section 7.4.2:

The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it.

It's unnecessary to end with the root certificate, because the client already trusts it from its own trust store.

converting formats (.crt/.pem/.cer & .key) to .pfx

Microsoft's IIS uses the pfx format, so you will need to bundle the certificate and its private key into a .pfx file

openssl pkcs12 -export -out example.com.pfx -inkey example.com.key -in example.com.crt

verify server installation

openssl s_client -showcerts -servername example.com -connect example.com:443

DIY

here is an end-to-end guide for creating a root certificate authority, intermediate CA, certificate signing requests, and certs

SAN (subject alternative names) certificates

  • sometimes you want one certificate to use with multiple sub-domain names, such as www.example.com, test.example.com, and another.example.com, but you don't want to be so permissive as to issue a wildcard certificate *.example.com
  • sometimes your alias domains are not sub-domains, such as example.com and example.org

this script is written to properly generate SAN certificates, but if you're interested, then here is a guide for creating the configuration file used to generate the CSR.

as an addendum to the end-to-end guide, you will need to modify your intermediate CA configuration by adding copy_extensions = copy to the [CA_default] section

caution: with copy_extensions = copy the CA copies whatever extensions the requester put in the CSR, including subjectAltName, so a requester can sneak unauthorized domain names into the signed certificate. if you are signing requests for other people, then make sure that you review each request before signing it

openssl req -text -noout -verify -in example.com.csr
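as an added example (not the repository's own openssl.csr.bash), the script below builds the SAN request configuration described above and feeds it to openssl req, then prints the CSR for review; the subject values and hostnames are constructed placeholders

```shell
#!/usr/bin/env bash
# Added example, not the repository's openssl.csr.bash: build an openssl req
# config carrying subjectAltName entries, then create a key and CSR from it.
set -eu
# Constructed sample values; edit to match your site.
site_name="example.com"
email_address="admin@example.com"
organization="Example Org"
country="US"
san_names="example.com www.example.com test.example.com example.org"

# Print an openssl req config. $1 is the common name; remaining args are DNS SANs.
make_csr_config() {
  cn="$1"; shift
  cat <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[dn]
C = $country
O = $organization
emailAddress = $email_address
CN = $cn
[v3_req]
subjectAltName = @alt_names
[alt_names]
EOF
  i=1
  for name in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$name"
    i=$((i + 1))
  done
}

# Generate a 2048-bit RSA key and CSR with that config, then print the CSR for review.
make_csr() {
  make_csr_config "$site_name" $san_names > "$site_name.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$site_name.key" -out "$site_name.csr" -config "$site_name.cnf"
  openssl req -text -noout -verify -in "$site_name.csr"
}

# Run with "generate" to create the files; with no argument only the config is printed.
case "${1:-show}" in
  show) make_csr_config "$site_name" $san_names ;;
  generate) make_csr ;;
esac
```

the DNS.n entries in [alt_names] are what end up in the CSR's subjectAltName extension, which is why the signing CA should review them before copying them into the certificate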

credits

Thanks to Jeff Walton for helping me figure out which default configuration file to use.