This repository uses OpenSSL and GNU Makefile to automate and simplify Certificate Signing Request (CSR) processes.
Creating replicas of TLS certificates for testing and development can be time-consuming and complex. This includes generating CA authority certificates, Signing Authority certificates, and certificates with complex Subject Alternative Names (SANs) for mTLS.
Corporate CSR processes can take anywhere from hours to weeks to complete. Having pre-tested Certificate Signing Requests (CSRs) ready can significantly streamline this process.
Example of a Complex Subject Alternative Name for mTLS Certificate
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
X509v3 Subject Key Identifier:
F0:76:3B:B0:03:20:C5:15:2F:7A:4E:F1:F6:FE:AE:06:31:FE:88:B9
X509v3 Authority Key Identifier:
E1:7D:A3:BE:51:DF:F9:1E:29:80:C8:57:CC:D9:D6:3E:37:5D:5F:55
X509v3 Subject Alternative Name:
DNS:vault.dev1.gcp.lab5.ca, DNS:vault.prd1.gcp.lab5.ca, DNS:vault-0, DNS:vault-1, DNS:vault-2, DNS:vault, DNS:vault.vault, DNS:vault.vault.svc, DNS:vault.vault.svc.cluster, DNS:vault.vault.svc.cluster.local, DNS:vault-0.cluster, DNS:vault-1.cluster, DNS:vault-2.cluster, IP Address:127.0.0.1
This repository allows you to test your Subject Alternative Names (SANs) and deployment process using a test certificate before submitting a CSR to the corporate PKI.
GNU Make offers a powerful feature that optimizes the certificate generation process. By leveraging timestamp comparisons, it allows us to skip the generation of certificates when the source files haven't changed. This capability enables us to create an efficient dependency chain, streamlining the entire PKI management workflow.
root_crt ==> signing_crt ==> host_crt
create-ca-authority.mp4
create-certificate.mp4
- OpenSSL version 3.0.0 or higher (https://www.openssl.org/)
- GNU Make 4.0.0 or higher (https://www.gnu.org/software/make/)
- GNU PG 2.0.0 or higher (https://gnupg.org/)
The project is organized as follows:
- Core Logic: The main functionality is implemented in the
Makefile. - OpenSSL: The repository follows the standard OpenSSL directory structure.
makefilecontains the core logic and automation scripts.cadirectory stores Certificate Authority related files.etcdirectory stores OpenSSL configuration files.certsdirectory stores generated certificates.
The repository generates a comprehensive certificate package containing:
- Root CA certificate chain (Root+Signing)
ca-certificates.crt - Host CSR
host.domain.com.csr - Host certificate
host.domain.com.crt - Host encrypted private key
host.domain.com.key - Host P12 (PFX) bundle
host.domain.com.p12
Clone the repository
git clone https://github.com/kborovik/pki-db.gitInitialize new PKI DB (removes old PKI DB and all TLS certificates)
make cleanRemove old Git repository
rm -rf .gitCreate new Git repository
git init
git add --all
git commit -m 'initial pki db'GPG keys are used to encrypt passwords for TLS certificate private keys. Each TLS private key receives a unique password, allowing for the generation of random private key passwords that can be easily shared with team members.
Update Makefile with GPG key
sed -i 's/^GPG_KEY .\*/GPG_KEY ?= 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5/' makefileVerify GPG key
make
==> Certificate <==
COMMON_NAME:
SUBJECT_ALT_NAME:
==> Encryption Key <==
GPG_KEY: 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5
==> Software <==
OpenSSL: OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Make: GNU Make 4.3
GPG: gpg (GnuPG) 2.4.4
Create Certificates? (yes/no): etc/
├── root.conf
├── signing.conf
└── server.confExample configuration
vim etc/root.config
vim etc/signing.config
vim etc/server.configUpdate ca_dn
[ ca_dn ]
0.domainComponent = ca
1.domainComponent = lab5
organizationName = Lab5 DevOps Inc.
organizationalUnitName = www.lab5.ca
commonName = $organizationName Root CA
To generate a new certificate, follow these steps:
- Set the required
COMMON_NAMEenvironment variable. - Optionally, set the
SUBJECT_ALT_NAMEenvironment variable for additional identities. - Run
makecommand
export COMMON_NAME="www.lab5.ca"
export SUBJECT_ALT_NAME="DNS:www.lab5.ca,IP:127.0.0.1"
make
==> Certificate <==
COMMON_NAME: www.lab5.ca
SUBJECT_ALT_NAME: DNS:www.lab5.ca,IP:127.0.0.1
==> Encryption Key <==
GPG_KEY: 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5
==> Software <==
OpenSSL: OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Make: GNU Make 4.3
GPG: gpg (GnuPG) 2.4.4
Create Certificates? (yes/no): View certificates
tree certs/
certs/
├── ca-certificates.crt
├── db.lab5.ca.asc
├── db.lab5.ca.crt
├── db.lab5.ca.csr
├── db.lab5.ca.key
├── db.lab5.ca.p12
├── www.lab5.ca.asc
├── www.lab5.ca.crt
├── www.lab5.ca.csr
├── www.lab5.ca.key
└── www.lab5.ca.p12Show Private Key Password
make show-passDecrypt Private Key
make show-keyView CSR
make show-csrView CRT
make show-crtView P12
make show-p12This repository is based on the excellent work of the "OpenSSL PKI Tutorial".
For more information, visit: https://pki-tutorial.readthedocs.io/en/latest/index.html