I use this lightweight set of scripts to manage my own internal certificate authority, and I share them with you. My scripts are based on Be your own CA and Docker CA.
Features:
- Manage a personal certificate authority.
- Server SAN certificates (Subject Alternative Name).
- Client certificates for TLS mutual authentication.
- Create Java keystores from the X.509 certificates.
System requirements
- GNU/Linux (other platforms untested)
- openssl tools installed
Execute setup_ca.sh from the root directory of the repository. When executed it creates the openssl myCA directory structure for a managed certificate authority. All certificate authority information and management files are located within the myCA directory.

```
./setup_ca.sh
```

Customize the subject.

```
./setup_ca.sh -subj '/C=US/ST=Pennsylvania/L=Philadelphia/O=Example Domain/OU=Systems/CN=Super Root CA'
```
Environment variables:
- CERT_DIR - the directory where the certificate authority certificates and other client/server certificates are output.
- REQ_OPTS - additional options to pass to the openssl req command in a script.

e.g.

```
CERT_DIR="/tmp/myCA" ./setup_ca.sh
```
```
# server certificates
./server_cert.sh example.com
# client certificates
./client_cert.sh [email protected]
```

A new signed certificate will be placed in ./myCA/certs/ and the private key will be in ./myCA/private/.

Issue a wildcard certificate.

```
bash -f ./server_cert.sh '*.example.com'
```
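As an added example (not one of the repository's scripts), this shell function checks a freshly issued server certificate the way a client will: it must chain to the CA, the hostname must be in the SAN (the CN is ignored by modern browsers), and its validity must not exceed the 398-day Apple limit noted in the security tips below. The demo CA and leaf certificates are constructed inline in a temp directory; myCA file names in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the repository. Needs only the openssl CLI and
# GNU date (the scripts already assume GNU/Linux).
set -eu

# check_issued_cert CA_CERT LEAF_CERT HOSTNAME -> returns 0 if OK, 1 otherwise.
# e.g. check_issued_cert myCA/ca.pem myCA/certs/example.com.pem example.com (assumed paths)
check_issued_cert() {
  local ca="$1" leaf="$2" host="$3" nb na secs
  # 1. The leaf must chain to (be signed by) the CA certificate.
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
    || { echo "chain verification failed for $leaf" >&2; return 1; }
  # 2. Clients ignore the CN, so the name must appear in the SAN. Exact
  #    fixed-string match, so a wildcard name like *.example.com also works.
  openssl x509 -in "$leaf" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:${host}" \
    || { echo "$host is not in subjectAltName" >&2; return 1; }
  # 3. Apple devices reject leaf certificates valid for more than 398 days.
  nb=$(openssl x509 -in "$leaf" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$leaf" -noout -enddate | cut -d= -f2)
  secs=$(( $(date -d "$na" +%s) - $(date -d "$nb" +%s) ))
  [ "$secs" -le $((398 * 86400)) ] \
    || { echo "valid for $((secs / 86400)) days, more than 398" >&2; return 1; }
}

# build_demo DIR: constructed throwaway CA plus two example.com leaf certs
# (SAN: example.com, www.example.com) valid for 397 and 730 days.
build_demo() {
  local d="$1"
  cat >"$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[srv_ext]
subjectAltName = DNS:example.com,DNS:www.example.com
EOF
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Demo Root CA' -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=example.com' -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  for days in 397 730; do
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days "$days" -extfile "$d/demo.cnf" -extensions srv_ext \
      -out "$d/srv-$days.pem" 2>/dev/null
  done
}
```

Point check_issued_cert at the CA certificate and a file from ./myCA/certs/ to vet a certificate before installing it; the 730-day demo certificate fails the third check even though it chains correctly.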
```
./revoke_cert.sh example.com
```

A new certificate revocation list (CRL) will be generated. The latest is stored in ./myCA/crl.pem and any previously published CRLs can be viewed at ./myCA/crl/crl_*.pem. A backup of the certificate and key will be maintained in ./myCA/backup, which is created automatically. The revoked certificate will be removed from ./myCA/certs and the key will be removed from ./myCA/private.
```
./keystore.sh example.com
```

You will be prompted for a password by the script. That password becomes the Java keystore password.
You can populate a .env file to customize some of the options. The scripts change their behavior based on the environment variables set. The following is an example.

```
# lan_server.sh
LAN=192.168.1
# server_cert.sh
SERVER_EXPIRE_DAYS=397
# setup_ca.sh
CA_CERT_NAME="Local Certificate Authority"
CA_CERT_ORG="Gleske Internal"
CA_CERT_ORG_UNIT=Systems
CA_CERT_CITY="Garden Grove"
CA_CERT_STATE=California
CA_CERT_COUNTRY=US
# 20 years
CA_CERT_EXPIRE_DAYS=7300
# all scripts
REQ_OPTS="-batch -nodes"
CERT_DIR=./myCA
```
Here are a few security tips if you have not managed a personal certificate authority before.
- Keep your certificate authority offline. For example, store it on an encrypted flash drive and disconnect it from your computer when you don't need to create certificates.
- If nobody else is accessing a service except you, then a personal certificate authority is arguably more trustworthy than a third party. Install your personal CA certificate in your browsers and devices to use it.
- Publish your certificate revocation list in a place where your browsers and devices can access it.
- Do not issue certificates valid for longer than 398 days, otherwise Apple devices will not recognize the certificate as valid. The default issuance has been reduced from 2 years down to 397 days. The expiration is configurable.

Using self-signed certificates is always a bad idea. It is far more secure to self-manage a certificate authority than to use self-signed certificates. Running a certificate authority is easy.
In addition to the scripts in this repository, here is a short recommended list of scripts and resources for managing a certificate authority.
- The xca project provides a graphical front end to certificate authority management in openssl. It is available for Windows, Linux, and Mac OS.
- The OpenVPN project provides a nice set of scripts for managing a certificate authority as well.
- Be your own CA tutorial provides a more manual method of certificate authority management outside of scripts or UI. It provides openssl commands for certificate authority management. Additionally, one can read up on certificate management in the SSL Certificates HOWTO at The Linux Documentation Project.
- Use my scripts in this repository, which are based on option 3 in this list. Supports server certs only.
- Use certificate-automation, which is similar to these scripts but organized slightly differently. Supports client certs as well.
Once a certificate authority is self-managed, simply add the CA certificate to all browsers and mobile devices. Enjoy secure and validated certificates everywhere.
If a service you manage is designated for public access, then self-managing a certificate authority may not be the best option. Signed Domain Validated (DV) certificates should still be the preferred method to secure your public service.
- CAcert.org is a community driven certificate authority which provides free SSL certificates. Note: See the inclusion page to see which applications and distros include the cacert.org root certificates.
- Let's Encrypt is a free, automated, and open Certificate Authority.