incert: Internal PKI Infrastructure
Generate and manage an internal certificate authority for basic self-signed, trusted certificates across multiple domains or machines.
Before you start, you have to generate the CA key and certificate themselves.
First, a private key (this command writes the key unencrypted, so restrict access to ca/ca.key):
$ openssl genrsa -out ca/ca.key 4096
Then, create a CA public certificate (answer all the questions it asks accordingly):
$ openssl req -x509 -new -nodes -key ca/ca.key -sha256 -days 3650 -out ca/ca.crt
Then you should be ready to go!
Modifying default values
You should modify the default Organization information in
you want to generate certs claimed to be owned by BlackieOps.
Creating a certificate
./generate is provided for ease of use.
Usage: ./generate HOSTNAME [WILDCARD]
Examples:
  Generate a key and certificate:
    ./generate intranet.local
  Generate a key and wildcard certificate:
    ./generate mycorp.internal 1
Copy and trust the ca/ca.crt certificate on all of your browsers, laptops, phones, servers, or other devices that should trust the certificates you generate.
How you do that is up to you.
Collecting Certificate and Key material
./generate will output a few files for you (
example.com in place of your
private/example.com.key is the private key;
certs/example.com.crt is the certificate;
certs/example.com.bundle.crt is an nginx/Apache-compatible "CA bundle", which is your certificate followed by the CA chain.
csr/example.com.csr is the certificate signing request (you probably don't care about this).
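Before deploying the files listed above, it is worth confirming that the certificate chains to ca/ca.crt, that the private key belongs to it, and that it covers the hostname clients will use. The script below is an added example, not part of incert: check_issued and make_demo are hypothetical helper names, and the demo CA and intranet.local certificate are constructed sample data standing in for ./generate output.

```shell
#!/bin/sh
# Added example, not part of incert. Returns 0 only if all three checks pass;
# 1 = does not chain to the CA, 2 = key/cert mismatch, 3 = hostname not covered.
check_issued() {
    ca=$1; crt=$2; key=$3; host=$4
    # 1. The certificate must chain to the internal CA that devices trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not chain to $ca"; return 1; }
    # 2. The private key must belong to the certificate (compare public keys).
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)" = \
      "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)" ] ||
        { echo "FAIL: $key does not match $crt"; return 2; }
    # 3. The certificate must cover the name clients will connect to.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate" ||
        { echo "FAIL: $crt does not cover $host"; return 3; }
    echo "OK: $host"
}

# Constructed sample data: a throwaway CA and one leaf for intranet.local,
# written to the same relative paths the README lists. This stands in for
# ./generate output; it is not how ./generate itself works.
make_demo() {
    d=$1; mkdir -p "$d/ca" "$d/private" "$d/certs" "$d/csr"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca/ca.key" -out "$d/ca/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.local" \
        -keyout "$d/private/intranet.local.key" \
        -out "$d/csr/intranet.local.csr" 2>/dev/null
    printf 'subjectAltName=DNS:intranet.local\n' > "$d/san.ext"
    openssl x509 -req -in "$d/csr/intranet.local.csr" -sha256 -days 1 \
        -CA "$d/ca/ca.crt" -CAkey "$d/ca/ca.key" -CAcreateserial \
        -extfile "$d/san.ext" -out "$d/certs/intranet.local.crt" 2>/dev/null
    # A key that was never certified, so the mismatch case can be shown.
    openssl genrsa -out "$d/private/other.key" 2048 2>/dev/null
}

# Demo run on the constructed data in a temporary directory.
demo=$(mktemp -d) && make_demo "$demo" &&
    check_issued "$demo/ca/ca.crt" "$demo/certs/intranet.local.crt" \
                 "$demo/private/intranet.local.key" intranet.local
```

Against real output, run check_issued with ca/ca.crt, the certs/ and private/ files for your hostname, and the hostname itself.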