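#!/usr/bin/env bash
# Generate a throw-away PKI for local TLS / mutual-TLS testing:
#   $DIR/ca      - self-signed root CA (key + cert + serial file)
#   $DIR/server  - server key/cert issued for $FQDN
#   $DIR/client  - "app" client (trusted), "fake" client and a short-lived
#                  "expired" client, plus a PKCS#12 bundle of the app client
#   $DIR/tmp     - CSRs and extension files (scratch)
#
# Usage:  FQDN=myhost.local DIR=./etc/certs2 ./this-script.sh
# Env:    FQDN      host name or IPv4 address the server cert is issued for
#         DIR       output directory, created if missing
#         P12_PASS  optional export passphrase for app-client.p12; openssl
#                   prompts interactively when it is unset
#
# Everything here is test material: keys are written unencrypted (-nodes) and
# the CA subject is deliberately bogus. Do not reuse outside a lab.
set -euo pipefail

FQDN="${FQDN:-127.0.0.1}"
DIR="${DIR:-./etc/certs2}"
readonly FQDN DIR

#######################################
# Generate a 2048-bit RSA private key (no passphrase -- test material only).
# Arguments: $1 - output path
#######################################
make_key() {
  openssl genrsa -out "$1" 2048
}

#######################################
# Create a certificate signing request for an existing key.
# Arguments: $1 - key path, $2 - CSR output path, $3 - subject (/C=.../CN=...)
#######################################
make_csr() {
  openssl req -new -key "$1" -out "$2" -subj "$3"
}

#######################################
# Sign a CSR with the root CA created by this script.
# Globals:   DIR (read)
# Arguments: $1 - CSR path, $2 - certificate output path, $3 - validity in days,
#            $4 - optional extension file passed to -extfile
# -CAcreateserial creates $DIR/ca/root-ca.srl on first use and reuses it later.
#######################################
sign_with_root_ca() {
  local csr=$1 out=$2 days=$3 extfile=${4:-}
  local -a args=(
    x509 -req -in "$csr"
    -CA "$DIR/ca/root-ca.crt.pem" -CAkey "$DIR/ca/root-ca.key.pem" -CAcreateserial
    -out "$out" -days "$days"
  )
  if [[ -n "$extfile" ]]; then
    args+=(-extfile "$extfile")
  fi
  openssl "${args[@]}"
}

echo "Creating keys for $FQDN"

# make directories to work from
for sub in client ca tmp server; do
  mkdir -p -- "$DIR/$sub"
done

# Create your very own Root Certificate Authority
make_key "$DIR/ca/root-ca.key.pem"

# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like
openssl req -x509 -new -nodes -key "$DIR/ca/root-ca.key.pem" -days 3652 \
  -out "$DIR/ca/root-ca.crt.pem" \
  -subj "/C=AU/ST=NSW/L=Sydney/O=Apigeek Signing Authority/CN=example.com"

# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: the CN alone is not enough: current browsers and TLS libraries match
# the host against subjectAltName and ignore CN, so the server cert carries a
# SAN for $FQDN (IP: form for an IPv4 literal, DNS: form otherwise).
make_key "$DIR/server/server.key.pem"

if [[ "$FQDN" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
  server_san="IP:${FQDN}"
else
  server_san="DNS:${FQDN}"
fi
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
  "$server_san" > "$DIR/tmp/server.ext"
# Client leaf certs: usable for client auth only, never as an intermediate CA.
printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$DIR/tmp/client.ext"

# Create a request from your Device, which your Root CA will sign
make_csr "$DIR/server/server.key.pem" "$DIR/tmp/server.csr.pem" \
  "/C=AU/ST=NSW/L=Sydney/O=Apigeek Service/CN=${FQDN}"

# Sign the request from Device with your Root CA
sign_with_root_ca "$DIR/tmp/server.csr.pem" "$DIR/server/server.crt.pem" 1095 \
  "$DIR/tmp/server.ext"

# Create a public key, for funzies
#openssl rsa -in "$DIR/server/server.key.pem" -pubout -out "$DIR/client/server.pub"

#
# Create a Device Certificate for each trusted client
# such as example.net, *.example.net, awesome.example.net
make_key "$DIR/client/app-client.key.pem"

# Create a trusted client cert
make_csr "$DIR/client/app-client.key.pem" "$DIR/tmp/app-client.csr.pem" \
  "/C=AU/ST=NSW/L=Sydney/O=Apigeek App Client/CN=client.example.net"

# Sign the request from Trusted Client with your Root CA
sign_with_root_ca "$DIR/tmp/app-client.csr.pem" "$DIR/client/app-client.crt.pem" 1095 \
  "$DIR/tmp/client.ext"

# FAKE CLIENT
# NOTE(review): this cert is issued by the same root CA, so it chains and
# validates exactly like the app client; only its subject differs. It exercises
# CN/subject-based authorisation, not rejection of an untrusted issuer -- for
# the latter the cert would have to be self-signed or come from another CA.
make_key "$DIR/client/fake-client.key.pem"

make_csr "$DIR/client/fake-client.key.pem" "$DIR/tmp/fake-client.csr.pem" \
  "/C=AU/ST=NSW/L=Sydney/O=Fake Client/CN=fake.com"

sign_with_root_ca "$DIR/tmp/fake-client.csr.pem" "$DIR/client/fake-client.crt.pem" 1095 \
  "$DIR/tmp/client.ext"

# EXPIRED CLIENT
# The cert is signed from the expired client's OWN request so that
# expired-client.key.pem and expired-client.crt.pem actually belong together
# (signing the app-client CSR here would leave a key/cert mismatch).
# -days 1 only makes it short-lived: it is valid for 24 hours after creation
# and then expires, so "expired" tests must run after that window.
make_key "$DIR/client/expired-client.key.pem"

make_csr "$DIR/client/expired-client.key.pem" "$DIR/tmp/expired-client.csr.pem" \
  "/C=AU/ST=NSW/L=Sydney/O=Apigeek App Client/CN=expired.example.net"

sign_with_root_ca "$DIR/tmp/expired-client.csr.pem" "$DIR/client/expired-client.crt.pem" 1 \
  "$DIR/tmp/client.ext"

# Needed for Safari, Chrome, and other Apps in OS X Keychain Access
echo ""
echo ""
echo "You must create a p12 passphrase. Consider using 'secret' for testing and demo purposes."

p12_args=(
  pkcs12 -export
  -in "$DIR/client/app-client.crt.pem" -inkey "$DIR/client/app-client.key.pem"
  -out "$DIR/client/app-client.p12"
)
if [[ -n "${P12_PASS:-}" ]]; then
  # Read by openssl from its environment (env:), not from argv, so the
  # passphrase does not show up in `ps` or shell traces.
  export P12_PASS
  p12_args+=(-passout env:P12_PASS)
fi
openssl "${p12_args[@]}"
echo ""
echo ""

# Create a public key, for funzies
#openssl rsa -in "$DIR/client/app-client.key.pem" -pubout -out "$DIR/client/app-client.pub"

# Put things in their proper place: the trust anchor next to each leaf, which
# is also the path the closing message points at.
cp -- "$DIR/ca/root-ca.crt.pem" "$DIR/server/"
cp -- "$DIR/ca/root-ca.crt.pem" "$DIR/client/"

if command -v tree >/dev/null 2>&1; then
  tree "$DIR"
else
  find "$DIR"
fi

echo ""
echo ""
echo "Remember to open $DIR/client/root-ca.crt.pem and $DIR/client/app-client.p12"
echo "in Keychain Access on OS X / iOS if you wish to test your site with Safari, Chrome, etc"
echo ""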
