This is my CA.
I create and use quite a lot of certificates in my day job, and I finally got tired of creating a new certificate, trusting it, and so on, every single time.
The CA certificate is in the certificate directory.
The private key is included as well, because this is not really a Certificate Authority and I don't mind if certificates created with my CA start to appear anywhere on the globe. The flip side is that anyone with a copy of this repository can issue certificates for any name that a machine trusting this CA will accept, so add the CA only to the trust stores of test and development machines.
Add the CA certificate as trusted on RHEL-based Linux:
- Copy the certificate (as root) to the /etc/pki/ca-trust/source/anchors/ directory.
- Then update the trust store:
update-ca-trust extract
- Check that a certificate issued by the CA now validates against the system store (no -CAfile is needed once the anchor has been extracted):
openssl verify certificate.crt
- View the CA certificate using:
openssl x509 -in ca.crt -text -noout
The script create-certificate.sh creates new certificates signed by my CA.
sh create-certificate.sh -c <CN> [-f <filename>] <san1> [san2 san3 ...]
where:
- CN - the Common Name of the certificate subject.
- san1, san2, … - Subject Alternative Names (DNS names). At least one is required: clients match the host name against the SAN list, not against the CN, so the CN alone is not enough.
- filename - optional file name, without extension, for the key and certificate. The default is certificate, which gives certificate.crt and certificate.key. Note that existing files are overwritten without warning.
Command help:
Create certificates using CA.
Usage: /usr/local/bin/create-certificate.sh -c <CN> [-f <filename>] [<options>] <DNS SAN> [<DNS SAN> ...]
Options:
-h - This help.
-c - Certificate Common Name (CN).
-f <filename> - Filename, without extension, for the certificate and key (default: certificate).
-I "IP1 [IP2 ...]" - IP addresses to add as IP SAN.
-p - Print key and certificate files to system out.
-P - Print base64 encoded key and certificate to system out.
-v - View the certificate in the given file.
Note: SAN=Subject Alternative Name
A Docker container is also available.
- Run:
docker run -it --rm kazhar/certificate-authority
# with a local volume: certificates are written to the certs directory on the host
docker run -it --rm -v "$(pwd)/certs:/ca/certs" kazhar/certificate-authority
- Create certificates inside the container:
create-certificate.sh -c "Subject Name" -f mycertfile san1 san2
Create a certificate for the server web.myhome.local:
sh create-certificate.sh -c "My Home" web.myhome.local
Since -f was not given, the default file names are used: certificate file certificate.crt and key file certificate.key are created.
The decoded certificate looks similar to this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Sami, C=FI, O=Salkosuo
        Validity
            Not Before: Feb 13 12:09:51 2023 GMT
            Not After : Nov  9 12:09:51 2025 GMT
        Subject: CN=My Home
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            . . .
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:web.myhome.local
            . . .
Create a certificate for the image registry registry.myoffice.net, which is also reached as registry.dept1.net and secure-images.dept1.dev:
sh create-certificate.sh -f registry.myoffice.net -c "My Office" registry.myoffice.net registry.dept1.net secure-images.dept1.dev
Certificate file registry.myoffice.net.crt and key file registry.myoffice.net.key are created. The Common Name is My Office; all three host names go into the SAN list, which is what clients check.
The decoded certificate looks similar to this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Sami, C = FI, O = Salkosuo
        Validity
            Not Before: Feb 13 12:15:43 2023 GMT
            Not After : Nov  9 12:15:43 2025 GMT
        Subject: CN = My Office
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            . . .
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:registry.myoffice.net, DNS:registry.dept1.net, DNS:secure-images.dept1.dev
            . . .
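The two examples above are produced by the repository's script. As an added example that is not part of the repository, the POSIX shell script below issues the same kind of certificate with plain openssl commands (a CSR, then signing with the CA and an extension file that carries the SAN list) and then checks the result the way a TLS client would: chain validation against the CA plus host name matching against the SANs. The CA location ($CA_DIR holding ca.key and ca.crt), the make_ca helper that generates a throwaway CA when none is present, and the function names are assumptions made for this example, not the project's own layout.

```shell
#!/bin/sh
# Added example, not the repository's create-certificate.sh: issue a server
# certificate (CN plus DNS/IP SANs) signed by a local CA with plain openssl,
# then verify it like a client. Assumptions (not from the page): the CA lives
# in $CA_DIR as ca.key/ca.crt; a throwaway CA is generated if it is missing.
set -e

: "${CA_DIR:=./ca}"

# make_ca: create a self-signed CA with an explicit CA:TRUE basic constraint.
# Only here so the example runs stand-alone; the repository ships its own CA.
make_ca() {
    mkdir -p "$CA_DIR"
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
O = Example
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$CA_DIR/ca.cnf" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        >/dev/null 2>&1
}

# create_certificate CN FILE "IP1 IP2 ..." DNS [DNS ...]
# Same contract as the documented script (-c, -f, -I and the DNS SAN list):
# writes FILE.key and FILE.crt, and refuses to issue without a DNS SAN.
create_certificate() {
    [ $# -ge 4 ] || { echo "usage: create_certificate CN FILE \"IPs\" DNS..." >&2; return 1; }
    cn=$1; file=$2; ips=$3; shift 3
    [ -f "$CA_DIR/ca.key" ] || make_ca
    # Every remaining argument is a DNS SAN; $ips is split on whitespace into IP SANs.
    san=""
    for d in "$@"; do san="${san:+$san,}DNS:$d"; done
    for ip in $ips; do san="${san:+$san,}IP:$ip"; done
    # Extension file for the leaf: end-entity, server auth, and the SAN list.
    cat > "$file.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -config "$CA_DIR/ca.cnf" -keyout "$file.key" -out "$file.csr" >/dev/null 2>&1
    openssl x509 -req -in "$file.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$file.ext" -out "$file.crt" \
        >/dev/null 2>&1
    rm -f "$file.csr" "$file.ext"
}

# verify_certificate FILE HOSTNAME: chain check against the CA plus host name
# match against the SAN list, which is what browsers and curl actually check.
verify_certificate() {
    openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$2" "$1.crt" >/dev/null 2>&1
}

# san_of FILE: print the Subject Alternative Name line of FILE.crt.
san_of() {
    openssl x509 -in "$1.crt" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Stand-alone use: sh issue-cert.sh "<CN>" <file> "<ip list or empty>" <dns san>...
if [ $# -ge 4 ]; then
    create_certificate "$@"
    echo "issued $2.crt with SAN: $(san_of "$2")"
    verify_certificate "$2" "$4" && echo "chain and host name OK for $4"
fi
```

To reproduce the registry example: sh issue-cert.sh "My Office" registry.myoffice.net "" registry.myoffice.net registry.dept1.net secure-images.dept1.dev (an empty third argument means no IP SANs; a quoted list such as "10.0.0.5 10.0.0.6" mirrors the script's -I option). The -verify_hostname step is the check worth keeping around: a certificate whose CN is right but whose SAN list is missing the name fails it, just as it fails in browsers and curl, which match the host name against the SAN list rather than the CN.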