SSL Certificate Creation
This repository contains all manners of scripts for handling SSL certificates. It includes also all data necessary for those scripts like intermediate and root certificates for example.
Creation of Certificate Signing Requests
Introduction
This script comes with a template for generating a Certificate
Signing Request (CSR)). It relies on the OpenSSL
utility openssl
for generating the certificates using a template.
Customization
Edit the openssl_csr.conf
template and/or the defaults.sh
file to
fit your needs.
You also have to add intermediate certificates from other CAs for
generating the bundles you must then modify the create_bundle
script
to fit the new authority. Please fork and issue a pull
request. Currently the supported certificates are:
- Thawte Class 2 certificates: wildcard and normal.
- StartSSL Class 1 (free) certificates.
Usage
generate_csr -d <domain> -p <private key> -t openssl_csr.conf
This makes certtool
generate a CSR for the domain and/or Common Name
<domain>
(-d
option) using the template openssl_csr.conf
(-t
option). The CSR will be created in the current directory.
The options for the script are:
-
-d
: domain of the CSR to be generated. -
-e
: days for the certficate validity. This can be specified as a multiple of 365 or as1y
for one year,2y
for two years and so on (default: 365 or 1y). -
-o
: organization for which the CSR is generated. -
-t
: template for generating the certificates. Check the accompanying template for examples. -
-v
: verbose output. It shows the generated CSR.
Example
generate_csr -d *.example.com -o" ACME Foobar Inc" -t openssl_csr.conf -v
This command generates a CSR for a wildcard *.example.com
SSL
certificate named wildcard.example.com_csr.prm
for the ACME Foobar Inc
organization using the private key
wirldcard.example.com_key.pem
using the openssl_csr.conf
template
and it prints the CSR after generating it.
Creation of certificate bundles
Introduction
Since nginx doesn't have a directive for
Certificate Authority bundles the all chain from web server
certificate up to the root CA certificate has to be inside a single
file. This is the file that is used by the ssl_certificate
directive.
This script creates a bundle given all the certificates on the chain.
The Certificate Authority intermediate and root certificates are
placed in a directory that is named as the Certificate Authority,
e.g., thawte
.
Usage
create_bundle -c thawte -w example.com_cert.pem
this creates a bundle with the web server certificate, the
intermediate and the root certificates of the Certificate
Authority Thawte. This bundle is created in
place of the original example.com_cert.pem
certificate file.
The original certificate, as supplied by the CA is renamed to
example.com_cert_orig.pem
.
This is the file to be entered in the nginx configuration.
The options for the script are:
-
-t
: the directory name where the CA intermediate and root certificates reside. This should be named using the CA name: startssl, thawte, geotrust, etc. -
-w
: wether the certificate is or not a wild card certificate. -
<server certificate>
: the file name of the web server certificate as issued by the CA.
Putting things into place: Security considerations
-
The private key must be set to modeg
600
and ownedroot.root
. The key must be placed at/etc/ssl/private
. -
The certificate must be moved to
/etc/ssl/certs
. -
Done.
What's next
Configuring nginx.