This tool comes as a few bash scripts to simplify the process of making your own X.509 Certificate Authority. It includes:

• Initialization script to generate a self signed RootCA
• Templates for client and server certificates
• Maximum flexibility by passing parameters to openssl ca utility
• Supports Subject Alternative Names (SAN) in server certificates
• Easy to use. Just create symlink to your desired template script
• Revocation template for client and server certificates, including management of Certificate Revocation Lists (CRL)
• Can build infinite chains of Intermediate CAs by copying instances of itself to sub directories
• Logs executed scripts to history file

• OpenSSL >= 1.0.1
• Bash >= 4.3
• Git >= 2.1

OpenSSL Bash Warper is free software: you can redistribute it and/or
modify it under the terms of the GNU General Public License as 
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

OpenSSL Bash Warper is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with OpenSSL Bash Warper. If not, see
<http://www.gnu.org/licenses/>.

Clone the Git repository to your home directory.

cd ~
git clone 'https://github.com/SlashDashAndCash/OpenSSL-Bash-Warper.git'

Rename directory to your CA name, e.g. yourname-root-x1

mv OpenSSL-Bash-Warper yourname-root-x1
cd yourname-root-x1

It's strongly recommended to customize the openssl.cnf file

cp openssl_example.cnf openssl.cnf

Replace the properties with your settings.

• crlbaseurl
• countryName_default
• stateOrProvinceName_default
• 0.organizationName_default
• organizationalUnitName_default

Creating the root ca is quite easy. ./templates/rootca.sh

By default this will create a 4096 bits RSA key singed with SHA-512 signatures with a lifetime of ten years. You may change this behavior by adding parameters.

See man req for details.

You can create a certificate by just creating a symbolic link to the desired template script.

Server certificate: ln -s server_template.sh templates/hostname.domain

User certificate: ln -s user_template.sh templates/username

Then execute the link to create a new key, certificate signing request (csr) and a signed certificate.

./templates/hostname.domain

If you already have a signing request, copy it to the requests directory. Filename must be the symbolic link with .csr extension.

vim requests/hostname.domain.csr
./templates/hostname.domain

You may want to add subject alternative names to a server certificate.

export SAN='DNS:hostname.domain,DNS:hostname,IP:8.8.8.8,IP:8.8.4.4'
./templates/hostname.domain
export SAN=''

You can also provide extra parameters to signing command (openssl ca) regardless of server or user certificate

./templates/hostname.domain -option1 --option2 value --option3

See man ca for available options.

Replace the symbolic link with the revocation template.

ln -s -f revoke_template.sh templates/hostname.domain
./templates/hostname.domain

This will also create a new certificate revocation list (crl).

cat crl/yourname-root-x1.crl

InterCAs are not self signed but signed by the root ca or another inter ca.

./templates/interca.sh yourname-caname-x1
cd yourname-caname-x1

Inter ca keys always have a 4096 modulus. Modify the interca.sh script to change this behavior. You may provide extra parameters to signing command (openssl ca).

See man ca for available options.

You can run the interca.sh script within an inter ca directory to extend the chain of trust.

All executed scripts will be logged in ./templates/history.log relative to the ca directory.

Simply create a tar ball which supports of hard links by default.

cd ~
tar -c -z -f "yourname-root-x1_$(date '+%Y-%m-%d').tar.gz" --preserve-permissions --same-owner --keep-directory-symlink yourname-root-x1/
chmod 600 "yourname-root-x1_$(date '+%Y-%m-%d').tar.gz"

Extract the tar ball if you need to restore

tar -x -z -f "~/yourname-root-x1_$(date '+%Y-%m-%d').tar.gz" --preserve-permissions --same-owner --keep-directory-symlink

If you run into an error, the template script interrupts and you have to clean up.

For user and server certificates you can use the archive script.

./templates/archive.sh hostname.domain

./templates/archive.sh username

If the interca.sh script failes, you should remove the unfinished inter ca directory.

rm -rf yourname-caname-x1/

If the interca.sh script failes after signing, you must also remove the last entry from index.txt.