# Certificate Authority for development purposes

A bare bones development certificate authority (CA) can be set up to create certs for serving TLS connections.

Install GnuTLS, e.g. with `apt install gnutls-bin` (version 3.7.1-5 on Debian Bullseye).

All the private keys will be created without password protection, which is suitable for testing in development setups.

## create root CA

```sh
mkdir -p ~/${FOLDERNAME}
cd ~/${FOLDERNAME}

certtool --generate-privkey --outfile rootca-key.pem

# ${ORGANAME} is double-quoted so an organisation name containing spaces
# or shell metacharacters is written into the template unchanged.
echo '
organization = "'"${ORGANAME}"'"
country = DE
cn = "Tester"

ca
cert_signing_key
crl_signing_key

serial = 001
expiration_days = 100
' >gnutls-certtool.rootca.template

certtool --generate-self-signed --load-privkey rootca-key.pem --outfile rootca-cert.pem --template gnutls-certtool.rootca.template --stdout | head -1
```

## create webserver cert

```sh
pushd ~/${FOLDERNAME}

certtool --generate-privkey --outfile testserver-key.pem

echo '
organization = "'"${ORGANAME}"'"
country = DE
cn = "Service Testing"

tls_www_server
signing_key
encryption_key
non_repudiation

dns_name = "*.local"
dns_name = "localhost"

serial = 010
expiration_days = 50
' > gnutls-certtool.testserver.template

certtool --generate-certificate --load-privkey testserver-key.pem --outfile testserver.crt --load-ca-certificate rootca-cert.pem --load-ca-privkey rootca-key.pem --template gnutls-certtool.testserver.template --stdout | head -1

# Server cert first, then the issuing root, as TLS servers expect the chain.
cat testserver.crt rootca-cert.pem >bundle.crt

export SSL_CERTIFICATE="$PWD/bundle.crt"
export SSL_CERTIFICATE_KEY="$PWD/testserver-key.pem"

popd
```

Replace `${FOLDERNAME}` with the name of the folder the keys should be saved into, and `${ORGANAME}` with the organisation name that should be used when creating the certificates.

## Considerations and References

- The command line and template options are explained in the GnuTLS documentation at the end of certtool Invocation; see that section in the current stable documentation, but be aware that it may be newer than the version you have installed.
- GnuTLS is used instead of OpenSSL because it is an implementation with a long, good track record, and its configuration is slightly slimmer. (Overall it is positive for the security of open standards like TLS and CMS that there are several competing, compatible implementations; selecting a different implementation here and there helps the ecosystem by fostering that competition.)
- Using the GnuTLS default algorithm (RSA 3072 at the time of writing) is good enough, as the goal is not to test ECC compatibility of client certificates with servers, browsers and tools.
- An example script for server certs: https://gist.github.com/epcim/832cec2482a255e3f392
- An example for client certs as part of the libvirt setup instructions: https://wiki.libvirt.org/page/TLSCreateClientCerts