@dwallraff
Last active October 1, 2020 01:20

Quick and simple 'CA' signed cert (and learn some useful openssl commands)

This will NOT set up a 'proper' CA (no index, no CRL, no policy, nothing a real CA operator would recognise).
Nothing will trust it by default: you have to import rootCA.pem into the trust store of every client that should accept certs signed by it.
But it will give you a CA cert and key that you can use as your own 'trusted CA' for testing, labs, or internal tooling.


Step 1

First, we need to create a new key and a self-signed cert. This will be your new CA cert, so change the -subj values to something more appropriate (C= must be a two-letter country code, or openssl rejects the subject outright).
The rsa:4096 can be rsa:2048 if you're low on processing power and this isn't a super critical thing.
-nodes means the private key is written unencrypted. Remove it and openssl will prompt for a passphrase to encrypt the private key.
No -keyout is given, so the key lands in openssl's default output file, privkey.pem (it gets renamed in step 2).
If you plan on using this for more than testing, you should also change the number of -days the cert is valid for; 30 days is fine for a throwaway CA and not much else.

openssl req -x509 -new -nodes -newkey rsa:4096 -sha256 -days 30 -out rootCA.pem -subj "/C=CHANGEME/ST=CHANGEME/O=CHANGEME/CN=CHANGEME"

Step 2

When we create our device cert in step 4, openssl will again write the new key to privkey.pem and overwrite this one. So rename the root CA key now to something more explicitly named.

mv privkey.pem rootCA.key

Step 3

It's always good to verify that our key is for our cert (no news is good news here: diff prints nothing when the two public keys are identical).
This is also a useful check for any other cert/key pair you create, or after copying key files around. The 2>/dev/null only hides the "writing RSA key" notice that openssl rsa prints to stderr.

diff <(openssl x509 -in rootCA.pem -pubkey -noout) <(openssl rsa -in rootCA.key -pubout 2>/dev/null)

Step 4

Now we can generate our CSR (and, as a side effect, the device key).
If you don't need any extensions (e.g. SANs), you can use this one-liner. Just make sure to modify the -subj section. Keep in mind that current browsers ignore the CN and match hostnames against the subjectAltName only, so for anything that serves TLS use the alternate step below instead.

openssl req -new -newkey rsa:4096 -nodes -out cert.csr -subj "/C=CHANGEME/ST=CHANGEME/O=CHANGEME/CN=CHANGEME"


Alternate Step 4

If you have a more in-depth config (e.g. SANs), download this temp config file and add your values and SAN names. Then create a new CSR and key with that config file; -extensions names the section of the config that holds the request extensions. Again, the rsa:4096 can be rsa:2048 if you're low on processing power and this isn't a super critical thing.
And -nodes still means the key won't be encrypted. Remove it and you'll be prompted for a passphrase to encrypt the private key.

wget https://gist.githubusercontent.com/dwallraff/c1ed31291ac7cf19304b/raw/e06feacbb85ac63659e6c1c40c70d5481522b390/temp.cnf
openssl req -new -newkey rsa:4096 -nodes -out cert.csr -extensions server_req_extensions -config temp.cnf


Step 5

Always a good idea to rename your private key to something a little more useful. This is the device key that step 4 wrote to privkey.pem.

mv privkey.pem cert.key

Step 6

Verify the CSR's signature and subject (can't be too careful). Drop the grep to see the whole request; if you used the alternate step 4, the SANs show up under "Requested Extensions".

openssl req -text -noout -verify -in cert.csr | grep 'Subject:'

Step 7

Use your CA cert and key to create and sign the device cert. -CAcreateserial creates the serial number file (rootCA.srl) next to the CA cert on first use and increments it afterwards.
Change the number of -days you want the cert to be valid for if you want.
One caveat: openssl x509 -req does not copy extensions from the CSR into the certificate. If you built the CSR with SANs in the alternate step 4, pass the same config and section again with -extfile temp.cnf -extensions server_req_extensions (OpenSSL 3 also accepts -copy_extensions copy); otherwise the signed cert silently ends up with no SAN at all, and step 8 will not catch that.

openssl x509 -req -in cert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out cert.pem -days 365 -sha256

Step 8

Verify that your device cert chains to your CA cert. The output should be "cert.pem: OK" and the exit code 0; this checks the signature and validity period, not the extensions, so look at openssl x509 -text -noout -in cert.pem as well if you expected SANs.

openssl verify -CAfile rootCA.pem cert.pem
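The whole procedure as one script, added here as an example and not part of the original gist. It assumes only that openssl (1.1.1 or newer) is on PATH; the scratch directory, the subject values, the example.test names and the function names are made-up placeholders. Both config files are written from here-docs so nothing is downloaded, the CA gets explicit basicConstraints/keyUsage instead of whatever the system openssl.cnf provides, and step 7 is shown twice: once as the gist writes it, which drops the CSR's SAN, and once with -extfile, which keeps it.

```bash
#!/usr/bin/env bash
# Added example, not code from the gist: steps 1-8 as one script, assuming only
# that openssl (1.1.1 or newer) is on PATH. The directory, subject values and the
# example.test names are made-up placeholders.
set -e

# Both configs come from here-docs so nothing is downloaded. The CA extensions
# are spelled out instead of relying on the system openssl.cnf's v3_ca section.
write_configs() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca

[ ca_dn ]
C  = XX
O  = Example Test CA
CN = Example Test Root

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$1/leaf.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = leaf_dn
req_extensions = server_req_extensions

[ leaf_dn ]
C  = XX
O  = Example
CN = example.test

# Used twice: in the CSR (step 4) and again via -extfile when signing (step 7).
[ server_req_extensions ]
subjectAltName = DNS:example.test, DNS:www.example.test, IP:127.0.0.1
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Steps 1-2 in one go: -keyout names the CA key directly, no privkey.pem rename.
make_root_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
        -config "$1/ca.cnf" -keyout "$1/rootCA.key" -out "$1/rootCA.pem" 2>/dev/null
}

# Steps 4 (SAN variant) and 5: device key plus a CSR carrying the extensions section.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$1/leaf.cnf" -keyout "$1/cert.key" -out "$1/cert.csr" 2>/dev/null
}

# Step 7 exactly as the gist writes it: extensions in the CSR are NOT copied.
sign_csr_dropping_extensions() {
    openssl x509 -req -in "$1/cert.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 365 -sha256 -out "$1/cert-nosan.pem" 2>/dev/null
}

# Step 7 corrected: the same section is applied to the certificate via -extfile.
sign_csr_with_extensions() {
    openssl x509 -req -in "$1/cert.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 365 -sha256 -out "$1/cert.pem" \
        -extfile "$1/leaf.cnf" -extensions server_req_extensions 2>/dev/null
}

# Step 3: the cert's public key must equal the one derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# Step 6: the CSR's self-signature checks out.
csr_is_valid() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Step 8: the device cert chains to the root.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Modern clients match hostnames against the SAN only; check it actually survived.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Run the whole procedure in a scratch directory and print its path.
run_demo() {
    dir=$(mktemp -d)
    write_configs "$dir"
    make_root_ca "$dir"
    make_csr "$dir"
    sign_csr_dropping_extensions "$dir"
    sign_csr_with_extensions "$dir"
    printf '%s\n' "$dir"
}
```

After `run_demo`, both cert.pem and cert-nosan.pem pass `verify_chain`, which is exactly why step 8 alone is not enough: only cert.pem passes `cert_has_san`. `key_matches_cert` replaces the diff of step 3 with a comparison of SHA-256 digests of the two public keys, which behaves the same in a pipe-less script and does not depend on bash process substitution.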