Simple file-based Certificate Authority with OpenSSL.
This is a simple certificate authority based on and built around the materials offered by e.g. Jamie Linux.
Before using this, also have a look at e.g. CFSSL. The scripts contained in this repository are a showcase / local-development implementation of a TLS certificate authority only, not a production-grade CA.
The shell script template used for the generator scripts is the MIT licensed script-template.sh by Maciej Radzikowski.
- a Bash scripting environment
- OpenSSL: the scripts require OpenSSL itself, not another implementation such as LibreSSL
- OpenSSH, for the SSH certificate authority
Install OpenSSL via e.g. Homebrew; macOS ships with LibreSSL, which is not supported. The path of the OpenSSL binary can be found with:
$ brew info openssl@3
# Documentation and Caveats...
If you need to have openssl@3 first in your PATH, run:
echo 'export PATH="/usr/local/opt/openssl@3/bin:$PATH"' >> /Users/ng/.bash_profile
# ...
# This means that openssl should be available at /usr/local/opt/openssl@3/bin/openssl
$ /usr/local/opt/openssl@3/bin/openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
You can now point the scripts at this binary with the parameter -l /usr/local/opt/openssl@3/bin/openssl.
Hint: the older OpenSSL 1.1 can also be used and works the same way.
Additionally, a GNU-compatible date binary is required, for example available via:
$ brew info coreutils
# Documentation and Caveats...
If you need to use these commands with their normal names, you can add a "gnubin" directory to your PATH with:
PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"
# ...
# This means that date should be available at /usr/local/opt/coreutils/libexec/gnubin/date
$ /usr/local/opt/coreutils/libexec/gnubin/date --version
date (GNU coreutils) 9.0
If you don't want to put this permanently onto your PATH you can simply prefix any ./scripts/*.sh invocation with PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH", i.e.:
$ PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH" ./scripts/host-certificate.sh
- For a Bash based environment it is easiest to use Git for Windows
- make sure to select the Windows Terminal Profile Fragment during installation for a better user experience later on
- also make sure to select the Windows Secure Channel library as the HTTPS backend if you plan on rolling out certificates to your machine; otherwise Git uses its own bundled CA bundle, which you would have to patch manually before it trusts your CA
- make sure to use "Checkout as-is, commit as-is" so that the line endings of existing files are not changed
- Git for Windows includes a compatible OpenSSH and a compatible OpenSSL version by default
- Instead of using the MinTTY console installed by Git, consider using Windows Terminal for a better user experience
- For a simple installation consider using Scoop
Check the help of each script for details on how to use it and what options are available.
./scripts/root-generator.sh --help
./scripts/intermediate-generator.sh --help
./scripts/ssh-generator.sh --help
./scripts/host-certificate.sh --help
HINT: Instead of using the parameters -p and -w to provide passwords inline you can also use the following environment variables: SIMPLE_CA_ROOT_PASSWORD, SIMPLE_CA_INTERMEDIATE_PASSWORD, SIMPLE_CA_SSH_PASSWORD. Prefer the environment variables: a password given on the command line is visible to other users of the machine in the process list and ends up in your shell history.
A secondary root_env.cnf exists that can be used if, instead of putting fixed values into an OpenSSL config file, you want to supply configuration values as environment variables.
- Adapt the configuration files in the config folder to your needs by changing the values in the [ req_distinguished_name ] section
- Generate a root certificate authority:
./scripts/root-generator.sh -p 'rootpassword' -c ./config/root.cnf -d ./data -n 'root-ca-name'
- Generate an intermediate certificate authority:
./scripts/intermediate-generator.sh -r ./data/root-ca-name \
  -w 'rootpassword' -g ./config/root.cnf \
  -p 'intermediatepassword' -c ./config/intermediate.cnf \
  -d ./data \
  -n 'intermediate-ca-name'
- Generate an SSH certificate authority:
./scripts/ssh-generator.sh -d ./data -n 'ssh-ca' -p 'sshpassword'
Once the initial setup is complete you can generate host/client certificates that are signed by the intermediate certificate authority and chain up to the root:
./scripts/host-certificate.sh -c ./config/intermediate.cnf -d ./data/intermediate-ca-name \
-p 'intermediatepassword' \
-n 'host cname' \
-t 'altname,altname.local' \
--client --server
Don't forget to read the documentation via --help to see what other flags and settings can be specified.
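As an added example that is not one of this repository's scripts, the shell script below builds the same kind of two-tier hierarchy (root, intermediate, host certificate) with plain openssl commands, takes the passphrases from the SIMPLE_CA_* environment variables instead of the command line, and then runs the checks you should also run against the files produced by host-certificate.sh: the leaf chains to the root via the intermediate, it is accepted for both the server and the client purpose, and it matches the names you expect. The subject names, hostnames, file names, validity periods and key sizes are assumptions chosen for the example, not values taken from the scripts or their config files.

```shell
#!/usr/bin/env bash
# Added example, not one of the repository's scripts: build a root -> intermediate
# -> host hierarchy with plain openssl commands and verify the result.
# Subject names, hostnames, file names and key sizes are assumptions.
set -eu

# Passphrases come from the environment (same variable names the scripts accept)
# and reach openssl via -passin/-passout env:VAR, so they never appear in argv
# where `ps` and the shell history would expose them.
: "${SIMPLE_CA_ROOT_PASSWORD:=rootpassword}"
: "${SIMPLE_CA_INTERMEDIATE_PASSWORD:=intermediatepassword}"
export SIMPLE_CA_ROOT_PASSWORD SIMPLE_CA_INTERMEDIATE_PASSWORD

# build_chain DIR: create root.crt, int.crt and host.crt (plus keys) in DIR.
build_chain() {
  local d="$1"
  mkdir -p "$d"

  # Root CA: self-signed, CA:TRUE, key restricted to signing certificates and CRLs.
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -passout env:SIMPLE_CA_ROOT_PASSWORD -out "$d/root.csr"
  cat > "$d/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -passin env:SIMPLE_CA_ROOT_PASSWORD -days 3650 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.crt"

  # Intermediate CA: signed by the root; pathlen:0 stops it from issuing sub-CAs.
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -passout env:SIMPLE_CA_INTERMEDIATE_PASSWORD -out "$d/int.csr"
  cat > "$d/int.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -passin env:SIMPLE_CA_ROOT_PASSWORD -CAcreateserial -days 1825 -sha256 \
    -extfile "$d/int.ext" -out "$d/int.crt"

  # Host certificate, roughly what --client --server with -t 'altname,altname.local'
  # amounts to: CA:FALSE, both EKUs, and every name the host is reached by in
  # subjectAltName (modern clients ignore the CN when matching names).
  # The host key is left unencrypted because it is deployed to the host.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=host.example.local" \
    -keyout "$d/host.key" -out "$d/host.csr"
  cat > "$d/host.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:host.example.local,DNS:altname.local
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  openssl x509 -req -in "$d/host.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -passin env:SIMPLE_CA_INTERMEDIATE_PASSWORD -CAcreateserial -days 397 -sha256 \
    -extfile "$d/host.ext" -out "$d/host.crt"

  # Chain file to deploy next to host.key: leaf first, then the intermediate.
  cat "$d/host.crt" "$d/int.crt" > "$d/host-chain.pem"
}

# verify_chain DIR PURPOSE: host.crt must chain to the root with the intermediate
# as an untrusted link and be usable for PURPOSE (sslserver or sslclient), which
# applies the keyUsage/extendedKeyUsage checks a TLS peer applies.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    -purpose "$2" "$1/host.crt" >/dev/null 2>&1
}

# verify_host DIR NAME: the same chain check plus name matching against the SANs.
verify_host() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    -verify_hostname "$2" "$1/host.crt" >/dev/null 2>&1
}

# without_intermediate_fails DIR: a leaf presented without its intermediate must
# be rejected; this confirms host.crt was issued by the intermediate, not the root.
without_intermediate_fails() {
  ! openssl verify -CAfile "$1/root.crt" "$1/host.crt" >/dev/null 2>&1
}

# Stand-alone run: build into a scratch directory and report the checks.
if [ "${1:-}" = "--run" ]; then
  W=$(mktemp -d)
  build_chain "$W"
  verify_chain "$W" sslserver && verify_chain "$W" sslclient && echo "chain and purposes: ok"
  verify_host "$W" altname.local && echo "SAN altname.local: ok"
  without_intermediate_fails "$W" && echo "rejected without intermediate: ok"
  openssl x509 -in "$W/host.crt" -noout -subject -ext subjectAltName,extendedKeyUsage
  rm -rf "$W"
fi
```

Run it with --run from a scratch directory. The three verify functions work unchanged against the output of the scripts once you substitute the root, intermediate and host certificate paths under ./data; a host certificate that passes verify_chain but fails verify_host for the name clients actually connect to is the most common mistake when -t is filled in incompletely.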