authorYuuta Liang <yuuta@yuuta.moe>2023-06-22 14:06:13 -0700
committerYuuta Liang <yuuta@yuuta.moe>2023-06-22 14:06:13 -0700
commit23155a3726a0bd4224fa9881bf0ae5cb6a936d19 (patch)
tree36bdeb4f05f9bb69fb37c85a88494c4494573762
First commit
-rw-r--r--.gitignore1
-rw-r--r--Makefile47
-rw-r--r--README.md5
-rw-r--r--ca.cnf108
4 files changed, 161 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..237b712
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+ca.key
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..f4170ba
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,47 @@
+.POSIX:
+
+ca.crl: crlnumber index.txt
+ openssl ca \
+ -verbose \
+ -config ca.cnf \
+ -gencrl \
+ -out ca.crl
+
+revoke:
+ openssl ca \
+ -verbose \
+ -config ca.cnf \
+ -revoke sub.crt
+
+sub.crt: sub.csr
+ mkdir -p newcerts
+ touch index.txt
+ openssl ca \
+ -verbose \
+ -config ca.cnf \
+ -extensions extensions_sub \
+ -notext \
+ -rand_serial \
+ -in sub.csr \
+ -out sub.crt
+
+ca.crt:
+ openssl req \
+ -verbose \
+ -config ca.cnf \
+ -new \
+ -x509 \
+ -key ca.key \
+ -days 9132 \
+ -out ca.crt
+
+ca.key:
+ openssl genrsa -aes256 -out ca.key 4096
+
+crlnumber:
+ echo 0000 > crlnumber
+
+reset:
+ echo "!!! THIS WILL RESET EVERYTHING, INCLUDING PRIVATE KEYS !!!"
+ # sleep 5
+ rm -rf newcerts serial index.txt* private certs sub.csr crlnumber* ca.crl ca.crt sub.crt
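Review bot: The `reset` recipe prints a warning that private keys will be wiped, but `ca.key` is not in the `rm -rf` list and the only delay, `# sleep 5`, is commented out, so the message is inaccurate and there is no chance to abort before the CA database (`index.txt*`, `crlnumber*`, `ca.crl`) and the issued certificates are destroyed. Either make the message match what is actually removed or add a confirmation step on the line before the `rm`, e.g. `@printf 'Type yes to continue: ' && read ans && [ "$$ans" = yes ]`, which makes the recipe stop there unless the operator confirms. Declaring `.PHONY: revoke reset` would also keep both targets from being silently skipped if a file with either name appears in the working directory.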
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9f6aa06
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# CA
+
+Yet-another OpenSSL-based internal root CA
+
+`Makefile` is provided for referencing purposes only.
diff --git a/ca.cnf b/ca.cnf
new file mode 100644
index 0000000..ff1718d
--- /dev/null
+++ b/ca.cnf
@@ -0,0 +1,108 @@
+[ ca ]
+default_ca = CA
+
+[ CA ]
+# Database
+dir = .
+certs = $dir/certs/
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+# Although we use $ openssl ca -rand_serial, this seems necessary.
+serial = $dir/serial
+RANDFILE = $dir/.rand
+
+private_key = $dir/ca.key
+certificate = $dir/ca.crt
+
+# CRL
+crlnumber = $dir/crlnumber
+crl = $dir/ca.crl
+crl_extensions = crl_ext
+# Root CA CRL: 1 year
+default_crl_days = 365
+
+# Cryptography
+default_md = sha512
+
+# Policy
+name_opt = ca_default
+cert_opt = ca_default
+# Intermediate CA: 5 years
+default_days = 1826
+preserve = no
+policy = policy_ca
+
+[ policy_ca ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+distinguished_name = req_dn
+string_mask = utf8only
+
+# s/sha512/sha256/, according to Jimmy (isrg uses sha256)
+default_md = sha256
+
+x509_extensions = extensions
+
+[ req_dn ]
+commonName = Common Name
+countryName = Country Name (2 letter code)
+# For simplicity
+#stateOrProvinceName = State or Province Name
+#localityName = Locality Name
+#0.organizationName = Organization Name
+# CAB Baseline (BR) v2.0.0
+# OU name must not present
+# Email address is not recommended (as per Jimmy)
+#organizationalUnitName = Organizational Unit Name
+#emailAddress = Email Address
+
+commonName_default = Yuuta Root CA
+countryName_default = CA
+#stateOrProvinceName_default = British Columbia
+#localityName_default = Vancouver
+#0.organizationName_default = Yuuta Home
+#organizationalUnitName_default = IT
+#emailAddress_default = yuuta@yuuta.moe
+
+[ extensions ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+# Seems like it is completely unnecessary to put CRL and AIA in RootCA
+# because they point to the issuer's info.
+# crlDistributionPoints = crldp
+# Because I don't have a real OID
+#certificatePolicies = @polset
+# Seems like it is unnecessary.
+#authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+[ extensions_sub ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen: 0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+crlDistributionPoints = crldp
+authorityInfoAccess = caIssuers;URI:http://home.yuuta.moe/pki/rootca.crt
+
+#[ polset ]
+#policyIdentifier = 1.3.6.1.4.1.191981.5.1.1
+#CPS.1 = "http://home.yuuta.moe/pki/policy"
+#userNotice.1 = @polset_notice
+#
+#[ polset_notice ]
+#explicitText = "This certificate authority is for internal use only."
+
+[ crldp ]
+fullname = URI:http://home.yuuta.moe/pki/rootca.crl
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
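Review bot: The `[ CA ]` section relies on `copy_extensions` being left unset, which is what keeps a subordinate CSR from carrying its own basicConstraints or subjectAltName into the issued certificate, yet nothing in the file records that this is deliberate, so a later `copy_extensions = copy` added for convenience would quietly hand extension control to the requester. A comment above `policy = policy_ca` would pin the intent: `# copy_extensions is intentionally unset (default: none): CSR extensions are ignored and only extensions_sub is applied.` The trailing slash in `certs = $dir/certs/` is also inconsistent with the other `$dir/...` paths in the same section.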