diff --git a/containers/ssl/README.md b/containers/ssl/README.md deleted file mode 100644 index 3fc75db..0000000 --- a/containers/ssl/README.md +++ /dev/null @@ -1,4 +0,0 @@ -openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Root-CA" -openssl x509 -outform pem -in RootCA.pem -out RootCA.crt -openssl req -new -nodes -newkey rsa:2048 -keyout lesspass.key -out lesspass.csr -subj "/C=FR/ST=Gironde/L=Bordeaux/O=LessPass/CN=lesspass.local" -openssl x509 -req -sha256 -days 1024 -in lesspass.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out lesspass.crt \ No newline at end of file diff --git a/containers/ssl/create_ca_and_ee.sh b/containers/ssl/create_ca_and_ee.sh new file mode 100755 index 0000000..b8304b7 --- /dev/null +++ b/containers/ssl/create_ca_and_ee.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash +# This script will create a custom Certificate Authority (CA) and End Entity (EE) certificates. +# +# for local development this should be fine and you can ignore certificate trust errors related to +# an untrusted root. For public facing access, you can submit the generated lesspass.csr to a trusted +# ca so that they can provide you with a trusted certificate to replace this development certificate. + +CA_CRT_SUBJ="${CA_CRT_SUBJ:-/C=US/CN=Root-CA}" +CA_KEY_TYPE="${CA_KEY_TYPE:-rsa:2048}" +EE_CRT_SUBJ="${EE_CRT_SUBJ:-/C=FR/ST=Gironde/L=Bordeaux/O=LessPass/CN=lesspass.local}" +EE_KEY_TYPE="${EE_KEY_TYPE:-${CA_KEY_TYPE}}" + +openssl req -x509 -nodes -new -sha256 -days 1024 -newkey "$CA_KEY_TYPE" -keyout RootCA.key -out RootCA.pem -subj "$CA_CRT_SUBJ" +openssl x509 -outform pem -in RootCA.pem -out RootCA.crt +openssl req -new -nodes -newkey "$EE_KEY_TYPE" -keyout lesspass.key -out lesspass.csr -subj "$EE_CRT_SUBJ" +openssl x509 -req -sha256 -days 1024 -in lesspass.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out lesspass.crt + +openssl verify -verbose -CAfile RootCA.crt RootCA.crt lesspass.crt