
Sign certificates with custom root CA

This simplifies development, because only the root CA has to be
trusted in the browser.
remove-logs
Andreas Linz 3 years ago
parent
commit
0512b6f1ae
4 changed files with 127 additions and 92 deletions
  1. +76
    -0
      generate-dev-certs.sh
  2. +0
    -43
      generate-self-signed-cert.sh
  3. +25
    -23
      roles/caddy/files/klingt.vnet.crt
  4. +26
    -26
      roles/caddy/files/klingt.vnet.key

+ 76
- 0
generate-dev-certs.sh View File

@ -0,0 +1,76 @@
#!/bin/bash
set -euo pipefail
years=3
domain='klingt.vnet'
cert_out_path='./roles/caddy/files'
root_out_path="${HOME}/.ssl"
csr_cnf_file="$(mktemp)"
v3_ext_file="$(mktemp)"
[[ ! -e "${root_out_path}/root-ca.key" ]] &&\
openssl genrsa\
-out "${root_out_path}/root-ca.key"\
2048
cat <<HEREDOC > "${csr_cnf_file}"
[req]
default_bits=2048
prompt=no
default_md=sha256
distinguished_name=dn
[dn]
C=DE
ST=Leipzig
L=Saxony
O=klingt.vnet
OU=klingt.vnet
emailAddress=admin@klingt.vnet
CN=klingt.vnet
HEREDOC
[[ ! -e "${root_out_path}/root-ca.pem" ]] &&\
openssl req\
-x509\
-new\
-nodes\
-key "${root_out_path}/root-ca.key"\
-sha256\
-days $((365 * $years))\
-out "${root_out_path}/root-ca.pem"\
-config <(cat "${csr_cnf_file}")
cat <<HEREDOC > "${v3_ext_file}"
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = klingt.vnet
DNS.2 = *.klingt.vnet
HEREDOC
openssl req\
-new\
-sha256\
-nodes\
-out "${cert_out_path}/${domain}.csr"\
-newkey rsa:2048\
-keyout "${cert_out_path}/${domain}.key"\
-config <(cat "${csr_cnf_file}")
openssl x509\
-req\
-in "${cert_out_path}/${domain}.csr"\
-CA "${root_out_path}/root-ca.pem"\
-CAkey "${root_out_path}/root-ca.key"\
-CAcreateserial\
-out "${cert_out_path}/${domain}.crt"\
-days $((365 * $years))\
-sha256\
-extfile "${v3_ext_file}"
rm "${csr_cnf_file}" "${v3_ext_file}" "${cert_out_path}/${domain}.csr"
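Review bot: `root_out_path` (`${HOME}/.ssl`) is never created, so on a fresh machine the first `openssl genrsa -out` fails with a missing-directory error before anything else runs; add `mkdir -p -m 700 "${root_out_path}"` before the guard on `root-ca.key`. Because every browser the root is imported into will trust it for any hostname, the unencrypted root key in that directory deserves more than the default umask — `umask 077` at the top of the script keeps both `root-ca.key` and the `-keyout` leaf key private regardless of whether the installed OpenSSL forces 0600 on them itself. Constraining the root with `nameConstraints=critical,permitted;DNS:klingt.vnet` (via an extension section passed to the self-signing `openssl req -x509`) would limit the damage if the dev CA ever leaks. The two `mktemp` files are removed only on the success path; a `trap 'rm -f "${csr_cnf_file}" "${v3_ext_file}"' EXIT` right after they are created covers the `set -e` exits as well. Note also that `-keyout` drops the unencrypted server key into `roles/caddy/files/`, which this commit checks in alongside the certificate.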

+ 0
- 43
generate-self-signed-cert.sh View File

@ -1,43 +0,0 @@
#!/bin/bash
# Setting SubjectAltName (SAN) is required since Firefox 48 and Chrome 58
# https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
# https://www.chromestatus.com/feature/4981025180483584
set -euo pipefail
_DOMAIN='klingt.vnet'
_KEYSIZE=2048
_SAN="DNS:*.$_DOMAIN"
_KEYFILE="./roles/caddy/files/$_DOMAIN.key"
_CERTFILE="./roles/caddy/files/$_DOMAIN.crt"
TMP_CONF="$(mktemp openssl.XXXXXX)"
echo "Temporary configuration is stored in $TMP_CONF"
cat /etc/ssl/openssl.cnf >> "$TMP_CONF"
cat <<HEREDOC>> "$TMP_CONF"
[ san ]
subjectAltName="$_SAN"
HEREDOC
openssl req\
-x509\
-sha256\
-nodes\
-newkey rsa:$_KEYSIZE\
-days $((365*3))\
-reqexts san\
-extensions san\
-subj "/CN=$_DOMAIN"\
-config "$TMP_CONF"\
-keyout "$_KEYFILE"\
-out "$_CERTFILE"
openssl dhparam $_KEYSIZE >> "./roles/caddy/files/$_DOMAIN.crt"
cat <<HEREDOC
Keyfile: $_KEYFILE
Certfile: $_CERTFILE
Removing $TMP_CONF ...
HEREDOC
rm "$TMP_CONF"

+ 25
- 23
roles/caddy/files/klingt.vnet.crt View File

@ -1,25 +1,27 @@
-----BEGIN CERTIFICATE-----
MIICyzCCAbOgAwIBAgIJAOS60VRhunkdMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC2tsaW5ndC52bmV0MB4XDTE3MDkyNTE5NTMxMVoXDTIwMDkyNDE5NTMxMVow
FjEUMBIGA1UEAwwLa2xpbmd0LnZuZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDll5h8cY471WfoHooMkmSGCyGjB/SIz4qNqV12AV4QAjgBQejiV/J1
GkJ8gde32KQNlgkKaLNOzDr3mCGARFROiiNozgXZcqhHUNn9MYoSseBKpn1o5JQx
NuIESf3BUCYMNJhqzlNBz5AeLSumqIzaAG3OCco8EGQpYmsB4cXUzR5WEwvloV0A
W0XpWmwlW4qxtqStZ0qRL3l6Zb62pV7rFaqns1wm7/FKqzVqD4Wz5xzrVF0N/urg
xQUdNY7MUpg/CesxKs1goQKh8NH9CNy4dDydNV0KUwjrIuf30InRa9c8iXr9B98F
6mfetyIQRkBbFW/jI6vJ465bRjksoCFBAgMBAAGjHDAaMBgGA1UdEQQRMA+CDSou
a2xpbmd0LnZuZXQwDQYJKoZIhvcNAQELBQADggEBAGtX6NcHKF26UliB0PEFoLj7
eqctO6sXQO4o7bWFxRDIbjfLHANfomZH0ckWVeJ/VOhlZDOOpukujo7QJ+6r0Nx5
pFUPf4H+lYTgq8zwHqylLCip5q3aGMDHAk3KwoiGsg7x2zgfAi+JU547MWS1WxPq
hFHsOYf96LqP2s66BK4ztu44xJRtt140sQ2iIRQn0hqlaxmL35E3EMU0gG6A5HeH
0lT4J9LkufGw54Mvmf1rREzyQbJcSf20NE0P/vkNfKVKVeI4xzyJ16noGV16Bqk/
TS2jR+Ie7QmZGEh8cvPJCwDpzct6W2riHLF5LeRMtBF5KHw2jXoo92Vnc1i5Ruo=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-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA5f4cWZi9hJWPPBFhT/i2v1bQa9Td3zAKf/+FcstB1SZ49oOsZW/P
V1CX036goMnGaTAcNd2OM4Zn3oBnl/dNIvtyHf8W9vh0vcB/2rXfpTTjQLZg9roa
wnZJvIEVMnrdlfjtUT3DDGTkpGGdoafh8+GFGHYpA3bK8EfbGQysruBMxwtwLdpq
NuRwVJTPAUgOGIeL7eOBZ0NQ4DPsv+wPzXTlQ/u87f2k9j4o6hwg2zsZB997Qw3D
WeBdCwzHMnHnQbZ3xFoOYUuqmkDFSpjgF3tXd2xlSpNmHV+k78wxkMew9vQ78KDz
MQM/SZIYIjFppjaSPUa7mY6FScoZBTNtiwIBAg==
-----END DH PARAMETERS-----

+ 26
- 26
roles/caddy/files/klingt.vnet.key View File

@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----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MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDTLqREiT0ILx3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-----END PRIVATE KEY-----
