source/tutorials/tls_cert_script.rst


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

Creating certificates with a script
===================================

*Written by* `Florian Riedl  <https://www.adiscon.com>`_
*(2019-09-12)*


Overview
--------

This small article describes is a quick addon to the TLS guides. It describes 
in short words, how you can create some quick and dirty certificates for 
testing. 

**Disclaimer**: When creating certificates with the attached scripts and more or 
less default configurations, you cannot create secure certificates. You need to 
use more detailed configuration files to create secure certificates.


Description
-----------

We created a few simple scripts and added configuration files from the sample 
configuration in the certtool man page. You can download them here: 
:download:`Download Scripts <cert-script.tar.gz>`.

The tarball contains 6 files, 3 scripts and 3 configurations. To execute, you 
must make the scripts executable and have certtool installed via libgnutls.

- Script 1 creates the CA key and certificate as outlined in `Setting up the CA 
  <tls_cert_ca.html>`_

- Script 2 creates the `machine key and certificate <tls_cert_machine.html>`_ for 
  a client.

- Script 3 creates the machine key and certificate for a server.

These scripts can easily be combined into one. But, we decided to go for 
separate scripts so each step can be repeated separately if needed.

After the scripts are executed, you should have 2 new files per script. 
Distribute the files to the machines as described before.


Example
-------

Apart from executing the scripts, no extra input is required. All input from 
manual certificate creating can be done automatically via the configuration 
template in the cfg files.

Sample output for the CA certificate generation.
::

    test@ubuntu:~/Documents$ ./1-generate-ca.sh 
    ** Note: Please use the --sec-param instead of --bits
    Generating a 2048 bit RSA private key...
    Generating a self signed certificate...
    X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 5d7a6351
	Validity:
		Not Before: Thu Sep 12 15:25:05 UTC 2019
		Not After: Sun Sep 09 15:25:05 UTC 2029
	Subject: C=US,O=Example,OU=Example,CN=CA-Cert
	Subject Public Key Algorithm: RSA
	Certificate Security Level: Low
		Modulus (bits 2048):
			00:95:28:40:b6:4d:60:7c:cf:72:1d:17:36:b5:f1:11
			0d:42:05:e9:38:c7:6e:95:d9:42:02:c5:4b:f2:9d:e2
			c8:31:ac:18:ae:55:f7:e0:4c:dd:6d:72:32:01:fa:1d
			da:a1:3d:ad:c9:13:0a:68:3e:bc:40:6a:1e:f2:f7:65
			f0:e9:64:fa:84:8b:96:15:b5:10:f3:99:29:14:ee:fc
			88:8d:41:29:8e:c7:9b:23:df:8b:a3:79:28:56:ed:27
			66:a4:9a:fa:75:47:67:0a:e2:f4:35:98:e8:9e:ad:35
			c2:b2:17:8b:98:72:c4:30:58:fd:13:b6:f4:01:d0:66
			56:be:61:85:55:dc:91:b6:4e:0a:3f:d4:3f:40:fa:a8
			92:5e:c5:dd:75:da:c3:27:33:59:43:47:74:fe:d2:28
			14:49:62:ee:39:22:34:6b:2f:e8:d1:ba:e9:95:6d:29
			d2:6f:8a:a2:fc:c8:da:f0:47:78:3b:2c:03:dc:fb:43
			31:9e:a1:cb:11:18:b9:0b:31:d3:86:43:68:f8:c4:bd
			ab:90:13:33:75:e9:b5:ca:74:c3:83:98:e9:91:3d:39
			fb:65:43:77:0b:b2:bc:3b:33:c2:91:7e:db:c3:a2:a1
			80:0b:a0:ce:cb:34:29:8b:24:52:25:aa:eb:bd:40:34
			cb
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Key Usage (critical):
			Certificate signing.
		Subject Key Identifier (not critical):
			6bbe9a650dbcaf5103c78daf8a2604d76a749f42
    Other Information:
	Public Key Id:
		6bbe9a650dbcaf5103c78daf8a2604d76a749f42


    Signing certificate...

Sample output for the machine certificate generation.
::

    test@ubuntu:~/Documents$ ./2-generate-client.sh 
    ** Note: Please use the --sec-param instead of --bits
    Generating a 2048 bit RSA private key...
    Generating a PKCS #10 certificate request...
    Generating a signed certificate...
    X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 5d7a6402
	Validity:
		Not Before: Thu Sep 12 15:28:02 UTC 2019
		Not After: Sun Sep 09 15:28:02 UTC 2029
	Subject: C=US,O=Example,OU=Example,CN=Test Client
	Subject Public Key Algorithm: RSA
	Certificate Security Level: Low
		Modulus (bits 2048):
			00:bd:7f:0b:20:2e:fe:f1:49:91:71:fa:f1:72:76:6b
			c0:96:ce:e0:85:80:a3:6a:d2:9e:07:dd:02:94:4f:df
			c8:34:13:7d:d1:8f:b8:1b:1f:cf:b8:b7:ae:2f:dd:9a
			da:52:6e:a3:f4:73:20:63:32:46:c2:e1:94:73:6b:cd
			b4:e4:82:46:25:b0:62:f9:12:28:4f:4f:76:23:5c:47
			1b:f9:61:cd:68:c1:c1:17:93:90:3c:d2:2b:6e:82:c2
			a3:ca:80:b7:89:6e:b6:16:ae:47:05:e5:b4:07:bf:75
			d9:bd:aa:fe:79:77:72:6e:af:ed:5b:97:d1:e0:00:ba
			ab:6f:9e:1f:a6:d4:95:d7:d3:39:88:9b:58:88:28:a0
			7e:b6:fe:07:7e:68:ad:a1:d0:23:12:3d:96:b2:a8:8e
			73:66:c0:4f:10:a0:e5:9e:ab:2a:37:1d:83:b1:c3:e5
			7c:35:cc:20:05:7c:7e:41:89:f1:b3:6b:e4:00:f2:bc
			0b:08:55:07:b3:67:e4:14:1c:3c:64:1b:92:2d:d7:f0
			f7:d4:dc:d7:63:1e:fd:e4:98:bc:6b:f1:1a:a9:af:05
			7a:94:52:f5:b5:36:f0:0c:c0:41:0a:39:b7:fb:b3:50
			c1:ce:ee:24:56:61:77:9d:9e:e1:d0:e1:39:f0:cc:b6
			29
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
		Subject Key Identifier (not critical):
			5a1a7316c4594cafafbeb45ddb49623af3a9f231
		Authority Key Identifier (not critical):
			6bbe9a650dbcaf5103c78daf8a2604d76a749f42
    Other Information:
	Public Key Id:
		5a1a7316c4594cafafbeb45ddb49623af3a9f231


    Signing certificate...

**Be sure to safeguard ca-key.pem!** Nobody except the CA itself needs
to have it. If some third party obtains it, you security is broken!