This guide explains how to create a private Certificate Authority (CA), generate a server private key and Certificate Signing Request (CSR), and sign that CSR with the CA using OpenSSL. The whole process is automated with a bash script.
The script performs the following tasks:
- Removes any existing .pem, .csr, and .srl files.
- Generates a private key and self-signed certificate for the Certificate Authority (CA).
- Creates a private key and Certificate Signing Request (CSR) for the server.
- Defines a configuration file for server certificate extensions.
- Signs the server's CSR with the CA's private key and certificate.
- Verifies the generated server certificate.
Save the above script as gen.sh or download the pre-created script:
Download gen.sh
Run the following command to give the script execute permissions:
chmod +x gen.sh
Run the script to generate the certificates:
./gen.sh
The following files will be created:
- ca-key.pem: The CA's private key.
- ca-cert.pem: The CA's self-signed certificate.
- server-key.pem: The server's private key.
- server-cert.csr: The server's Certificate Signing Request (CSR).
- server-cert.pem: The server's signed certificate.
You can inspect the generated certificates and CSR using these commands:
- Inspect the CA certificate:
openssl x509 -in ca-cert.pem -noout -text
- Inspect the server certificate:
openssl x509 -in server-cert.pem -noout -text
- Inspect the CSR:
openssl req -in server-cert.csr -noout -text
- The script uses a 4096-bit RSA key for enhanced security.
- Ensure the openssl tool is installed and available in your PATH before running the script.
- Update the CASUBJ and SERVERSUBJ variables to match your organization's details.
If you encounter errors, ensure:
- You have write permissions in the directory.
- The openssl command is properly installed and configured.
Feel free to modify the script to fit your specific needs.