User:Int 80h/files/SSL Makefile

SSL Makefile

edit

This Makefile makes creating SSL certificates easier.
Dependencies are OpenSSL and automake.

Just copy the code into a file called Makefile and run make help in that direktory to get some help and get started.

# Makefile to create new CA and application keys more easily

have_cnf:=$(wildcard server.cnf)
have_cacnf:=$(wildcard ca.cnf)

all: server.key.nopass server.crt
 
# make new CA key and certificate
newca:
	-rm ca.*
	make ca.crt
 
# make new server certificate and key
newserver: clean
	make all

# sign a certificate
sign: server.crt.signed

# make PEMs
pem: server.pem server.pem.nopass

# create unencrypted server key
server.key.nopass: server.key
	openssl rsa -in $< -out $@
 
# create server certificate with CA
server.crt.signed: server.csr ca.crt ca.key
	openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out $@
	@echo -e " *\n * Serial number needs to be updated, whenever certificate is created anew!\n *"

# create self signed server certificate
server.crt: server.csr server.key
	openssl x509 -req -days 365 -in $< -signkey server.key -out $@
 
# create server signing request
ifeq ($(strip $(have_cnf)),)
server.csr: server.key
	openssl req -new -key $< -out $@
	echo "nein"
else
server.csr: server.key server.cnf
	openssl req -new -key $< -out $@ -config server.cnf
	echo "ja"
endif

# generate server key
server.key:
	openssl genrsa -des3 -out $@ 4096
 
# create pem
server.pem: server.crt server.key
	cat server.crt server.key > $@
	openssl dhparam -2 >> $@

# create unencrypted pem
server.pem.nopass: server.crt server.key.nopass
	cat server.crt server.key.nopass > $@
	openssl dhparam -2 >> $@

# create CA certificate
ifeq ($(strip $(have_cacnf)),)
ca.crt: ca.key
	openssl req -new -x509 -days 365 -key $< -out $@

else
ca.crt: ca.key ca.cnf
	openssl req -new -x509 -days 365 -key $< -out $@ -config ca.cnf

endif

# generate CA key
ca.key:
	openssl genrsa -des3 -out $@ 4096

# delete everything
clean:
	-rm server.crt server.csr server.key server.key.nopass server.pem server.pem.nopass

paranoia:
	-shred -zuv server.crt server.csr server.key server.key.nopass server.pem server.pem.nopass

help:
	@echo -e "Usage: make [newca | newserver | pem | sign | help]\n"
	@echo -e "    (no arguments):    creates CA files and a server certificate"
	@echo -e "    newca:             recreates CA files"
	@echo -e "    newserver:         recreates server certificate files"
	@echo -e "    pem:               create PEM files"
	@echo -e "    sign:              make CA signed certificate"
	@echo -e "    help:              shows this help"


Signed certificates with self made CA

edit

I recommend not signing the certificates with an own CA cert. Some browsers refuse to accept that certificate, and in case of Firefox, it doesn't even allow to make an exception and use it anyway.

It simply won't work.

It's preferable to use a self-signed certificate in case for testing, and in case a CA signed certificate is not needed.


Using a cnf

edit

I suggest using a server.cnf when making multiple certificates. The file accept one ca.cnf and a server.cnf, for CA certificates and server certificates, respectively.