This tls-gen variation generates a root CA and two certificate/key pairs signed by it:
- Chain 1: root CA => client certificate/key pair
- Chain 2: root CA => server certificate/key pair
# pass a private key password using the PASSWORD variable if needed
make
# results will be under the ./result directory
ls -lha ./result
Generated CA certificate as well as client and server certificate and private keys will be
under the result
directory.
It possible to use ECC for leaf keys:
cd [path to tls-gen repository]/basic
# pass a password using the PASSWORD variable
make USE_ECC=true ECC_CURVE="prime256v1"
# results will be under the ./result directory
ls -lha ./result
The list of available curves can be obtained with
openssl ecparam -list_curves
If you want to generate additional server certificates using the same Root CA, use:
make CN=newname gen-server
If you want to generate additional client certificates using the same Root CA, use:
make CN=newname gen-client
To regenerate, use
make regen
The regen
target accepts the same variables as gen
(default target) above.
You can verify the generated client and server certificates against the generated CA one with
make verify
To display client and server certificate information, use
make info
This assumes the certificates were previously generated.
The Root CA creates certificates whose CRL distribution point is http://crl-server:8000/basic.crl
. To make this CRL available, Python 3 can be used, after ensuring that the DNS name crl-server
resolves:
cd result
python -m http.server
If you need to test revoking a certificate do the following from the basic
directory:
openssl ca -config openssl.cnf -revoke ./result/server_MY-CN_certificate.pem -keyfile ./testca/private/cakey.pem -cert ./testca/cacert.pem
Then regenerate the CRL file:
make gen-crl