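#!/bin/bash
# Bootstrap a two-tier test PKI (root CA -> signing CA) with the OpenSSL
# `ca` tooling, issue a server certificate for test.local, install it for
# nginx and verify the served chain with curl.
#
# Expects: etc/ca-ssl.conf and etc/server-ssl.conf in the current directory
#          (the CA, SAN and CN environment variables are set for them, so
#          they presumably read those via ENV:: — confirm), sudo rights to
#          restart nginx, and an nginx site that loads /tmp/nginx.crt and
#          /tmp/nginx.key (inferred from the paths written below — confirm).
# Writes:  ca/ (CA keys, databases, certs), crl/, certs/ and
#          /tmp/nginx.{csr,key,crt,chain}.
#
# Starts by deleting ./ca and ./certs, so every run produces a fresh PKI.
set -euo pipefail

readonly CA_CONF=etc/ca-ssl.conf
readonly SERVER_CONF=etc/server-ssl.conf

#######################################
# Create the directory layout and the empty index / serial files that
# `openssl ca` expects for one CA.
# Arguments: $1 - CA name (e.g. root-ca); used as directory and file prefix
#######################################
init_ca() {
  local name=$1
  mkdir -p "ca/${name}/private" "ca/${name}/db" crl certs
  chmod 700 "ca/${name}/private"        # private key directory: owner only
  : > "ca/${name}/db/${name}.db"        # empty certificate index
  : > "ca/${name}/db/${name}.db.attr"
  echo 01 > "ca/${name}/db/${name}.crt.srl"   # first certificate serial
  echo 01 > "ca/${name}/db/${name}.crl.srl"   # first CRL number
}

#######################################
# Generate a key pair and CSR for one CA.
# Arguments: $1 - CA name; exported as CA for the config file
# Outputs:   ca/<name>.csr and ca/<name>/private/<name>.key
#######################################
ca_csr() {
  local name=$1
  CA="$name" openssl req -new \
    -config "$CA_CONF" \
    -out "ca/${name}.csr" \
    -keyout "ca/${name}/private/${name}.key"
  # Do not rely on the caller's umask for private key permissions.
  chmod 600 "ca/${name}/private/${name}.key"
}

main() {
  # Clean slate; --one-file-system keeps rm from crossing mount points.
  rm -rf --one-file-system ca certs

  # --- Root CA: self-signed ---
  init_ca root-ca
  ca_csr root-ca
  CA=root-ca openssl ca -batch -name root_ca -selfsign \
    -config "$CA_CONF" \
    -in ca/root-ca.csr \
    -out ca/root-ca.crt \
    -extensions root_ca_ext

  # --- Signing (intermediate) CA: issued by the root ---
  init_ca signing-ca
  ca_csr signing-ca
  CA=root-ca openssl ca -batch -name root_ca \
    -config "$CA_CONF" \
    -in ca/signing-ca.csr \
    -out ca/signing-ca.crt \
    -extensions signing_ca_ext

  # --- Server certificate for test.local: issued by the signing CA ---
  # NOTE(review): fixed file names in the shared /tmp are kept because the
  # nginx site is assumed to point at them; a pre-existing file or symlink
  # at these paths would be overwritten / followed. A private directory
  # owned by the nginx user would be the safer home for the key.
  SAN=DNS:test.local \
  CN=test.local \
  openssl req -new \
    -config "$SERVER_CONF" \
    -out /tmp/nginx.csr \
    -keyout /tmp/nginx.key
  # Owner-only key; nginx's master process is started via systemd/sudo here,
  # so it is presumably root and can still read it — confirm if nginx runs
  # unprivileged.
  chmod 600 /tmp/nginx.key
  CA=signing-ca openssl ca -batch -name signing_ca \
    -config "$CA_CONF" \
    -in /tmp/nginx.csr \
    -out /tmp/nginx.crt \
    -extensions server_ext
  # Full chain, leaf first, for servers that want the intermediate sent too.
  cat /tmp/nginx.crt ca/signing-ca.crt ca/root-ca.crt > /tmp/nginx.chain

  sudo systemctl restart nginx
  # End-to-end check: the served chain must validate against our root only.
  curl -Ss https://test.local --cacert ca/root-ca.crt
}

main "$@"
exit 0

# Unreachable (after exit 0) and kept as a reference only: revoke the first
# certificate the signing CA issued (serial 01, i.e. the nginx certificate
# above, assuming the config's new_certs_dir is ca/signing-ca — confirm).
# Run by hand when needed, then regenerate the CRL.
openssl ca \
  -config etc/ca-ssl.conf \
  -revoke ca/signing-ca/01.pem \
  -crl_reason superseded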