Useful OpenSSL Scripts

These scripts are based on the default scripts included with the OpenSSL ipkg distribution.
I have modified them to make basic key management a little easier, but all assume you have the default .cnf files which come with the package.


ca.cnf, server.cnf and client.cnf files have [certificate_authority], [server] and [client] sections respectively.  All of them contain the following fields, which should be edited to the same values in each file, as follows:

countryName            =   <Your country - i.e. UK>
stateOrProvinceName    =   <Your state/county - i.e. Aberdeenshire>
localityName           =   <Your city/locale - i.e. Aberdeen>
organizationName       =   <Your organisation or CA name - i.e. MyPrivateCA>
Note that for ALL examples, the angle brackets (<>) are NOT required and should not be supplied.

For ca.cnf and any server.cnf files, you can set: 

emailAddress            = <your admin email address - i.e.>

The commonName value in each file should describe the certificate to be created, e.g. in ca.cnf you should have:

commonName              = "<Your CA descriptive name - e.g. My Private CA>" - the speech marks are required

For any server.cnf file, describe the server's name and function, e.g.:

commonName              = "<Your server name/purpose - e.g. My Company RADIUS Server>" - the speech marks are required

client.cnf files should contain the client user's email address and their name, e.g.:

emailAddress            = <Client's email address - i.e.>
commonName              = <Client's common name, e.g. Bob Smith>

I would recommend you create a templates directory and copy the ca.cnf, server.cnf and client.cnf files to it once you have done the basic editing.  This will save you retyping most of it each time you create a new certificate.


NOTE: Before you run any of these scripts, ensure you edit the relevant/referenced .cnf files - otherwise all your default passwords will be "whatever".  The lines to change are in the [req] section of each file, and labelled:

input_password             = whatever
output_password            = whatever
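The template-directory approach only works if the edits are actually made: a forgotten <placeholder> ends up verbatim in a certificate subject, and a forgotten "whatever" becomes the passphrase protecting the generated key. The helper below is an added example, not one of the page's scripts. It stamps a per-client .cnf out of a template (quoting commonName as the page requires) and refuses to proceed while a file still carries either a placeholder or the default password. The function names, the sample template and its layout are constructed for the example; only the field names and the default password come from the page.

```shell
#!/bin/sh
# Added example, not one of the page's scripts: instantiate a per-client .cnf
# from the template directory and refuse to proceed while a file still carries
# an unfilled <placeholder> or the shipped default password "whatever".
# Function names and the sample template below are constructed for this demo.

# Copy template $1 to $2, setting commonName (quoted, as the page requires)
# and emailAddress to $3 and $4. Every other line is passed through unchanged.
make_client_cnf() {
  awk -v cn="$3" -v mail="$4" '
    /^commonName[[:space:]]*=/   { print "commonName              = \"" cn "\""; next }
    /^emailAddress[[:space:]]*=/ { print "emailAddress            = " mail; next }
    { print }
  ' "$1" > "$2"
}

# Return 0 when $1 is ready for the OpenSSL scripts, 1 otherwise.
preflight_cnf() {
  # Any "key = ... <something>" line is a placeholder that was never filled in.
  if grep -Eq '^[[:alnum:]_]+[[:space:]]*=.*<[^>]*>' "$1"; then
    echo "$1: unfilled <placeholder> value left in file" >&2
    return 1
  fi
  # The [req] passwords shipped with the package must have been changed.
  if grep -Eq '^(input|output)_password[[:space:]]*=[[:space:]]*whatever[[:space:]]*$' "$1"; then
    echo "$1: default password 'whatever' is still set in [req]" >&2
    return 1
  fi
  return 0
}

# Constructed template standing in for templates/client.cnf (demo data only).
write_sample_template() {
  cat > "$1" <<'EOF'
[ req ]
prompt              = no
distinguished_name  = client
input_password      = whatever
output_password     = whatever

[ client ]
countryName         = UK
stateOrProvinceName = Aberdeenshire
localityName        = Aberdeen
organizationName    = MyPrivateCA
emailAddress        = <Clients email address>
commonName          = <Clients common name>
EOF
}

# Stand-alone run: sh this_file.sh run
if [ "${1:-}" = run ]; then
  T=$(mktemp -d)
  write_sample_template "$T/client.cnf"
  make_client_cnf "$T/client.cnf" "$T/bob.cnf" "Bob Smith" "bob@example.com"
  preflight_cnf "$T/bob.cnf" || echo "fix $T/bob.cnf before running the client script"
fi
```

Run preflight_cnf over ca.cnf, server.cnf and each generated client file before invoking the scripts below; it exits non-zero with the reason on stderr, so it can sit at the top of a wrapper script.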

Also, note that due to HTML text wrapping, you may encounter some issues if copying/pasting these scripts - so they are included in .tar.gz format at the end of this page.

This script will generate a new CA and all relevant files:

# Build CA
echo "Building CA... (you may be required to enter your CA password one or more times)"
# Self-signed CA certificate plus its (passphrase-protected) private key, 5 years
openssl req -new -x509 -keyout ca.key -out ca.pem -days 1825 -config ./ca.cnf

# DER copy of the CA certificate for importing on client computers
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
echo "Done."

This will generate your CA keyfile (ca.key), certificate file (ca.pem) and exportable certificate for client computers (ca.der), valid for 1825 days (5 years).
You should copy the ca.der file ready for distribution to client computers, and rename it as you see fit.

This script will build a certificate for a server (including Windows extensions) and sign it:

# Make Server Certificate
echo "Making Server Certificate... (you may be required to enter your CA password one or more times)"
# Unencrypted server key and signing request, 2 years
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./server.cnf
# Sign the request with the CA, adding the Windows server extensions
openssl ca -config ./ca.cnf -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile ./xpextensions -infiles ./server_req.pem
echo "Open your signed certificate with the text editor of your choice"
echo "and delete everything before the line -----BEGIN CERTIFICATE-----"
echo "then run"

This will generate a server key (server_key.pem), a server signing request (server_req.pem) and a signed certificate (server_cert.pem) valid for 2 years.

This script simply concatenates the server key and server certificate, assuming you've edited the certificate as directed by the previous script:

# Concatenate Server Key & Certificate
echo "Concatenating Server Key & Certificate..."
cat server_key.pem server_cert.pem > server_keycert.pem
echo "Done."

You can now take the combined server_keycert.pem file for use on any server.  You do NOT need to run this if you choose to supply the server key as a configuration item in your chosen deployment application (e.g. FreeRADIUS allows you to use a combined key and certificate file OR a certificate file with a user-supplied key in the FreeRADIUS configuration file).  Use as necessary.

This script takes a single argument, the client name (e.g. ./ bob - assuming client.cnf has been copied to bob.cnf):

# Make Client
echo "Making Client Certificate (you may be required to enter your CA password one or more times)"
# Client key (passphrase from the client's .cnf) and signing request, 2 years
openssl req -new -keyout "${1}_key.pem" -out "${1}_req.pem" -days 730 -config "./${1}.cnf"
# Sign the request with the CA, adding the Windows client extensions
openssl ca -config ./ca.cnf -policy policy_anything -out "${1}_cert.pem" -extensions xpclient_ext -extfile ./xpextensions -infiles "./${1}_req.pem"
# Bundle key and certificate into a PKCS#12 file for import on Windows
openssl pkcs12 -export -in "${1}_cert.pem" -inkey "${1}_key.pem" -out "${1}_cert.p12" -clcerts
echo "Done."

Assuming you ran this for "bob" (i.e. bob.cnf), this would give you Bob's key (bob_key.pem) and signing request (bob_req.pem), which is then signed, resulting in the certificate (bob_cert.pem) and an exportable certificate for use with Windows clients (bob_cert.p12).  You should distribute the .p12 and ca.der files to the client for use. The client can install them by double clicking on them, but must provide the relevant password (as specified in the client.cnf file) to import their client-specific certificate.

This script takes a single argument, the client name (e.g. ./ bob - assuming bob_cert.pem exists; it will if it was created with the scripts above):

# Revoke
echo "Revoking selected certificate (you may be required to enter your CA password one or more times)"
# Marks the certificate revoked in the CA database; takes effect once a new CRL is generated
openssl ca -revoke "${1}_cert.pem" -keyfile ca.key -cert ca.pem -config ./ca.cnf
echo "Done."

This will generate a combined CA certificate and CRL file - useful with things such as FreeRADIUS:

# MakeCRL
echo "Generating CRL (you may be required to enter your CA password one or more times)"
# Issue a fresh CRL from the CA database, then bundle it with the CA certificate
openssl ca -gencrl -keyfile ca.key -cert ca.pem -out mycrl.pem -config ca.cnf
cat ca.pem mycrl.pem > ca_and_crl.pem
echo "Done."

This will output a CRL file (mycrl.pem) and the combined CA certificate and CRL file (ca_and_crl.pem).
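The scripts above issue and revoke certificates but never confirm that a relying party will actually honour the CRL. The script below is an added example, not one of the page's scripts: it builds a throwaway CA from a constructed demo.cnf, issues a certificate, verifies it against the combined CA+CRL file with openssl verify -crl_check, revokes it, regenerates the CRL and confirms the same check now fails. The configuration, section names, file names and the unencrypted CA key (-nodes, so the run is unattended) are all assumptions for the demo; a real CA key should stay passphrase-protected as in the page's ca.cnf. The -notext option on openssl ca also shows how to avoid the manual "delete everything before -----BEGIN CERTIFICATE-----" step.

```shell
#!/bin/sh
# Added example, not one of the page's scripts: a throwaway CA used to show
# that the combined ca_and_crl.pem file really rejects a revoked certificate.
# Assumptions: openssl is on PATH; demo.cnf, its section names and the file
# names below are constructed for this demo (they are not the page's ca.cnf).
# The CA key is left unencrypted (-nodes) only so the demo runs unattended.

# Write a minimal CA + request configuration into $1/demo.cnf.
write_demo_cnf() {
  cat > "$1/demo.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = req_dn

[ req_dn ]
commonName = Demo CA
EOF
}

# Create the CA database files and a self-signed CA certificate in $1.
setup_demo_ca() {
  mkdir -p "$1/newcerts" || return 1
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  write_demo_cnf "$1" || return 1
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
    -subj "/CN=Demo CA" -config "$1/demo.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Issue $1/$2.pem for CN=$2. -notext keeps the human-readable dump out of the
# file, so the "delete everything before BEGIN CERTIFICATE" step is not needed.
issue_cert() {
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -config "$1/demo.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 || return 1
  openssl ca -batch -notext -config "$1/demo.cnf" \
    -in "$1/$2.csr" -out "$1/$2.pem" >/dev/null 2>&1
}

# Regenerate the CRL and the combined CA+CRL file (the page's ca_and_crl.pem).
refresh_crl() {
  openssl ca -gencrl -config "$1/demo.cnf" -out "$1/crl.pem" >/dev/null 2>&1 || return 1
  cat "$1/ca.pem" "$1/crl.pem" > "$1/ca_and_crl.pem"
}

# Mark $1/$2.pem revoked in the CA database (takes effect at the next CRL).
revoke_cert() {
  openssl ca -revoke "$1/$2.pem" -config "$1/demo.cnf" >/dev/null 2>&1
}

# Verify $1/$2.pem against the combined file WITH CRL checking.
# Returns 0 for a valid certificate, non-zero for an untrusted or revoked one.
verify_cert() {
  openssl verify -crl_check -CAfile "$1/ca_and_crl.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Stand-alone walk-through: sh this_file.sh run
if [ "${1:-}" = run ]; then
  W=$(mktemp -d)
  setup_demo_ca "$W" && refresh_crl "$W" && issue_cert "$W" radius
  verify_cert "$W" radius && echo "before revocation: OK"
  revoke_cert "$W" radius && refresh_crl "$W"
  verify_cert "$W" radius || echo "after revocation: rejected by CRL check"
  rm -rf "$W"
fi
```

The same verify_cert idea, pointed at your real ca_and_crl.pem and a freshly issued server or client certificate, is worth running before handing the file to FreeRADIUS: a CRL that is past its nextUpdate, or that was signed by a different CA key, fails the -crl_check just as a revoked certificate does, and it is better to learn that here than from a client that can no longer authenticate.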

I hope the above has helped someone! If you (re)use any of the information contained on this (or any other of this site's) page(s), please include a link back here! :)
Peter Truman,
21 Aug 2010, 04:00