NAME

create-cert — create openssl client key and certificates

SYNOPSIS

DESCRIPTION

create-cert is a script that uses openssl(1) to create self-signed host certificates and private keys for fully qualified domain names (FQDNs).

A configuration file to specify certificate attributes. The -I flag is used to create an initial version of this file. The user may optionally customize this file before running create-cert with the -R flag which creates a self-signed rootca cert and key.

Once a valid configuration file, rootca cert, and key files are all present, create-cert can be used to create cert and key files for a FQDN. The FQDN will be added as a Subject Alt Name as will an additional arguments. create-cert requires each FQDN (and any Subject Alt Names) to include at least one ‘.’ in it; use the -f flag to override this restriction. IPv4 and IPv6 addresses may also be specified.

Key files are created without group or world read permissions. The script always refuses to overwrite existing files. If c_rehash is found on the user's PATH, it is used to hash the certs directory after a host cert is created.

OPTIONS

Here are the command line options:

-b bits

Override the size of the key in bits when creating a certificate.

-d days

When creating a new certificate, override the number days to certify it.

-D digest

When creating a new certificate, override the digest.

-c config

Specify the configuration file; defaults to create-cert.conf.

-C cert

Like -I, creates an initial configuration file but populates the values from an existing X509 root or host certificate file cert. This is a handy way to bootstrap an old tree of self-signed certs for use with create-cert.

-f

Normally, create-cert requires FQDNs (with at least one ‘.’ in them). The -f flag removes this restriction.

-I

Create an initial configuration file; see the description for the -c flag for more details about the filename used.

-n

Show the shell commands but do not execute them (aka dry run).

-R

Create a self-signed rootca cert and private key.

-v

Increase verbosity.

CONFIGURATION OPTIONS

Here are the configuration options that may be used in create-cert.conf.

country

The two character country code.

state

The State or province.

city

The City or locality.

organization

The name of the organization or company.

authority

The name of the authority.

rootname

The root certificate authority name.

email

The email address of the organization.

bits

Size of the key in bits. Keys smaller than 2048 are not recommended.

digest

The format of the message digest. Possible values include md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384 and sha512. sha1 or higher is recommend and in particular md5 is not recommended as iPhones reject certificates using this hash algorithm due to its weakness.

days

The number of days to certify the certificate. The default is 3650 (10 years).

EXAMPLES

Here's an example work flow using create-cert to create a new rootca and host certs and keys (uninteresting output from openssl has been removed):

Here are some examples of the error checking:

FILES

create-cert.conf

create-cert configuration file

certs

public certs directory

certs/rootca.index

certificate database file

certs/rootca.pem

rootca public cert file

private

private key directory

private/rootca.key

rootca private key file

private/serial

certificate serial number file

SEE ALSO

openssl(1)

AUTHOR

Craig Leres

BUGS