summaryrefslogtreecommitdiffstats
path: root/source/tutorials/tls_cert_script.rst
diff options
context:
space:
mode:
Diffstat (limited to 'source/tutorials/tls_cert_script.rst')
-rw-r--r--source/tutorials/tls_cert_script.rst159
1 files changed, 159 insertions, 0 deletions
diff --git a/source/tutorials/tls_cert_script.rst b/source/tutorials/tls_cert_script.rst
new file mode 100644
index 0000000..e3add83
--- /dev/null
+++ b/source/tutorials/tls_cert_script.rst
@@ -0,0 +1,159 @@
+Creating certificates with a script
+===================================
+
+*Written by* `Florian Riedl <https://www.adiscon.com>`_
+*(2019-09-12)*
+
+
+Overview
+--------
+
+This small article describes is a quick addon to the TLS guides. It describes
+in short words, how you can create some quick and dirty certificates for
+testing.
+
+**Disclaimer**: When creating certificates with the attached scripts and more or
+less default configurations, you cannot create secure certificates. You need to
+use more detailed configuration files to create secure certificates.
+
+
+Description
+-----------
+
+We created a few simple scripts and added configuration files from the sample
+configuration in the certtool man page. You can download them here:
+:download:`Download Scripts <cert-script.tar.gz>`.
+
+The tarball contains 6 files, 3 scripts and 3 configurations. To execute, you
+must make the scripts executable and have certtool installed via libgnutls.
+
+- Script 1 creates the CA key and certificate as outlined in `Setting up the CA
+ <tls_cert_ca.html>`_
+
+- Script 2 creates the `machine key and certificate <tls_cert_machine.html>`_ for
+ a client.
+
+- Script 3 creates the machine key and certificate for a server.
+
+These scripts can easily be combined into one. But, we decided to go for
+separate scripts so each step can be repeated separately if needed.
+
+After the scripts are executed, you should have 2 new files per script.
+Distribute the files to the machines as described before.
+
+
+Example
+-------
+
+Apart from executing the scripts, no extra input is required. All input from
+manual certificate creating can be done automatically via the configuration
+template in the cfg files.
+
+Sample output for the CA certificate generation.
+::
+
+ test@ubuntu:~/Documents$ ./1-generate-ca.sh
+ ** Note: Please use the --sec-param instead of --bits
+ Generating a 2048 bit RSA private key...
+ Generating a self signed certificate...
+ X.509 Certificate Information:
+ Version: 3
+ Serial Number (hex): 5d7a6351
+ Validity:
+ Not Before: Thu Sep 12 15:25:05 UTC 2019
+ Not After: Sun Sep 09 15:25:05 UTC 2029
+ Subject: C=US,O=Example,OU=Example,CN=CA-Cert
+ Subject Public Key Algorithm: RSA
+ Certificate Security Level: Low
+ Modulus (bits 2048):
+ 00:95:28:40:b6:4d:60:7c:cf:72:1d:17:36:b5:f1:11
+ 0d:42:05:e9:38:c7:6e:95:d9:42:02:c5:4b:f2:9d:e2
+ c8:31:ac:18:ae:55:f7:e0:4c:dd:6d:72:32:01:fa:1d
+ da:a1:3d:ad:c9:13:0a:68:3e:bc:40:6a:1e:f2:f7:65
+ f0:e9:64:fa:84:8b:96:15:b5:10:f3:99:29:14:ee:fc
+ 88:8d:41:29:8e:c7:9b:23:df:8b:a3:79:28:56:ed:27
+ 66:a4:9a:fa:75:47:67:0a:e2:f4:35:98:e8:9e:ad:35
+ c2:b2:17:8b:98:72:c4:30:58:fd:13:b6:f4:01:d0:66
+ 56:be:61:85:55:dc:91:b6:4e:0a:3f:d4:3f:40:fa:a8
+ 92:5e:c5:dd:75:da:c3:27:33:59:43:47:74:fe:d2:28
+ 14:49:62:ee:39:22:34:6b:2f:e8:d1:ba:e9:95:6d:29
+ d2:6f:8a:a2:fc:c8:da:f0:47:78:3b:2c:03:dc:fb:43
+ 31:9e:a1:cb:11:18:b9:0b:31:d3:86:43:68:f8:c4:bd
+ ab:90:13:33:75:e9:b5:ca:74:c3:83:98:e9:91:3d:39
+ fb:65:43:77:0b:b2:bc:3b:33:c2:91:7e:db:c3:a2:a1
+ 80:0b:a0:ce:cb:34:29:8b:24:52:25:aa:eb:bd:40:34
+ cb
+ Exponent (bits 24):
+ 01:00:01
+ Extensions:
+ Basic Constraints (critical):
+ Certificate Authority (CA): TRUE
+ Key Usage (critical):
+ Certificate signing.
