Shell scripts to manage a private Certificate Authority using OpenSSL
Notice: If you are looking for a way to use SSL certs on public host addresses, please consider using the Let's Encrypt project! It's free, it's automated and it is already trusted by common browsers, so you won't have to touch your users' chain of trust. For private addresses (i.e. `myhost`, `myhost.mydomain`, `10.0.0.1`, etc.) Let's Encrypt can't issue certificates, so this project could be very useful.
Tired of the really-complicated-stuff on the internet about how to create and maintain self-managed certificates? Me too! That's why I've created this simple project to:
1. Set sane defaults (`rsa`/`sha256`/`2048` bits keys) via a config file (`openssl.conf`)
2. (`create_ca_key.sh`) create your own Certificate Authority to sign certificates
3. (`create_csr.sh`) create keys and certificate signing requests (CSR) for your apps
4. (`sign_csr.sh`) sign your CSRs
5. (`create_crt.sh`) perform (3) and (4) in one step.

Usage:

1. Run `create_ca_key.sh` to create your root CA certificate and private key. The root CA certificate will be stored in the `./CA` folder as `ca.crt` and the private key in `./CA/private/ca.key`. Call this script only once: it overwrites any existing CA key and CA certificate already present in the repo, and every certificate signed with the old key stops chaining to the new `ca.crt`.
2. Run `create_crt.sh <app_name>`. The key, CSR and certificate generated will be stored as `./out/<app_name>.<key|csr|crt>`.
3. Install `./CA/ca.crt` into your local store of trusted certificates (on Ubuntu this can be done by copying the file, keeping the `.crt` extension, to `/usr/local/share/ca-certificates/` and running `update-ca-certificates` as root). Firefox and Chromium keep their own NSS trust stores and do not read the system one, so they need to be configured separately. The nice thing is that what you are really doing is building your own chain of trust, managed by you.

Warning: Adding `ca.crt` to your list of trusted CAs means that your PC will trust any certificate signed by `./CA/private/ca.key`. Whoever holds that key can impersonate any website to the PCs that trust this cert, so keep the key private!! (Ideally offline.)
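The three steps above written out as plain `openssl(1)` invocations, added here as an illustration and not the project's own scripts. The file layout (`./CA/ca.crt`, `./CA/private/ca.key`, `./out/<app_name>.{key,csr,crt}`) follows the README; the subject names, the 3650- and 825-day lifetimes, the minimal stand-in config file, the refusal to overwrite an existing CA key and the SAN handling (`IP:` for an address such as `10.0.0.1`, `DNS:` for a hostname) are this example's own assumptions. It stops short of installing `ca.crt` into the system store, which needs root.

```shell
#!/bin/sh
# Added example, not the project's scripts: CA creation, app key + CSR,
# signing and verification as plain openssl(1) calls.  Everything is
# written under a work directory passed as the first argument.
set -eu

# Minimal stand-in for the project's openssl.conf (assumed contents):
# the same rsa/sha256/2048 defaults, with the subject supplied via -subj.
write_conf() {
    cat > "$1/openssl.conf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName         = Common Name
EOF
}

# Step 1: CA private key plus a self-signed CA certificate (assumed lifetime
# 3650 days).  Unlike the README's script, this refuses to overwrite a CA.
create_ca_key() {
    local root="$1"
    mkdir -p "$root/CA/private"
    chmod 700 "$root/CA/private"
    if [ -e "$root/CA/private/ca.key" ]; then
        echo "refusing to overwrite $root/CA/private/ca.key" >&2
        return 1
    fi
    write_conf "$root"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$root/CA/private/ca.key" 2>/dev/null
    chmod 600 "$root/CA/private/ca.key"
    # CA extensions: mark it as a CA and limit the key to signing certs/CRLs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$root/CA/ca.ext"
    openssl req -new -config "$root/openssl.conf" -key "$root/CA/private/ca.key" \
        -subj "/CN=Example Private CA" -out "$root/CA/ca.csr"
    openssl x509 -req -sha256 -days 3650 -in "$root/CA/ca.csr" \
        -signkey "$root/CA/private/ca.key" -extfile "$root/CA/ca.ext" \
        -out "$root/CA/ca.crt"
}

# Step 2a (create_csr.sh): app key and CSR in ./out.
create_csr() {
    local root="$1" app="$2"
    mkdir -p "$root/out"
    write_conf "$root"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$root/out/$app.key" 2>/dev/null
    chmod 600 "$root/out/$app.key"
    openssl req -new -config "$root/openssl.conf" -key "$root/out/$app.key" \
        -subj "/CN=$app" -out "$root/out/$app.csr"
}

# Browsers ignore the CN and require a subjectAltName; a dotted-quad
# address must be tagged IP:, a hostname DNS:.
san_for() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) printf 'IP:%s' "$1" ;;
        *)                           printf 'DNS:%s' "$1" ;;
    esac
}

# Step 2b (sign_csr.sh): issue a leaf cert (assumed lifetime 825 days).
sign_csr() {
    local root="$1" app="$2"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$(san_for "$app")" > "$root/out/$app.ext"
    openssl x509 -req -sha256 -days 825 -in "$root/out/$app.csr" \
        -CA "$root/CA/ca.crt" -CAkey "$root/CA/private/ca.key" -CAcreateserial \
        -extfile "$root/out/$app.ext" -out "$root/out/$app.crt"
}

# create_crt.sh equivalent: steps 2a and 2b in one go.
create_crt() {
    create_csr "$1" "$2"
    sign_csr "$1" "$2"
}

# Step 3 check: does the leaf chain to our CA?  (Installing ca.crt into the
# system store is left to the README's instructions.)
verify_crt() {
    local root="$1" app="$2"
    openssl verify -CAfile "$root/CA/ca.crt" "$root/out/$app.crt" >/dev/null
}

demo() {
    local root
    root="$(mktemp -d)"
    create_ca_key "$root"
    create_crt "$root" myhost.mydomain
    verify_crt "$root" myhost.mydomain &&
        echo "OK: $root/out/myhost.mydomain.crt verifies against $root/CA/ca.crt"
}

# Run the walk-through only when openssl(1) is present.
if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found; skipping demo" >&2; fi
```

Inspect the result with `openssl x509 -in out/myhost.mydomain.crt -noout -text`: the SAN line should read `DNS:myhost.mydomain`, and for `create_crt "$dir" 10.0.0.1` it should read `IP Address:10.0.0.1`. Calling `create_ca_key` a second time on the same directory fails instead of silently replacing the CA.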
The `openssl.conf` file manages various defaults for cert creation. I tried not to include insane parameters, but you should really review them to check that they match your definition of sanity.
It is also possible to uncomment the defaults (under the `req_distinguished_name` section) if you want to save some keystrokes by pre-completing some boring cert fields.