[TriLUG] any OpenSSL/cert experts out there?

Alan Porter via TriLUG trilug at trilug.org
Sat May 23 17:55:46 EDT 2015


> It would be nice if this process would be simplified. Ric

One problem I have run into is that most scripts that you find
online secretly rely on some special settings in the author's
openssl.conf file.  It's maddening to work through an example
and it just does not work like the author's example.

So I created a script that does not rely on any presets.  It
creates a temporary openssl.conf file and uses those settings
while running, and then deletes the file.

https://github.com/sudoer/sslcerts

The three things that this script does are (1) create a CA
certificate (2) create a domain certificate and (3) sign the
domain certificate with the CA certificate.  I use these for
my own CA.

It also handles multi-domain certificates, using subAltName.
That is, one cert can be used for several domains and sub-
domains.

I would like to add a better validation chain... I hear that
"real" CAs use a CA cert, then a signing cert, and then your
certs.  Mine only has the two levels.

By the way, this is the script that I used to create our
domain certs at TriLUG.org.  But we have them signed by
StartCom (startssl.com) instead of being signed by our own
CA.


Alan
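
The approach described in this message, as an added example (it is not the sslcerts script and not Alan's code): a shell function that writes its own temporary OpenSSL config, creates a CA certificate, creates a domain key and request, signs the request with a subjectAltName list, and deletes the config afterwards. The function name `make_certs`, the output file names, the "Example Test CA" subject and the example.test domains are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; make_certs, the file names and example.test are constructed.
# Usage: make_certs OUTDIR DOMAIN [ALT_NAME...]
make_certs() (
    umask 077                                 # keys readable by owner only
    out=$1; cn=$2; shift 2
    san="DNS:$cn"                             # CN is repeated as the first SAN
    for n in "$@"; do san="$san,DNS:$n"; done
    mkdir -p "$out" || exit 1
    cnf=$(mktemp "$out/openssl.cnf.XXXXXX") || exit 1
    trap 'rm -f "$cnf"' EXIT                  # removed on success or failure
    # Every req/extension setting used below lives in this file, so none of
    # them comes from whatever openssl.cnf the system happens to ship.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    # (1) self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" &&
    # (2) domain key and certificate signing request
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$cnf" -subj "/CN=$cn" \
        -keyout "$out/$cn.key" -out "$out/$cn.csr" &&
    # (3) sign with the CA; the SAN list is applied here via -extfile,
    #     because "x509 -req" does not copy extensions from the CSR by default
    openssl x509 -req -in "$out/$cn.csr" -sha256 -days 365 \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_server -out "$out/$cn.crt"
)
```

Run as `make_certs ./certs example.test www.example.test`, then check the result with `openssl verify -CAfile ./certs/ca.crt ./certs/example.test.crt`.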