Internal Certificate Authority generator

incert: Internal PKI Infrastructure

Generate and manage an internal certificate authority for basic self-signed, trusted certificates across multiple domains or machines.

CA Setup

Before you start, you have to generate the CA key and certificate themselves.

First, a private key:

$ openssl genrsa -out ca/ca.key 4096

Then, create a CA public certificate (answer all the questions it asks accordingly):

$ openssl req -x509 -new -nodes -key ca/ca.key -sha256 -days 3650 -out ca/ca.crt

Then you should be ready to go!

Modifying default values

You should modify the default Organization information in openssl.cnf, unless you want to generate certs claimed to be owned by BlackieOps.

Creating a certificate

A script, ./generate, is provided for ease of use.

Usage:

        ./generate HOSTNAME [WILDCARD]

Examples:

    Generate a key and certificate:
        ./generate intranet.local

    Generate a key and wildcard certificate:
        ./generate mycorp.internal 1

Usage

Copy the ca/ca.crt certificate to every browser, laptop, phone, server, or other device that should trust the certificates you generate, and mark it as trusted there. How you do that is up to you.

Collecting Certificate and Key material

./generate will output a few files for you (example.com in place of your domain):

  1. private/example.com.key is the private key;
  2. certs/example.com.crt is the certificate;
  3. certs/example.com.bundle.crt is an nginx/Apache-compatible "CA bundle", which is your certificate followed by the CA chain;
  4. csr/example.com.csr is the certificate signing request (you probably don't care about this).
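
Before deploying these files, it is worth confirming that they fit together. The following is an added example, not part of the incert repository: `check_issued` is a hypothetical helper that assumes the directory layout listed above, a key without a passphrase, and that it is run from the repository root (or given the root as a second argument).

```shell
#!/bin/sh
# Added example, not part of incert. check_issued is a hypothetical helper.
# Assumes the README's layout (ca/, certs/, private/) and an unencrypted key.
# Usage: check_issued HOST [REPO_ROOT]; returns 0 only if every check passes.
check_issued() {
    host=$1; root=${2:-.}; rc=0
    ca="$root/ca/ca.crt"
    crt="$root/certs/$host.crt"
    key="$root/private/$host.key"
    bundle="$root/certs/$host.bundle.crt"

    # 1. The certificate must chain to the CA that devices were told to trust.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca" >&2; rc=1
    fi

    # 2. The private key must belong to the certificate: compare the public
    #    key embedded in the cert with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2; rc=1
    fi

    # 3. The bundle must begin with the leaf certificate. openssl x509 reads
    #    only the first PEM block, so its fingerprint must equal the leaf's.
    leaf_fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 2>/dev/null)
    first_fp=$(openssl x509 -in "$bundle" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$leaf_fp" ] || [ "$leaf_fp" != "$first_fp" ]; then
        echo "FAIL: $bundle does not begin with $crt" >&2; rc=1
    fi

    # 4. The private key should not be readable by group or other.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by group or other" >&2; rc=1
    fi

    return $rc
}

# When invoked as a script with arguments, run the checks directly.
if [ "$#" -gt 0 ]; then
    check_issued "$@"
fi
```

For example, `check_issued intranet.local` after `./generate intranet.local` prints one FAIL line per problem and returns non-zero if any check failed.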