diff --git a/bin/create-client-cert.sh b/bin/create-client-cert.sh
new file mode 100755
index 0000000..2a72299
--- /dev/null
+++ b/bin/create-client-cert.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+openssl req -new \
+ -nodes \
+ -out client.csr \
+ -keyout private/client.key \
+ -days 365 \
+ -config ./openssl.cnf
+
diff --git a/bin/generate-crl.sh b/bin/generate-crl.sh
new file mode 100755
index 0000000..ab9dfb6
--- /dev/null
+++ b/bin/generate-crl.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+openssl ca -gencrl \
+ -out revoked/crl.pem \
+ -config ./openssl.cnf
diff --git a/bin/inspect-crl.sh b/bin/inspect-crl.sh
new file mode 100755
index 0000000..5a667fb
--- /dev/null
+++ b/bin/inspect-crl.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+openssl crl -text \
+ -noout \
+ -in revoked/crl.pem
diff --git a/bin/sign-client-cert.sh b/bin/sign-client-cert.sh
new file mode 100755
index 0000000..8034a45
--- /dev/null
+++ b/bin/sign-client-cert.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+openssl ca -out client.crt \
+ -days 365 \
+ -config ./openssl.cnf \
+ -infiles client.csr
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 4907979..a655d80 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -11,8 +11,9 @@ services:
 volumes:
 - ./html:/usr/share/nginx/html
 - ./nginx/cert-mng/server.crt:/etc/nginx/certs/server.crt
- - ./nginx/cert-mng/server.key:/etc/nginx/certs/server.key
+ - ./nginx/cert-mng/private/server.key:/etc/nginx/certs/server.key
 - ./nginx/cert-mng/ca.crt:/etc/nginx/certs/ca.crt
+ - ./nginx/cert-mng/revoked/crl.pem:/etc/nginx/certs/crl.pem
 - ./nginx/nginx.conf:/etc/nginx/nginx.conf
 ports:
 - 80:80
diff --git a/nginx/cert-mng/openssl.cnf b/nginx/cert-mng/openssl.cnf
index 21ee0a1..0abfd60 100644
--- a/nginx/cert-mng/openssl.cnf
+++ b/nginx/cert-mng/openssl.cnf
@@ -11,7 +11,7 @@ new_certs_dir = $dir/certs
 certificate = $dir/ca.crt
 private_key = $dir/private/ca.key
 default_days = 365
-default_md = md5
+default_md = sha256
 default_crl_days = 30
 preserve = no
 email_in_dn = yes
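Review bot: `-days 365` on `openssl req -new` is a no-op — `-days` is only honoured together with `-x509` — so it can be dropped from create-client-cert.sh; the validity is set where it matters, by `-days 365` in sign-client-cert.sh. With `-nodes` the key lands in `private/client.key` unencrypted, so either drop `-nodes` (the CSR is created once, a passphrase costs little) or run `umask 077` first and confirm the resulting file is owner-only. The script also relies on the current directory (`./openssl.cnf`, `private/`), which presumably means it must be run from `nginx/cert-mng` rather than from `bin/`, and it has no `set -euo pipefail`; generate-crl.sh, inspect-crl.sh and sign-client-cert.sh share both traits, so a common `cd "$(dirname "$0")/<path-to-cert-mng>"` plus `set -euo pipefail` at the top of each would make them safe to call from anywhere. Finally the fixed names `client.csr`/`client.key` mean a second run silently overwrites the previous client's key; taking the client name as `$1` avoids that.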
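Review bot: The CRL written by generate-crl.sh is only valid for `default_crl_days = 30` (visible in the openssl.cnf hunk below), so it must be regenerated before that window closes — a verifier that sees an expired CRL typically fails every client handshake, not only the revoked ones — and a check such as `openssl crl -noout -nextupdate -in revoked/crl.pem` in the script or a scheduled re-run would make that visible. Nothing in this commit adds the revocation step itself (`openssl ca -revoke <cert> -config ./openssl.cnf`), so until such a script exists this CRL is always empty. nginx also reads the CRL at startup, so rewriting the file inside the bind mount does not take effect until nginx is reloaded; a header comment stating that, or a reload at the end of the script, closes the gap.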
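Review bot: sign-client-cert.sh does not select the `[ usr_cert ]` extensions (`basicConstraints = CA:FALSE` in the openssl.cnf hunk), so unless the `[ ca ]` section of openssl.cnf — outside this diff — sets `x509_extensions = usr_cert`, the issued certificate carries none of those extensions; passing `-extensions usr_cert` explicitly removes that dependency on a setting the reader cannot see here. `-days 365` duplicates `default_days = 365` from the same config and can go, and since `openssl ca` prompts for confirmation the script is interactive by design — if it is ever run from automation it needs `-batch`. Like create-client-cert.sh it writes to the fixed name `client.crt`, overwriting the previous client's certificate on a second run.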
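Review bot: Mounting `revoked/crl.pem` to `/etc/nginx/certs/crl.pem` does nothing by itself — nginx checks revocation only when nginx.conf has `ssl_crl /etc/nginx/certs/crl.pem;` alongside `ssl_client_certificate`, and nginx.conf is not touched in this diff, so either that directive is already present or the CRL is never consulted; worth confirming before relying on it. Both new host paths (`private/server.key` and `revoked/crl.pem`) must exist before `docker compose up`, otherwise Docker creates an empty directory at the missing path and nginx fails to start with an unreadable key or CRL.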
@@ -34,7 +34,7 @@ commonName = supplied emailAddress = supplied [ crl_ext ] -authorityKeyIdentifier = keyid:always,issues:always +authorityKeyIdentifier = keyid [ usr_cert ] basicConstraints = CA:FALSE
diff --git a/script/create-certificate.sh b/script/create-certificate.sh
deleted file mode 100755
index d0a3a90..0000000
--- a/script/create-certificate.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-openssl genrsa -des3 -out ca.key 4096
-
-openssl req -new \
- -x509 \
- -days 365 \
- -key ca.key \
- -out ca.crt
diff --git a/script/create-client-key-and-csr.sh b/script/create-client-key-and-csr.sh
deleted file mode 100755
index b193318..0000000
--- a/script/create-client-key-and-csr.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-openssl genrsa -out client.key 2048
-
-openssl req -new \
- -key client.key \
- -out client.csr
diff --git a/script/create-server-certificate.sh b/script/create-server-certificate.sh
deleted file mode 100755
index 630c6df..0000000
--- a/script/create-server-certificate.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-openssl x509 -req \
- -days 365 \
- -in server.csr \
- -CA ca.crt \
- -CAkey ca.key \
- -set_serial 01 \
- -out server.crt
diff --git a/script/create-server-key-and-csr.sh b/script/create-server-key-and-csr.sh
deleted file mode 100755
index 72f3e4e..0000000
--- a/script/create-server-key-and-csr.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-openssl genrsa -out server.key 4096 \
-openssl req -new \
- -key server.key \
- -out server.csr
diff --git a/script/sign-client-csr.sh b/script/sign-client-csr.sh
deleted file mode 100755
index 0f0db6b..0000000
--- a/script/sign-client-csr.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-openssl x509 -req \
- -days 365 \
- -in client.csr \
- -CA ca.crt \
- -CAkey ca.key \
- -set_serial 01 \
- -out client.crt
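Review bot: The old `[ crl_ext ]` value presumably failed on the misspelled component `issues` (the keyword is `issuer`), and the fix removes the issuer part instead of correcting it; `keyid` alone is valid, but if the intent was to keep the issuer name and serial in the CRL's authority key identifier the conventional form is `authorityKeyIdentifier = keyid:always,issuer`. A comment above the line, `# keyid only; the issuer component was dropped together with the 'issues' typo`, would stop the next reader from re-adding it by reflex. The whole `[ crl_ext ]` section is visible in this hunk, so no other setting in it is affected.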