This document describes what you need to set up your own self-signed CA certificate. When using a shell script to generate a certificate, refer to the script's usage text; some scripts require configuration files to be passed in as arguments.
## Configuration

Directories:

- `./templates` (contains configuration templates)
- `./examples` (contains configuration examples)

File | Description |
---|---|
ca.config | Configuration for the Certificate Authority (CA) |
client.config | Configuration for a Certificate Signing Request (CSR) |
openssl.config | General configuration for OpenSSL |
## Output

The output folders are as follows:

File | Description |
---|---|
ca | The Certificate Authority (CA) certificate is meant to be used only for signing other certificates, i.e. the key usages `cRLSign` and `keyCertSign` |
client | A client certificate is verified when an application sends a CSR. Its purpose (extended key usage) should be `serverAuth`, `clientAuth` and `codeSigning` |

Each of the folders above may contain subfolders, depending on the key usages and configuration.

## Usage

The following usages are categorized by use case:
### For development: self-signed certificate

- Execute the `make_*_cert.ps1` script to create a certificate in the `./client` folder:

  ```powershell
  ./make_*_cert.ps1 -configPath "./../examples/client.config" -outputPath "./client"
  ```

- Ensure all keys are valid for the ca certificate using the `inspect_*_cert.ps1` script:

  ```powershell
  ./inspect_*_cert.ps1 -certPath "./ca"
  ```
### For development: certificate chained from CA -> Client

- Execute the `make_*_cert.ps1` script to create a certificate in the `./ca` folder:

  ```powershell
  ./make_*_cert.ps1 -configPath "./../examples/ca.config" -outputPath "./ca"
  ```

- Ensure all keys are valid for the ca certificate using the `inspect_*_cert.ps1` script:

  ```powershell
  ./inspect_*_cert.ps1 -certPath "./ca"
  ```

- Execute the `make_*_cert.ps1` script again to create a certificate in the `./client` folder:

  ```powershell
  ./make_*_cert.ps1 -configPath "./../examples/client.config" -outputPath "./client"
  ```

- Ensure all keys are valid for the client certificate using the `inspect_*_cert.ps1` script:

  ```powershell
  ./inspect_*_cert.ps1 -certPath "./client"
  ```

- By default, all certificates generated above are self-signed. To sign the `client` certificate with the `ca` certificate, execute `sign_*_cert.ps1`:

  ```powershell
  ./sign_*_cert.ps1 -configPath "./../examples/client.config" -caPath "./ca" -clientPath "./client"
  ```
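The CA -> client procedure above, carried out with plain `openssl` instead of the repository's scripts: the CA config carries `CA:TRUE` with only the signing usages (`keyCertSign`, `cRLSign`), the leaf carries the `serverAuth`/`clientAuth`/`codeSigning` purposes from the output table, and the inspect helpers check what an inspect step should check (each private key matches its certificate, the leaf chains to the CA, and the key usages are the ones intended). This is an added example, not code from this repository; the file names, subject names, validity periods and the temporary working directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not one of the repository's scripts): build a CA -> client chain
# with plain openssl, then inspect it. Paths, names and validity are assumptions.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"   # scratch directory standing in for ./ca and ./client

# Write a minimal OpenSSL config: $1 = path, $2 = CN, $3 = body of the [ v3_ext ] section
write_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $2
[ v3_ext ]
$3
EOF
}

# CA: self-signed, CA:TRUE, and only the signing key usages (keyCertSign, cRLSign)
make_ca() {
  write_config "$WORK/ca.config" "Example Dev CA" \
"basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ca.config" -extensions v3_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Client: CA:FALSE, TLS key usages, and the purposes listed in the output table
make_client_csr() {
  write_config "$WORK/client.config" "dev.example.test" \
"basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning
subjectAltName = DNS:dev.example.test"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/client.config" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
}

# Sign the CSR with the CA. Extensions are taken from the signer's config, so the
# CA, not the requester, decides which usages the leaf certificate gets.
sign_client() {
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 \
    -extfile "$WORK/client.config" -extensions v3_ext \
    -out "$WORK/client.crt" >/dev/null 2>&1
}

# --- inspect helpers ---

# Prints "ok" if the leaf chains to the CA, "fail" otherwise
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Prints 1 if private key $1 and certificate $2 carry the same public key
key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ "$from_key" = "$from_cert" ] && echo 1 || echo 0
}

# Prints 1 if certificate $1 is flagged CA:TRUE
is_ca() {
  local text
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in *CA:TRUE*) echo 1 ;; *) echo 0 ;; esac
}

# Prints the Key Usage line of certificate $1, e.g. "Certificate Sign, CRL Sign"
key_usage() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Key Usage' | tail -n1 | sed 's/^ *//'
}

# Run the whole procedure when invoked as: bash make_chain.sh demo
if [ "${1:-}" = "demo" ]; then
  make_ca; make_client_csr; sign_client
  echo "chain: $(verify_chain)"
  echo "ca key usage: $(key_usage "$WORK/ca.crt")"
  echo "client key usage: $(key_usage "$WORK/client.crt")"
fi
```

Run it as `bash make_chain.sh demo`; set `WORK` to keep the generated files in a directory of your choice. Note that `sign_client` reads the extensions from the CA side (`-extfile`), which is the property the chained setup relies on: a requester cannot grant itself `CA:TRUE` or extra purposes through the CSR.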
### Renewal (status: requires testing)

- Execute the `renew_any_cert.ps1` script.
## Scripts

Only the RSA scripts are ready at the moment.

### Directory: ./ps

File | Description |
---|---|
make_*_cert.ps1 | Creates the certificate components: `*.key`, `*.pubkey`, `*.csr`, `*.crt` |
install_*_cert.ps1 | Installs a certificate into the specified trust stores |
renew_*_cert.ps1 | Renews an old certificate in the specified trust stores |
remove_*_cert.ps1 | Removes a certificate from the specified trust stores |
inspect_*_cert.ps1 | Inspects all components generated via `make_*_cert.ps1` |

Usage: `./<file.ps1>`
### Directory: ./cmd

Usage: `./<file.cmd>`

### Directory: ./sh

Please use bash to execute the shell files:

```sh
bash /path/to/<file.sh>
```

File | Description |
---|---|
cert_make_sslcert.sh | Used to generate a self-signed certificate |
## To do

- Allow a script (e.g. PowerShell) to read and change the contents of a configuration (e.g. `./examples/client.config`) with the following addenda:
  - Replace the placeholder value `<hostname>`.
  - Change the `hostname` input parameter to `hostnames`, and if multiple hostnames are passed into the script (i.e. `hostname1,hostname2`), add the additional hostnames as SAN entries.
  - Replace the placeholder value
- Do the same for cmd and sh too, but focus primarily on ps.
- The Google doc should explain in detail the purpose of all KeyUsage values.
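One way to implement the `hostnames` to SAN addendum above in bash (an added example, not one of the repository's scripts): each comma-separated entry is validated before it is written into the config, because the value lands inside an OpenSSL config file, where a stray `[section]` or `key = value` would be parsed as configuration rather than as a name. The `<san>` placeholder and the template layout are assumptions; the page only names `<hostname>`. The sample hostnames and IP address used in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not one of the repository's scripts): turn a comma-separated
# "hostnames" parameter into an OpenSSL subjectAltName value and fill the
# placeholders of a config template. <san> is an assumed placeholder.
set -euo pipefail

# A hostname is accepted only if it is a plain dotted label sequence (RFC 1123
# style, no wildcard). Anything else is rejected so a caller cannot push config
# syntax such as "[ca]" or "basicConstraints = CA:TRUE" through the parameter.
valid_hostname() {
  local re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
  [[ "$1" =~ $re ]]
}

is_ipv4() {
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  [[ "$1" =~ $re ]]
}

# Prints e.g. "DNS:a.example.test,DNS:b.example.test,IP:10.0.0.5" for
# "a.example.test, b.example.test,10.0.0.5"; returns 1 on any rejected entry.
san_from_hostnames() {
  local out="" h entry
  local -a hosts
  IFS=',' read -r -a hosts <<< "$1"
  for h in "${hosts[@]:-}"; do
    h="${h//[[:space:]]/}"          # tolerate "a, b"
    [ -n "$h" ] || continue
    if is_ipv4 "$h"; then
      entry="IP:$h"                 # IP addresses must not be DNS: entries
    elif valid_hostname "$h"; then
      entry="DNS:$h"
    else
      printf 'rejected hostname: %s\n' "$h" >&2
      return 1
    fi
    out="${out:+$out,}$entry"
  done
  printf '%s\n' "$out"
}

# Renders template $1 for hostnames $2 to stdout: the first hostname fills
# <hostname> (the CN), the full list fills <san>.
render_config() {
  local san first
  san=$(san_from_hostnames "$2")
  first="${san%%,*}"
  first="${first#*:}"             # strip the DNS:/IP: prefix
  sed -e "s|<hostname>|$first|g" -e "s|<san>|$san|g" "$1"
}

# Usage: bash render_san.sh ./examples/client.config "host1,host2"
if [ $# -eq 2 ]; then
  render_config "$1" "$2"
fi
```

The rejection path is the point: a value that fails `valid_hostname` stops the script before anything is rendered, so the template can never be turned into a certificate with an unintended subject or extension.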