jaysh/free-ca

Simple OpenSSL wrappers to make managing a self-signed CA practical
FreeCA

FreeCA is a simple wrapper around OpenSSL to make generating signed certificates, with a self-signed CA, less of a headache.

OpenSSL is incredibly time-consuming to use effectively for what I felt was a reasonably simple use case. All I was trying to do was create a CA that I could use to sign SAN/UCC/Wildcard certificates. This turned out not to be an easy task - I found that very few online tutorials make it absolutely clear how to sign such certificates without modifying your global openssl.cnf.

How to use FreeCA

  1. Clone this repository via whichever method you prefer.

  2. Modify the req_distinguished_name of openssl.cnf to your liking.

  3. Create your own CA:

     $ ./generate_ca 
     Generating RSA private key, 4096 bit long modulus
     ...................................................++
     ......................................++
     e is 65537 (0x10001)
    
     Your CA is now ready to use (certificate: keypairs/ca/ca.crt, private key: keypairs/ca/ca.key)
    

    You should now proceed to install this certificate wherever you like (e.g. Firefox, Google Chrome). When prompted, trust it to identify websites.

  4. Issue certificates that support SAN/UCC/Wildcard names:

     $ ./generate_certificate web-server "*.example.com" "*.example.net"
     Generating RSA private key, 4096 bit long modulus
     ...............................++
     ................++
     e is 65537 (0x10001)
     Signature ok
     subject=/C=US/ST=CA/L=Example/O=Example/OU=Example/CN=example.com
     Getting CA Private Key
    
     Your certificate is now ready to use (certificate: keypairs/web-server.crt, private key: keypairs/web-server.key)
    

    This will leave you with a directory called keypairs, which contains all of your certificates:

     keypairs/
     ├── ca
     │   ├── ca.crt
     │   ├── ca.key
     │   └── ca.srl
     ├── web-server.crt
     └── web-server.key
    

    It holds both your CA certificate and key and the web-server certificate and key.

  5. (Optional) Verify that the SAN names are indeed in the certificate (output is snipped for brevity):

     $ openssl x509 -in keypairs/web-server.crt -noout -text
     ...
     X509v3 extensions:
         X509v3 Key Usage: 
             Key Encipherment, Data Encipherment
         X509v3 Extended Key Usage: 
             TLS Web Server Authentication
         X509v3 Subject Alternative Name: 
             DNS:*.example.com, DNS:*.example.net
     ...
    
  6. Install the certificate into your web server. In Nginx, append ca.crt to web-server.crt before using it, so the server presents the full chain to clients.
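The procedure in steps 3 to 5, as an added example that is not the project's own generate_ca / generate_certificate scripts: each certificate's SAN list is passed through a small per-certificate extension file, so the global openssl.cnf is never modified. It assumes openssl is in PATH; the function names, the WORKDIR variable (standing in for keypairs/) and the 2048-bit key size (chosen for speed; the project uses 4096) are this example's own choices.

```shell
#!/bin/sh
# Added example, not the project's scripts. Assumes: openssl in PATH.
# CA and leaf certificates land in $WORKDIR (the project's keypairs/ directory).
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed CA under "$WORKDIR/ca": ca.key + ca.crt (ca.srl appears on first signing).
make_ca() {
  mkdir -p "$WORKDIR/ca"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Local CA" \
    -keyout "$WORKDIR/ca/ca.key" -out "$WORKDIR/ca/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/ca/ca.csr" -signkey "$WORKDIR/ca/ca.key" -sha256 \
    -days 3650 -extfile "$WORKDIR/ca/ca.ext" -out "$WORKDIR/ca/ca.crt" 2>/dev/null
  rm -f "$WORKDIR/ca/ca.csr" "$WORKDIR/ca/ca.ext"
}

# issue_cert NAME SAN... -> "$WORKDIR/NAME.crt" and "$WORKDIR/NAME.key",
# e.g. issue_cert web-server "*.example.com" "*.example.net"
issue_cert() {
  name=$1; shift
  san=""
  for host in "$@"; do san="${san:+$san,}DNS:$host"; done
  ext="$WORKDIR/$name.ext"
  # Leaf extensions matching the README's step-5 output, plus the SAN list.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=keyEncipherment,dataEncipherment\n' > "$ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$san" >> "$ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$name.csr" -sha256 -days 825 \
    -CA "$WORKDIR/ca/ca.crt" -CAkey "$WORKDIR/ca/ca.key" -CAcreateserial \
    -extfile "$ext" -out "$WORKDIR/$name.crt" 2>/dev/null
  rm -f "$WORKDIR/$name.csr" "$ext"
}

# Print the SAN line of a certificate (the check done by eye in step 5).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 only if the leaf certificate chains to our CA.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca/ca.crt" "$1" >/dev/null 2>&1
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  make_ca; issue_cert web-server "*.example.com" "*.example.net"
  cert_sans "$WORKDIR/web-server.crt"; verify_chain "$WORKDIR/web-server.crt" && echo "chain OK"
fi
```

verify_chain is the check a browser performs before trusting the site: a certificate whose SAN list is right but which does not chain to the installed ca.crt is still rejected.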
