What is CApen-SSL?
CApen-SSL (for Certification Autority OpenSSL) is a wrapper to facilitate the creation of a certification autority and server certificates using only OpenSSL commands.
CApen-SSL works with a main script named build-certs. The build-certs script will wait for the input of values to build a certificate (examples below).
CApen-SSL works in a way that first builds one root certificate autority, then the intermediate autority and finally server certificates.
The CA scripts generated by build-certs will be named rootca.crt for the root autority and intca.crt for the intermediate autority. The server certificates will be named with the FQDN you give.
Create manually own certificate autority
Create the root certificate autority, example configuration
openssl req -x509 -nodes -newkey rsa:4096 -days 3650 -extensions v3_ca -subj "/C=FR/ST=Ile-de-France/O=FictOrg/OU=Engineers/L=Paris/CN=FictOrg ROOT CA" -keyout out/ca/keys/rootca.key -out out/ca/certs/rootca.crt -config confs/ca.cnf
Create the private key for the intermediate certificate
openssl genrsa -out out/ca/keys/intca.key 4096
Create the CSR to sign the intermediate CA with the root CA
openssl req -sha256 -new -subj "/C=FR/ST=Ile-de-France/O=FictOrg/OU=Engineers/L=Paris/CN=FictOrg INT CA" -key out/ca/keys/intca.key -out out/ca/csr/intca.csr
Sign the CSR with the root certificate
openssl ca -batch -config confs/ca.cnf -days 1825 -extensions v3_ca -subj "/C=FR/ST=Ile-de-France/O=FictOrg/OU=Engineers/L=Paris/CN=FictOrg INT CA" -notext -in out/ca/csr/intca.csr -out out/ca/certs/intca.crt
Create a private key for the server certificate
openssl genrsa -out out/server/keys/test.test.lan.key 4096
Create the CSR with the intermediate certificate
openssl req -new -key out/server/keys/test.test.lan.key -out out/server/csr/test.test.lan.csr -config confs/server.cnf
Sign the CSR with the intermediate certificate
openssl x509 -req -in out/server/csr/test.test.lan.csr -CA out/ca/certs/intca.crt -CAkey out/ca/keys/intca.key -CAcreateserial -out out/server/certs/test.test.lan.crt -days 365 -sha512 -extfile confs/server.cnf
Use the build-certs script (BASH wrapper, recommended method)
Root certificate autority (example values, but all below arguments have to be mentioned, in any order)
./build-certs --country FR --province 'Ile-de-France' --locality Paris --organization FictOrg --unit Engineers --domain 'FicOrg ROOT CA' --days 3650 --root
Intermediate certification autority (example values, but all below arguments have to be mentioned, in any order)
./build-certs --country FR --province 'Ile-de-France' --locality Paris --organization FictOrg --unit Engineers --domain 'FictOrg INT CA' --days 1825 --intermediate
Server certificate (example values, but all below arguments have to be mentioned, in any order)
./build-certs --country FR --province 'Ile-de-France' --locality Paris --organization FictOrg --unit Engineers --domain 'test.test.lan' --days 365 --server
Client certificate (example values, but all below arguments have to be mentioned, in any order)
./build-certs --country FR --province 'Ile-de-France' --locality Paris --organization FictOrg --unit Engineers --domain 'test.test.lan' --days 365 --client
Purge
Clean all files generated by the wrapper and commands (certs, ca, csr and private keys)
./build-certs --clean-files
Clean the database generated by the wrapper and commands
./build-certs --clean-database
Clean the configuration generated by the wrapper (certificates informations)
./build-certs --clean-confs
Credits
Kevin Chevreuil 2022-2023 GNU GPLv3