habnabit / ca-template Goto Github PK

This is a super simple template for an OpenSSL CA git repository!

To set it up:

$ ./init.sh
$ git commit

and fill in the DN fields for the CA's certificate. Your CA's certificate will be written to ca.crt.pem. To then sign a CSR as a server certificate:

$ cp /path/to/some.csr.pem incoming
$ ./sign.sh servers incoming/some.csr.pem
$ git add .
$ git commit

Signing a CSR as a client/e-mail certificate instead only requires one change:

$ ./sign.sh clients incoming/some.csr.pem

The signing script can take whatever arguments openssl ca takes, so to force a particular subject and issue a certificate for a particular number of days:

$ ./sign.sh clients incoming/some.csr.pem -subj '/CN=example.com' -days 30

By default, the policy in ca.cnf will only copy the commonName and emailAddress DN fields from the CSR, if either exists. This is customizable by editing the policy_default section of ca.cnf. More information about policies and the ca.cnf file in general can be found in the openssl ca documentation as well.