+ Subject Key Identifier (not critical):
+ 6bbe9a650dbcaf5103c78daf8a2604d76a749f42
+ Other Information:
+ Public Key Id:
+ 6bbe9a650dbcaf5103c78daf8a2604d76a749f42
+
+
+
+ Signing certificate...
+
+Sample output for the machine certificate generation.
+::
+
+ test@ubuntu:~/Documents$ ./2-generate-client.sh
+ ** Note: Please use the --sec-param instead of --bits
+ Generating a 2048 bit RSA private key...
+ Generating a PKCS #10 certificate request...
+ Generating a signed certificate...
+ X.509 Certificate Information:
+ Version: 3
+ Serial Number (hex): 5d7a6402
+ Validity:
+ Not Before: Thu Sep 12 15:28:02 UTC 2019
+ Not After: Sun Sep 09 15:28:02 UTC 2029
+ Subject: C=US,O=Example,OU=Example,CN=Test Client
+ Subject Public Key Algorithm: RSA
+ Certificate Security Level: Low
+ Modulus (bits 2048):
+ 00:bd:7f:0b:20:2e:fe:f1:49:91:71:fa:f1:72:76:6b
+ c0:96:ce:e0:85:80:a3:6a:d2:9e:07:dd:02:94:4f:df
+ c8:34:13:7d:d1:8f:b8:1b:1f:cf:b8:b7:ae:2f:dd:9a
+ da:52:6e:a3:f4:73:20:63:32:46:c2:e1:94:73:6b:cd
+ b4:e4:82:46:25:b0:62:f9:12:28:4f:4f:76:23:5c:47
+ 1b:f9:61:cd:68:c1:c1:17:93:90:3c:d2:2b:6e:82:c2
+ a3:ca:80:b7:89:6e:b6:16:ae:47:05:e5:b4:07:bf:75
+ d9:bd:aa:fe:79:77:72:6e:af:ed:5b:97:d1:e0:00:ba
+ ab:6f:9e:1f:a6:d4:95:d7:d3:39:88:9b:58:88:28:a0
+ 7e:b6:fe:07:7e:68:ad:a1:d0:23:12:3d:96:b2:a8:8e
+ 73:66:c0:4f:10:a0:e5:9e:ab:2a:37:1d:83:b1:c3:e5
+ 7c:35:cc:20:05:7c:7e:41:89:f1:b3:6b:e4:00:f2:bc
+ 0b:08:55:07:b3:67:e4:14:1c:3c:64:1b:92:2d:d7:f0
+ f7:d4:dc:d7:63:1e:fd:e4:98:bc:6b:f1:1a:a9:af:05
+ 7a:94:52:f5:b5:36:f0:0c:c0:41:0a:39:b7:fb:b3:50
+ c1:ce:ee:24:56:61:77:9d:9e:e1:d0:e1:39:f0:cc:b6
+ 29
+ Exponent (bits 24):
+ 01:00:01
+ Extensions:
+ Basic Constraints (critical):
+ Certificate Authority (CA): FALSE
+ Key Purpose (not critical):
+ TLS WWW Client.
+ TLS WWW Server.
+ Subject Key Identifier (not critical):
+ 5a1a7316c4594cafafbeb45ddb49623af3a9f231
+ Authority Key Identifier (not critical):
+ 6bbe9a650dbcaf5103c78daf8a2604d76a749f42
+ Other Information:
+ Public Key Id:
+ 5a1a7316c4594cafafbeb45ddb49623af3a9f231
+
+
+
+ Signing certificate...
+
+**Be sure to safeguard ca-key.pem!** Nobody except the CA itself needs
+to have it. If some third party obtains it, you security is broken!
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-24 04:00:20 +0000