User:Int 80h/files/SSL Makefile
SSL Makefile
This Makefile makes creating SSL certificates easier.
Dependencies are OpenSSL and automake.
Just copy the code into a file called Makefile and run make help in that directory to get some help and get started.
# Makefile to create new CA and application keys more easily

# the sign and help recipes use "echo -e", which needs bash
SHELL := /bin/bash

have_cnf:=$(wildcard server.cnf)
have_cacnf:=$(wildcard ca.cnf)

# targets that do not produce a file of the same name
.PHONY: all newca newserver sign pem clean paranoia help

all: server.key.nopass server.crt

# make new CA key and certificate
# (removes only the generated ca.crt and ca.key, so that ca.cnf is kept)
newca:
	-rm ca.crt ca.key
	$(MAKE) ca.crt

# make new server certificate and key
newserver: clean
	$(MAKE) all

# sign a certificate
sign: server.crt.signed

# make PEMs
pem: server.pem server.pem.nopass

# create unencrypted server key
server.key.nopass: server.key
	openssl rsa -in $< -out $@

# create server certificate with CA
server.crt.signed: server.csr ca.crt ca.key
	openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out $@
	@echo -e " *\n * Serial number needs to be updated, whenever certificate is created anew!\n *"

# create self signed server certificate
server.crt: server.csr server.key
	openssl x509 -req -days 365 -in $< -signkey server.key -out $@

# create server signing request (uses server.cnf if it exists)
ifeq ($(strip $(have_cnf)),)
server.csr: server.key
	openssl req -new -key $< -out $@
	echo "nein"
else
server.csr: server.key server.cnf
	openssl req -new -key $< -out $@ -config server.cnf
	echo "ja"
endif

# generate server key (encrypted with a passphrase)
server.key:
	openssl genrsa -des3 -out $@ 4096

# create pem
server.pem: server.crt server.key
	cat server.crt server.key > $@
	openssl dhparam -2 >> $@

# create unencrypted pem
server.pem.nopass: server.crt server.key.nopass
	cat server.crt server.key.nopass > $@
	openssl dhparam -2 >> $@

# create CA certificate (uses ca.cnf if it exists)
ifeq ($(strip $(have_cacnf)),)
ca.crt: ca.key
	openssl req -new -x509 -days 365 -key $< -out $@
else
ca.crt: ca.key ca.cnf
	openssl req -new -x509 -days 365 -key $< -out $@ -config ca.cnf
endif

# generate CA key (encrypted with a passphrase)
ca.key:
	openssl genrsa -des3 -out $@ 4096

# delete everything
clean:
	-rm server.crt server.csr server.key server.key.nopass server.pem server.pem.nopass

# delete everything, overwriting the files before removing them
paranoia:
	-shred -zuv server.crt server.csr server.key server.key.nopass server.pem server.pem.nopass

help:
	@echo -e "Usage: make [newca | newserver | pem | sign | help]\n"
	@echo -e " (no arguments): creates CA files and a server certificate"
	@echo -e " newca: recreates CA files"
	@echo -e " newserver: recreates server certificate files"
	@echo -e " pem: create PEM files"
	@echo -e " sign: make CA signed certificate"
	@echo -e " help: shows this help"
Signed certificates with self made CA
I recommend not signing the certificates with your own CA certificate. Some browsers refuse to accept that certificate, and in the case of Firefox, it doesn't even allow making an exception and using it anyway.
It simply won't work.
It's preferable to use a self-signed certificate for testing, and in cases where a CA-signed certificate is not needed.
Using a cnf
I suggest using a server.cnf when making multiple certificates. The Makefile accepts a ca.cnf and a server.cnf, for CA certificates and server certificates, respectively.
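
A sample server.cnf for the server.csr rule above, added here as an illustration and not part of the original page. The section names, subject fields and host names are constructed placeholders; with prompt = no, openssl req takes the subject from the file instead of asking for it on every run.

```ini
# server.cnf -- constructed sample, read by the Makefile's rule:
#   openssl req -new -key server.key -out server.csr -config server.cnf
# Every name below (Example Org, example.test, ...) is a placeholder.

[ req ]
prompt             = no         # do not ask interactively, use [ req_dn ]
default_md         = sha256     # digest used to sign the request
distinguished_name = req_dn     # section holding the subject fields
req_extensions     = req_ext    # extensions written into the CSR

[ req_dn ]
C  = DE
O  = Example Org
OU = Testing
CN = www.example.test

[ req_ext ]
basicConstraints = CA:FALSE                          # not a CA certificate
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth                        # TLS server use only
subjectAltName   = @alt_names                        # host names clients check

[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
```

The openssl x509 -req commands in the Makefile do not copy request extensions into the certificate, so the subjectAltName above ends up in server.csr only. To carry it into server.crt or server.crt.signed, those commands would also need -extfile server.cnf -extensions req_ext.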