Inactivity Notice: I no longer actively use this. It probably still mostly works, but I can't make any promises that the certs it generates make good choices in a modern security env (good hash algo choices, sane openssl settings, etc etc). If you're going to use or borrow from this, I'd recommend making sure you double-check that. If you find an issue, I'd happily accept a GitHub Issue or PR about it.
Certificate authority tools and public bits.
For all of the processes below, start by downloading the CA cert (`-L` follows GitHub's redirect to the raw file and `-O` saves it as `ca.crt`, which the following steps expect):

```
curl -LO https://github.com/akerl/ca-tools/raw/master/certs/ca.crt
```
Do the following to trust the CA on OS X:
- Open the certificate in Keychain Access: `open ca.crt`
- Set the trust setting to "Always Trust"
- Enter your OS X credentials when prompted
Do the following to trust the CA in Thunderbird:
- Open Preferences from the "Thunderbird" menu
- Navigate to "Advanced", then "Certificates", and click "View Certificates"
- Click "Import" and select the ca.crt file you downloaded
Do the following to create a new CA:
- Edit openssl.conf to have the right SAN and distinguished_name settings
- Pick a secure system for the CA to live on
- If that system is a server, you probably want haveged installed for entropy
- Clone this repo there
- Run `makeca.sh`
- You'll need to provide a passphrase. Put that passphrase in 1Password (you do use 1Password, don't you?)
Do the following on the system the new certificate is for:
- If it's a server, install haveged for entropy
- Clone this repo to the system
- If you need subject alt names, export the variable now:

```
export SAN="DNS:othersite.com, DNS:example.com"
```

- Run `gencsr.sh $NAME`, where $NAME is a short name for the certificate
Do the following on the CA system:
- Run `sign.sh $NAME`, using the same name you used previously
Do the following on the system the new certificate is for:
- Pull the repo changes: `git pull`
- Your certificate is now located at ./certs/$NAME.crt and the key is in ./keys/$NAME.key
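Before deploying what sign.sh produced, it is worth confirming the pieces actually fit together. The function below is an added example, not part of ca-tools: it checks that $NAME.crt chains to ca.crt, that $NAME.key matches the certificate, that every name you exported in $SAN made it into subjectAltName, and that the signature does not use a hash modern clients reject. It assumes only that the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not part of ca-tools: sanity-check a certificate produced by the
# gencsr.sh / sign.sh workflow before it is deployed. Assumes the openssl CLI is on PATH.
# Usage: check_cert certs/ca.crt certs/$NAME.crt keys/$NAME.key [expected DNS name ...]
# Returns 0 when every check passes, 1 otherwise (each failure is printed).

check_cert() {
  ca="$1"; crt="$2"; key="$3"; shift 3
  rc=0
  text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || { echo "FAIL: cannot read $crt"; return 1; }

  # 1. The certificate must chain to the CA whose ca.crt clients were told to trust.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca"; rc=1
  fi

  # 2. The private key in keys/ must match the public key inside the certificate.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the public key in $crt"; rc=1
  fi

  # 3. Every DNS name exported in $SAN must appear as an exact subjectAltName entry
  #    (exact match, so DNS:example.com does not get satisfied by DNS:example.community).
  sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "DNS:$name"; then
      echo "FAIL: subjectAltName lacks DNS:$name"; rc=1
    fi
  done

  # 4. Reject signatures made with hashes no modern client should accept.
  sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm')
  case "$sigalg" in
    *sha1*|*md5*|*md2*) echo "FAIL: weak signature algorithm:$sigalg"; rc=1 ;;
  esac

  return $rc
}
```

Run it as `check_cert certs/ca.crt certs/$NAME.crt keys/$NAME.key othersite.com example.com` from the repo root and fix anything it reports before copying the files into place.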
ca-tools is released under the MIT License. See the bundled LICENSE file for details.