Skip to content
/ simple-mtls Public

Creates a simple mTLS setup using a self-signed certificates (CA, Server)

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

fincloud-io/simple-mtls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
certificates_dot_ini
certificates_dot_ini
 
 
create-client-cert.sh
create-client-cert.sh
 
 
create-server-certs.sh
create-server-certs.sh
 
 
parse_ini.sh
parse_ini.sh
 
 

Repository files navigation

Setting up mTLS with your own CA

Certificate generation

OpenSSL

Getting Started

This script does a number of things to provision a simple self-signed mTLS installation:

  • 1 Creates a self-signed Root Certification Authority (CA)

  • 2 Creates an Intermediate Certification Authority (CA) signed by the Root CA

  • 3 Creates a Server certificate, issued by the Intermediate CA

  • 4 Creates client certificates from CSR files

Although a self-signed intermediateCA might be overkill, this is how the larger PKCS systems operate. Should a key get compromised, or a security issue with a root certificate arise, just the intermediateCA and all child certificates need to be re-issued (rather than everything back to the root level).

mTLS authentication requires certificates on both client and server in order to operate. Many small firms don't have a PKCS infrastructure in place, and therefore need to create self-signed certificates using their own Certification Authority (CA) - (also created as part of this process).

The scripts in this directory can automate the creation of the certificates.

Prerequisites

  • gawk required for parsing ini files
  • BASH version > 3.2 (see troubleshooting below, OSX requires a newer bash install than the default)
  • Create a certificate.ini file from the template
  • Ensure that secure passwords > 6 characters are used for both the ca and server entries

Server Certificate generation

Once the script below has been run, a new named subdirectory will be created, with both the CA certificates and the Server cert / truststore.

create_server_cert.sh

The following two files in the named directory should be used for the gateway installation:

myserver.pfx, truststore.jks

Generating a client certificate

Clients who want to connect with mTLS, will need a certificate issued and signed by our server. Clients should provide a Certificate Signing Request (CSR) file which should then be supplied to the script below. This will produce a client cert.

create-client-cert.sh <csr_file>

Example:

Signature ok
   subject=C = US, ST = New York, L = New York City, O = Megacorp Client LLC, OU = IT Department, CN = megacorp.client1, emailAddress = root@megacorpclient.com

The client certificate can be found in the client subdirectory, with the name client.crt.

Troubleshooting

I keep getting errors like this

declare: usage: declare [-afFirtx] [-p] [name[=value] ...]

Upgrade your version of BASH - OSX in particular comes installed with a very old version unlikely to be upgraded.

brew install bash

Note, this doesn't replace the pre-installed version of bash, so won't affect other scripts. New bash will be installed in /usr/local/bin. see article Upgrading bash on OSX

Thanks to Sleepless Beastie for the helpful ini parsing code

Jon Jenkins 01/08/2021

About

Creates a simple mTLS setup using a self-signed certificates (CA, Server)

Topics

tls ssl certificate openssl mtls openssl-certs mtls-authentication

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages