Skip to content
/ pki-db Public

The Lost Art of the Makefile: Simple OpenSSL PKI sharing for small teams

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kborovik/pki-db

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

132 Commits

ca

ca

 
 

certs

certs

 
 

etc

etc

 
 

hosts

hosts

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

VERSION

VERSION

 
 

makefile

makefile

 
 

Repository files navigation

The Lost Art of the Makefile

This repository uses OpenSSL and GNU Makefile to automate and simplify Certificate Signing Request (CSR) processes.

Problem

The Corporate CSR process can take anywhere from hours to weeks to complete.

Solution

Test your Subject Alternative Names (SAN) and deployment process using a test certificate before submitting a CSR to the corporate PKI.

This repo generates a certificate package:

  • Root CA certificate ca-certificates.crt
  • Test Host certificate host.domain.com.crt
  • Test Host CSR host.domain.com.csr
  • Test Host encrypted private key host.domain.com.key
  • Test Host P12 (PFX) bundle host.domain.com.p12

Demo

Create Certificate Authority certificates

create-ca-authority.mp4

Create Host certificate bundle

create-certificate.mp4

Requirements

The procedure was developed and tested with OpenSSL >= 3.0.0

How to Use

Create New PKI

Clone repository

git clone https://github.com/kborovik/pki-db.git

Initialize new PKI DB

Remove old PKI DB and all TLS certificates.

make clean

Remove old Git repository

rm -rf .git

Create new Git repository

git init
git add --all
git commit -m 'initial pki db'

Set GPG keys

GPG key encrypts passwords for TLS certificate private keys. Each TLS private key gets a unique password. This allows the generation of random private key passwords and their creation easily with other team members.

Set shell environment

export GPG_KEY=1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5

Update Makefile

(0) > grep -e '^GPG_KEY' makefile
GPG_KEY ?= 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5

View settings

(0) > make
==> Certificate <==
COMMON_NAME: 
SUBJECT_ALT_NAME: 
==> Encryption Key <==
GPG_KEY: 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5
==> Software <==
OpenSSL: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
GPG: gpg (GnuPG) 2.2.27

Update Certificate Authority Distinguished Name

Add organization Certificate Authority Distinguished Name in files:

etc/
├── root.conf
├── server.conf
└── signing.conf

Example:

[ ca_dn ]
0.domainComponent = ca
1.domainComponent = lab5
organizationName = Lab5 DevOps Inc.
organizationalUnitName = www.lab5.ca
commonName = $organizationName Root CA

Create Certificate

Create certificate

Example:

(0) > make COMMON_NAME="www.lab5.ca" SUBJECT_ALT_NAME="DNS:www.lab5.ca,IP:127.0.0.1,email:user@email.com"

==> Certificate <==
COMMON_NAME: www.lab5.ca
SUBJECT_ALT_NAME: DNS:www.lab5.ca,IP:127.0.0.1,email:user@email.com
==> Encryption Key <==
GPG_KEY: 1A4A6FC0BB90A4B5F2A11031E577D405DD6ABEA5
==> Software <==
OpenSSL: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
GPG: gpg (GnuPG) 2.2.27
Create Certificates? (yes/no): yes

View certificates

(0) > tree certs/
certs/
├── ca-certificates.crt
├── www.lab5.ca.asc
├── www.lab5.ca.crt
├── www.lab5.ca.csr
├── www.lab5.ca.key
└── www.lab5.ca.p12

Show Private Key Password

make show-pass

Decrypt Private Key

make show-key

View CSR

make show-csr

View CRT

make show-crt

View P12

make show-p12

Thank you

The repository is based on the excellent work of the "OpenSSL PKI Tutorial".

https://pki-tutorial.readthedocs.io/en/latest/index.html

About

The Lost Art of the Makefile: Simple OpenSSL PKI sharing for small teams

Topics

ssl devops certificate makefile tls-certificate pki-tools opensssl

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Languages