Certificate Authority

This is my CA.

I am creating and using quite a lot of certificates in my day job and finally I got tired of always creating new certificate and trusting it and so on.

CA certificate

In certificate-directory there is the CA certificate.

Key is also included because I am not really a Certificate Authority and I don’t mind if certificates created with my CA starts to appear anywhere in the globe.

Add CA-certificate as trusted in RHEL-based Linux:

• Copy certificate to /etc/pki/ca-trust/source/anchors/ directory.

• Then update ca-certificates:

update-ca-trust extract

• View certificate using:

openssl x509 -in ca.crt -text -noout

Create certificates

The script create-certificate.sh is used to create new certificates signed by my CA.

sh create-certificate.sh -c <CN> [-f filename] [san1 san2 san3 ...]

where:

• CN - the common name.

• san1, san2, …​ - Subject Alternative Name. Required list of one or more SANs.

• filename - optional filename. Default filename is certificate. Note that existing files are overwritten without warning.

Command help:

Create certificates using CA.

Usage: /usr/local/bin/create-certificate.sh -c <CN> [-f <filename>] [<options>] <DNS SAN> [<DNS SAN> ...]

Options:
 -h                   - This help.
 -c                   - Certificate Common Name (CN).
 -f <filename>        - Filename, without extension, for the certificate and key (default: certificate).
 -I "IP1 [IP2 ...]" - IP addresses to add as IP SAN.
 -p                   - Print key and certificate files to system out.
 -P                   - Print base64 encoded key and certificate to system out.
 -v                   - View the certificate in the given file.

Note: SAN=Subject Alternative Name

Docker

Docker container is available.

• Run:

docker run -it --rm kazhar/certificate-authority

#with local volume, certificates are created in certs-directory
docker run -it --rm -v ./certs:/ca/certs kazhar/certificate-authority

• Create certificates inside container:

create-certificate.sh -c "Subject Name" -f mycertfile san1 san2

Examples

Create certificate for server web.myhome.local.

sh create-certificate.sh -c "My Home" web.myhome.local

Certificate file certificate.crt and key file certificate.key are created.

Decoded certificate looks similar to this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Sami, C=FI, O=Salkosuo
        Validity
            Not Before: Feb 13 12:09:51 2023 GMT
            Not After : Nov  9 12:09:51 2025 GMT
        Subject: CN=My Home
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                . . .
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:web.myhome.local
    . . .

Create certificate for image registry registry.myoffice.net that is also called using registry.dept1.net and secure-images.dept1.dev.

sh create-certificate.sh -f registry.myoffice.net -c "My Office" registry.myoffice.net registry.dept1.net secure-images.dept1.dev

Certificate file registry.myoffice.net.crt and key file registry.myoffice.net.key are created. Common Name is My Office.

Decoded certificate looks similar to this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Sami, C = FI, O = Salkosuo
        Validity
            Not Before: Feb 13 12:15:43 2023 GMT
            Not After : Nov  9 12:15:43 2025 GMT
        Subject: CN = My Office
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                . . .
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:registry.myoffice.net, DNS:registry.dept1.net, DNS:secure-images.dept1.dev
    . . .