Including certificate revocation and intermediate certificate authorities.
You should run these on a Linux system. In my configuration I store them under /CAs/scripts; if you want as few errors as possible, you might want to do the same. You obviously need OpenSSL (sudo apt install openssl on Debian/Ubuntu and derivatives).
- Remember that this generates private keys, so you probably don't want the CAs directory sitting on a public password-less FTP server.
- You should probably keep a backup of at least your root key and certificate on offline media (a dedicated microSD card hidden somewhere in your house or in a safe is a good option).
- You need to install the root certificate on every computer (both servers and clients) that will see certificates from your CA.
- Run this on a dedicated machine / VM, preferably in an air-gapped environment. That is probably difficult, but at least run it in a VirtualBox VM or similar and disable the machine's network access and things like forwarded USB devices.
- You can use the examples at the top of most of these shell files, but you should probably change some of the values to your own:
  - Change "Celati Root CA 1" to something more appropriate for you.
  - Change the distinguished-name details (CH, Fribourg, Attalens, Celati, Celati Security, firstname.lastname@example.org) to something that fits you.
  - My CRL distribution point is crl.celati.com. It should be pretty obvious that you should use your own. If you want to store your CRLs on my server, just contact me, but that will really be case-by-case. Change it at:
    - line 150 in gen_ca.sh
    - lines 163+174+186 in gen_intermediate_ca.sh
    - lines 116+129 in gen_client_cert.sh
    - lines 141+153 in gen_server_cert.sh
    - line 10 in check_end_cert_valid.sh
    - line 9 in check_intca_valid.sh
  - I do have an OCSP responder path in the certificates despite not yet having had time to set one up (it's surprisingly annoying), but again, change it to something that fits you:
    - line 147 in gen_ca.sh
    - lines 175+187 in gen_intermediate_ca.sh
    - lines 117+130 in gen_client_cert.sh
    - lines 142+154 in gen_server_cert.sh
The point of most of these scripts is automation: not having to manage a bunch of commands by hand. They also conveniently spit out PFX files for RDP (instructions are printed when generating server certs) and full chains in both orders, because I've found some software needs the reversed order.
If you need anything else added, I'd be happy to edit these scripts, as I'm currently using them in production (I mostly made this for running TLS interception on a pfSense box). I know OpenSSL can be pretty daunting, so that's also part of why I made this.
Also, if you want a good guide to OpenSSL, or feel like going manual, this is a very good one: Jamie Linux OpenSSL
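To show what the CRL distribution point and OCSP responder values above end up doing, and why the chain is written in both orders, here is an added stand-alone example (not one of the scripts in this repository): it builds a throwaway root, intermediate and server certificate in a temp directory with those extensions set, writes the chain leaf-first and root-first, then revokes the server cert and shows that a CRL-aware verify rejects it. The CA names, crl.example.org and ocsp.example.org are placeholders, not the author's values.

```shell
#!/bin/sh
# Added example, not one of the README's scripts. Builds root -> intermediate -> server in a temp dir,
# sets placeholder CRL DP / OCSP URLs as extensions, writes the chain in both orders, then revokes the
# server cert and publishes a CRL. All names and URLs are placeholders; substitute your own.
set -eu
DIR=$(mktemp -d)
CRL_URL="http://crl.example.org/int.crl"   # placeholder CRL distribution point
OCSP_URL="http://ocsp.example.org"          # placeholder OCSP responder
make_demo_pki() {
  cd "$DIR"
  # Tiny req config so the example does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > req.cnf
  # Root CA: self-signed. 2048-bit RSA keeps the demo fast; use a larger key for a real root.
  openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout root.key -out root.pem -subj "/C=XX/O=Example/CN=Example Root CA 1" 2>/dev/null
  # Intermediate CA: pathlen:0 means it may only sign end-entity certs; CRL DP and OCSP AIA added.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  printf 'crlDistributionPoints=URI:%s\nauthorityInfoAccess=OCSP;URI:%s\n' "$CRL_URL" "$OCSP_URL" >> int.ext
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/C=XX/O=Example/CN=Example Intermediate CA 1" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 180 -sha256 \
    -extfile int.ext -out int.pem 2>/dev/null
  # Server cert signed by the intermediate; the SAN is what clients actually match against.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:srv.example.org\n' > srv.ext
  printf 'crlDistributionPoints=URI:%s\nauthorityInfoAccess=OCSP;URI:%s\n' "$CRL_URL" "$OCSP_URL" >> srv.ext
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/CN=srv.example.org" 2>/dev/null
  openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial -days 90 -sha256 \
    -extfile srv.ext -out srv.pem 2>/dev/null
  # Full chain in both orders: leaf-first (what a TLS server sends) and root-first (what some software wants).
  cat srv.pem int.pem root.pem > chain_leaf_first.pem
  cat root.pem int.pem srv.pem > chain_root_first.pem
}
# Exit status 0 when srv.pem chains to root.pem through int.pem; with a CRL file as $1 it must also not be revoked.
verify_server() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$DIR/root.pem" -untrusted "$DIR/int.pem" -crl_check -CRLfile "$1" "$DIR/srv.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$DIR/root.pem" -untrusted "$DIR/int.pem" "$DIR/srv.pem" >/dev/null 2>&1
  fi
}
# Revoke srv.pem using a minimal 'openssl ca' database and publish the CRL as $DIR/int.crl.pem.
revoke_server() {
  cd "$DIR"; touch index.txt; echo 1000 > crlnumber; echo 01 > serial
  printf '[ca]\ndefault_ca=int\n[int]\ndir=%s\ndatabase=$dir/index.txt\nserial=$dir/serial\n' "$DIR" > ca.cnf
  printf 'crlnumber=$dir/crlnumber\nnew_certs_dir=$dir\ncertificate=$dir/int.pem\nprivate_key=$dir/int.key\ndefault_md=sha256\ndefault_crl_days=7\n' >> ca.cnf
  openssl ca -config ca.cnf -revoke srv.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out int.crl.pem >/dev/null 2>&1
}
```

Run make_demo_pki, then verify_server (succeeds), then revoke_server followed by verify_server "$DIR/int.crl.pem" (fails with "certificate revoked"); inspect int.pem with openssl x509 -noout -text to see the CRL and OCSP URIs the README tells you to change.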