# The Lost Art of the Makefile This repository uses OpenSSL and GNU Makefile to automate and simplify Certificate Signing Request (CSR) processes. ## Problem Creating replicas of TLS certificates for testing and development can be time-consuming and complex. This includes generating CA authority certificates, Signing Authority certificates, and certificates with complex Subject Alternative Names (SANs) for mTLS. Corporate CSR processes can take anywhere from hours to weeks to complete. Having pre-tested Certificate Signing Requests (CSRs) ready can significantly streamline this process. **Example of a Complex Subject Alternative Name for mTLS Certificate** ``` X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection X509v3 Subject Key Identifier: F0:76:3B:B0:03:20:C5:15:2F:7A:4E:F1:F6:FE:AE:06:31:FE:88:B9 X509v3 Authority Key Identifier: E1:7D:A3:BE:51:DF:F9:1E:29:80:C8:57:CC:D9:D6:3E:37:5D:5F:55 X509v3 Subject Alternative Name: DNS:vault.dev1.gcp.lab5.ca, DNS:vault.prd1.gcp.lab5.ca, DNS:vault-0, DNS:vault-1, DNS:vault-2, DNS:vault, DNS:vault.vault, DNS:vault.vault.svc, DNS:vault.vault.svc.cluster, DNS:vault.vault.svc.cluster.local, DNS:vault-0.cluster, DNS:vault-1.cluster, DNS:vault-2.cluster, IP Address:127.0.0.1 ``` ## Solution This repository allows you to test your Subject Alternative Names (SANs) and deployment process using a test certificate before submitting a CSR to the corporate PKI. ### Efficient Certificate Generation with GNU Make GNU Make offers a powerful feature that optimizes the certificate generation process. By leveraging timestamp comparisons, it allows us to skip the generation of certificates when the source files haven't changed. This capability enables us to create an efficient dependency chain, streamlining the entire PKI management workflow. ``` root_crt ==> signing_crt ==> host_crt ``` ## Demo ### Creating Certificate Authority Certificates

### Creating Host Certificate Bundle

### Requirements - OpenSSL version 3.0.0 or higher (https://www.openssl.org/) - GNU Make 4.0.0 or higher (https://www.gnu.org/software/make/) - GNU PG 2.0.0 or higher (https://gnupg.org/) ### Project Structure The project is organized as follows: - **Core Logic**: The main functionality is implemented in the `Makefile`. - **OpenSSL**: The repository follows the standard OpenSSL directory structure. ### Key Components - `makefile` contains the core logic and automation scripts. - `ca` directory stores Certificate Authority related files. - `etc` directory stores OpenSSL configuration files. - `certs` directory stores generated certificates. ### Generated Certificate Package The repository generates a comprehensive certificate package containing: - Root CA certificate chain (Root+Signing) `ca-certificates.crt` - Host CSR `host.domain.com.csr` - Host certificate `host.domain.com.crt` - Host encrypted private key `host.domain.com.key` - Host P12 (PFX) bundle `host.domain.com.p12` ## Usage Guide ### Setting Up a New PKI **Clone the repository** ```shell git clone https://github.com/kborovik/pki-db.git ``` **Initialize new PKI DB (removes old PKI DB and all TLS certificates)** ```shell make clean ``` **Remove old Git repository** ```shell rm -rf .git ``` **Create new Git repository** ```shell git init git add --all git commit -m 'initial pki db' ``` ### Configuring GPG Keys GPG keys are used to encrypt passwords for TLS certificate private keys. Each TLS private key receives a unique password, allowing for the generation of random private key passwords that can be easily shared with team members. **Update Makefile with GPG key** ```shell sed -i 's/^GPG_KEY .\*/GPG_KEY ?= 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5/' makefile ``` **Verify GPG key** ```shell make ==> Certificate <== COMMON_NAME: SUBJECT_ALT_NAME: ==> Encryption Key <== GPG_KEY: 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5 ==> Software <== OpenSSL: OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) Make: GNU Make 4.3 GPG: gpg (GnuPG) 2.4.4 Create Certificates? (yes/no): ``` ### Updating Certificate Authority Distinguished Name ```shell etc/ ├── root.conf ├── signing.conf └── server.conf ``` **Example configuration** ```shell vim etc/root.config vim etc/signing.config vim etc/server.config ``` **Update `ca_dn`** ``` [ ca_dn ] 0.domainComponent = ca 1.domainComponent = lab5 organizationName = Lab5 DevOps Inc. organizationalUnitName = www.lab5.ca commonName = $organizationName Root CA ``` ### Creating Certificates To generate a new certificate, follow these steps: - Set the required `COMMON_NAME` environment variable. - Optionally, set the `SUBJECT_ALT_NAME` environment variable for additional identities. - Run `make` command ```shell export COMMON_NAME="www.lab5.ca" export SUBJECT_ALT_NAME="DNS:www.lab5.ca,IP:127.0.0.1" make ==> Certificate <== COMMON_NAME: www.lab5.ca SUBJECT_ALT_NAME: DNS:www.lab5.ca,IP:127.0.0.1 ==> Encryption Key <== GPG_KEY: 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5 ==> Software <== OpenSSL: OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) Make: GNU Make 4.3 GPG: gpg (GnuPG) 2.4.4 Create Certificates? (yes/no): ``` ### Managing Certificates **View certificates** ```shell tree certs/ certs/ ├── ca-certificates.crt ├── db.lab5.ca.asc ├── db.lab5.ca.crt ├── db.lab5.ca.csr ├── db.lab5.ca.key ├── db.lab5.ca.p12 ├── www.lab5.ca.asc ├── www.lab5.ca.crt ├── www.lab5.ca.csr ├── www.lab5.ca.key └── www.lab5.ca.p12 ``` **Show Private Key Password** ```shell make show-pass ``` **Decrypt Private Key** ```shell make show-key ``` **View CSR** ```shell make show-csr ``` **View CRT** ```shell make show-crt ``` **View P12** ```shell make show-p12 ``` ## Acknowledgements This repository is based on the excellent work of the "OpenSSL PKI Tutorial". For more information, visit: https://pki-tutorial.readthedocs.io/en/latest/index.html