Low-tech SSL certificate maintenance

Edd Dumbill posted a short article on doing SSL certificate maintenance when you run your own certificate authority. His approach automates creating and maintaining certificates with one small configuration file per certificate plus a couple of Makefile rules. He first writes a configuration file for each certificate, such as the following:

[ req ]
prompt = no
distinguished_name = server_distinguished_name
# Without these two keys the extension sections below are never read:
# req_extensions applies to the CSR, x509_extensions only to `openssl req -x509`
req_extensions = req_extensions
x509_extensions = x509_extensions

[ server_distinguished_name ]
commonName = server.usefulinc.com
stateOrProvinceName = England
countryName = GB
emailAddress = edd@usefulinc.com
organizationName = Useful Information Company
organizationalUnitName = Hosting

[ req_extensions ]
# subjectAltName values need a type prefix (email:, DNS:, IP:); a bare value is rejected
subjectAltName = email:edd@usefulinc.com
issuerAltName = issuer:copy
nsCertType = server

[ x509_extensions ]
subjectAltName = email:edd@usefulinc.com
issuerAltName = issuer:copy
nsCertType = server

He then sets up the Makefile rules with the following:

.SUFFIXES: .pem .cnf

# foo.cnf -> foo.pem: key plus CA-signed certificate in one file, with a
# hash-named symlink so OpenSSL can find it in a certificate directory.
# Recipe lines must be indented with a tab.
.cnf.pem:
	OPENSSL_CONF=$< openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
	openssl rsa <tempkey.pem > `basename $< .cnf`_key.pem
	chmod 400 `basename $< .cnf`_key.pem
	OPENSSL_CONF=./usefulCA/openssl.cnf openssl ca -in tempreq.pem -out `basename $< .cnf`_crt.pem
	rm -f tempkey.pem tempreq.pem
	cat `basename $< .cnf`_key.pem `basename $< .cnf`_crt.pem > $@
	chmod 400 $@
	ln -sf $@ `openssl x509 -noout -hash < $@`.0

You can also set up an alternate Makefile rule if you want the certificate signed by an external certificate authority; this rule only produces the key and the certificate signing request (CSR) you send to them:

.SUFFIXES: .pem .cnf .reqcnf .csr

# foo.reqcnf -> foo.csr (and foo.key); the CSR goes to the external CA
.reqcnf.csr:
	OPENSSL_CONF=$< openssl req -newkey rsa:1024 -keyout `basename $< .reqcnf`.key -keyform PEM -out `basename $< .reqcnf`.csr -outform PEM
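The whole flow from the Makefile above, run end to end in a scratch directory and followed by the checks an administrator would want after `make`, as an added example that is not code from Edd Dumbill's article. It assumes only that the `openssl` command-line tool is installed; the CA directory layout, the `demo_ca` config, the `server.example.test` name and the function names are all constructed for this demo. It deviates from the article in two deliberate ways: 2048-bit keys instead of 1024, and `-nodes` instead of generating a passphrase-protected key and stripping it with `openssl rsa` afterwards.

```shell
#!/bin/sh
# Added example, not code from Edd Dumbill's article: builds a throwaway CA
# and issues one server certificate in a scratch directory, then checks the
# result the way an admin would after running `make`. All names, paths and
# the CA config are assumptions for this demo; only the article's step order
# (req -> key -> ca -> cat -> hash symlink) is mirrored. Needs the openssl
# command-line tool; runs offline.

write_configs() {
    dir="$1"
    mkdir -p "$dir/ca/newcerts" "$dir/ca/certs"
    : > "$dir/ca/index.txt"        # `openssl ca` issuance database
    echo 01 > "$dir/ca/serial"     # next serial number
    # CA config: [ ca ] is read by `openssl ca` when signing; [ req ] is used
    # once, to self-sign the CA certificate itself.
    cat > "$dir/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database = $dir/ca/index.txt
new_certs_dir = $dir/ca/newcerts
serial = $dir/ca/serial
certificate = $dir/ca/cacert.pem
private_key = $dir/ca/cakey.pem
default_md = sha256
default_days = 365
policy = demo_policy
copy_extensions = copy
x509_extensions = server_cert

[ demo_policy ]
commonName = supplied

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext

[ ca_dn ]
commonName = Demo Test CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Per-certificate config in the article's style. req_extensions is the
    # key that makes [ server_ext ] actually land in the CSR.
    cat > "$dir/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = server_dn
req_extensions = server_ext

[ server_dn ]
commonName = server.example.test

[ server_ext ]
subjectAltName = DNS:server.example.test
EOF
}

# Build the CA and issue one certificate; non-zero return on any failure.
build_demo_pki() {
    dir="$1"
    write_configs "$dir" || return 1
    openssl req -config "$dir/ca/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca/cakey.pem" -out "$dir/ca/cacert.pem" -days 365 2>/dev/null || return 1
    # -nodes writes the key unencrypted up front; the article gets to the same
    # place by stripping the passphrase with `openssl rsa < tempkey.pem`
    openssl req -config "$dir/server.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/server_key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
    chmod 400 "$dir/server_key.pem"
    # -batch answers the sign/commit prompts, which matters inside a Makefile
    openssl ca -config "$dir/ca/openssl.cnf" -batch -notext \
        -in "$dir/server.csr" -out "$dir/server_crt.pem" >/dev/null 2>&1 || return 1
    cat "$dir/server_key.pem" "$dir/server_crt.pem" > "$dir/server.pem"
    chmod 400 "$dir/server.pem"
    # Hash-named symlink: how a -CApath directory locates the CA certificate
    hash=$(openssl x509 -noout -hash -in "$dir/ca/cacert.pem") || return 1
    ln -sf ../cacert.pem "$dir/ca/certs/$hash.0"
}

verify_chain() {        # post-issue check: does the cert chain to our CA?
    openssl verify -CAfile "$1/ca/cacert.pem" "$1/server_crt.pem" >/dev/null 2>&1
}
verify_via_capath() {   # same check, resolved through the hash symlink
    openssl verify -CApath "$1/ca/certs" "$1/server_crt.pem" >/dev/null 2>&1
}
cert_has_san() {        # did the CSR's extension survive signing?
    openssl x509 -in "$1/server_crt.pem" -noout -text | grep -q "DNS:$2"
}
```

Source the file and call `build_demo_pki "$(mktemp -d)"` followed by `verify_chain` on the same directory. The two points worth taking from it back to the Makefile: `copy_extensions = copy` in the CA config is what carries the request's `subjectAltName` into the issued certificate (otherwise `openssl ca` silently drops it, which `cert_has_san` would catch), and `verify_via_capath` shows what the `ln -sf ... <hash>.0` step in the article's last recipe line is for.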

This can really speed up certificate management when you have to handle several certificates at a time. David Pashley also wrote a more extensive article on SSL certificate maintenance with your own certificate authority, and there are several other tutorials on creating your own self-signed certificates.

Low-tech SSL certificate maintenance - [Behind the Times - Edd Dumbill's weblog]

Originally posted on Mon Jun 30, 2008