Bootstrapper (scripts and template) to make your own Root and (first) Intermediate Certificate Authorities.

BobWaffle/certificate-authority-bootstrap
certificate-authority-bootstrap

This project provides a template and some helper scripts to create your own Root and Intermediate Certificate Authorities.

Quickstart

FAQs

Quickstart

1) Initialise the Root and Intermediate CAs

Steps

This is for *NIX systems.

# Clone the repository
git clone https://github.com/BobWaffle/certificate-authority-bootstrap.git

# Change into the repo directory
cd certificate-authority-bootstrap

# Clone the CA template using the helper script
./bin/bootstrap-ca.sh MyNewCA

# Change into the new CA directory
cd ./private/MyNewCA

# Initialise the Root CA using the helper script
./bin/01CreateRootCAKeyAndCert.sh

# Initialise the Intermediate01 CA using the helper script
./bin/02CreateIntermediate01CAKeyAndCert.sh

DO NOT CUT-AND-PASTE THE ABOVE COMMANDS IN ONE BLOCK. Why? Because the scripts prompt for passphrases and other input as they run, so run them one at a time.

2) Get Signing

Now you're ready to start signing your own certificates using your intermediate authority.

# Make sure you're in the new Certificate Authority directory
cd certificate-authority-bootstrap/private/MyNewCA

# Run the certificate signing helper script
./bin/SignCertificateWithIntermediate01CA.sh www.somedomain.com api.somedomain.com blah.somedomain.com

The script SignCertificateWithIntermediate01CA.sh accepts any number of domains as parameters. The first domain becomes the Common Name of the certificate and the remaining names are Subject Alternative Names. Note that modern browsers ignore the Common Name and match the hostname against the Subject Alternative Names only, so after signing, check the certificate's "X509v3 Subject Alternative Name" extension (for example with openssl x509 -noout -text) to confirm that every name you need, the first one included, is listed there.

You can use the script as many times as you want, passing a different Common Name each time. e.g.

./bin/SignCertificateWithIntermediate01CA.sh www.somedomain.com api.somedomain.com blah.somedomain.com
./bin/SignCertificateWithIntermediate01CA.sh www.somethingelse.com
./bin/SignCertificateWithIntermediate01CA.sh www.another.com alternative.another.com

3) [Optional] Trust Your Own CAs

This step allows you to add one or both of your Certificate Authorities to your device(s) on which you want to trust them.

Why might you do this? So you don't get prompted by your device that "The Certificate is not trusted".

What is the danger of doing this? Good question! I'm glad you asked. Remember: Once you trust your own Certificate Authority at the operating system level, you will never see any warnings for TLS/SSL certificates that were signed by that Certificate Authority. (Some applications, Firefox for example, keep their own trust store, so they may still warn until you add the CA there as well.)

Why is that dangerous? Imagine someone got hold of your CA files (the private key and its passphrase) and generated a certificate for www.yourbank.com. They'd then be able to pretend to be https://www.yourbank.com and your browser wouldn't warn you. This is why the Root CA private key in particular should stay offline and be used only to sign intermediates.

I don't understand. Well... perhaps you shouldn't be mucking around with Certificate Authorities. Don't say I didn't warn you.

OK OK - I understand the risks... what do I do? Exactly what you do depends on your requirements (do you need to install the Root CA or is the Intermediate CA sufficient?). Once you know which you want to install, simply add the relevant certificate (the CA certificate only, never its private key) to your operating system's trusted certificate store.

I don't know if I should install the Root or Intermediate CA Cert...

  • If you install the Root CA then all certificates signed by the Root CA or any of your intermediate CAs will be trusted. (The scripts I have provided only create a single Intermediate CA... but you could choose to make more.)
  • If you install the Intermediate CA then only certificates signed by the Intermediate CA will be trusted.
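
As an added example that is not part of this project (it does not use the repository's scripts or template), here is the same flow done directly with openssl: a Root CA, an Intermediate CA signed by it, and a leaf certificate whose first name is the Common Name while every name goes into the Subject Alternative Names. It then verifies the leaf three ways, which is what the Root-versus-Intermediate choice above boils down to: with the Root as trust anchor, with only the Intermediate as trust anchor, and with the Root trusted but the Intermediate missing. The CA names, file names, curve, lifetimes and the somedomain.com hostnames are assumptions made for the demo; the keys are created without passphrases purely so the demo runs non-interactively, which is exactly what you should not do for a real CA.

```shell
#!/usr/bin/env bash
# Added example, not part of certificate-authority-bootstrap: a throwaway
# root -> intermediate -> leaf chain built with plain openssl, to show (a) the
# "first name is the CN, every name is a SAN" layout and (b) what trusting the
# root versus the intermediate means when a chain is verified. All names,
# paths, curves and lifetimes below are made up for the demo.
set -eu

DEMO_DIR=$(mktemp -d)

# Build the chain in $DEMO_DIR. Usage: build_demo_chain www.x.test api.x.test
# The first argument becomes the Common Name; every argument (the first one
# included) goes into subjectAltName, which is what browsers actually match.
build_demo_chain() (
    cd "$DEMO_DIR"
    cn=$1
    san=""
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done

    # Extension profiles for the two CAs. pathlen limits how many CA levels
    # may sit below each one: the root may sign one CA, the intermediate none.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Root CA
[v3_root]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # End-entity profile: not a CA, server auth only, SANs from the arguments.
    cat > leaf.ext <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = $san
EOF

    # 1) Root CA: self-signed P-256 key (no passphrase, demo only).
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout root.key -out root.pem -days 3650 -sha256 \
        -config ca.cnf -extensions v3_root
    # 2) Intermediate CA: a CSR signed by the root with the CA profile.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout intermediate.key -out intermediate.csr \
        -subj "/CN=Demo Intermediate CA 01"
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 1825 -sha256 \
        -extfile ca.cnf -extensions v3_intermediate -out intermediate.pem
    # 3) Leaf: CN = first name, signed by the intermediate, SANs from leaf.ext.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout leaf.key -out leaf.csr -subj "/CN=$cn"
    openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
        -CAcreateserial -days 397 -sha256 -extfile leaf.ext -out leaf.pem
)

# Checks that return a shell status so they can be used in if / && / ||.
leaf_has_san() { openssl x509 -in "$DEMO_DIR/leaf.pem" -noout -text | grep -q "DNS:$1"; }
leaf_cn_is()   { openssl x509 -in "$DEMO_DIR/leaf.pem" -noout -subject | grep -q "CN *= *$1"; }

# Trust anchor = root; the intermediate is passed as untrusted, as a TLS server sends it.
verify_with_root() {
    openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$DEMO_DIR/intermediate.pem" \
        "$DEMO_DIR/leaf.pem" 2>&1 | grep -q ': OK$'
}
# Trust anchor = intermediate only. OpenSSL rejects a non-self-signed anchor unless
# told -partial_chain; OS trust stores generally accept such an entry directly.
verify_with_intermediate() {
    openssl verify -partial_chain -CAfile "$DEMO_DIR/intermediate.pem" \
        "$DEMO_DIR/leaf.pem" 2>&1 | grep -q ': OK$'
}
# Root trusted but intermediate not supplied: no chain can be built, so this fails.
verify_without_intermediate() {
    openssl verify -CAfile "$DEMO_DIR/root.pem" "$DEMO_DIR/leaf.pem" 2>&1 | grep -q ': OK$'
}

build_demo_chain www.somedomain.com api.somedomain.com blah.somedomain.com
```

The third check is the one people trip over after trusting only the Root: the server must send the Intermediate certificate along with its own, or clients that know only the Root cannot build the chain and will reject the connection.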

Erm... HOW do I trust a CA on my device of type X? Google it.

Not (Yet) Supported

CRLs

I've not yet written any tools to manage certificate revocation / CRLs. I might get round to this if either of these things happens:

  • Someone asks me to do it
  • I need to do it for my own purposes (not looking likely at the time of writing)

Windows

I've only written bash scripts, I'm sorry to say. If someone asks nicely I may be able to make some .bat files. Although now that I think of this, I kinda regret the sed expressions I've used in some of my shell scripts.

FAQs

Why is the FAQs section so empty?

Because no-one has asked me any questions.
