Creating certificates with a script
Written by Florian Riedl (2019-09-12)
Overview
This small article describes is a quick addon to the TLS guides. It describes in short words, how you can create some quick and dirty certificates for testing.
Disclaimer: When creating certificates with the attached scripts and more or less default configurations, you cannot create secure certificates. You need to use more detailed configuration files to create secure certificates.
Description
We created a few simple scripts and added configuration files from the sample
configuration in the certtool man page. You can download them here: Download Scripts.
The tarball contains 6 files, 3 scripts and 3 configurations. To execute, you must make the scripts executable and have certtool installed via libgnutls.
Script 1 creates the CA key and certificate as outlined in Setting up the CA
Script 2 creates the machine key and certificate for a client.
Script 3 creates the machine key and certificate for a server.
These scripts can easily be combined into one. But, we decided to go for separate scripts so each step can be repeated separately if needed.
After the scripts are executed, you should have 2 new files per script. Distribute the files to the machines as described before.
Example
Apart from executing the scripts, no extra input is required. All input from manual certificate creating can be done automatically via the configuration template in the cfg files.
Sample output for the CA certificate generation.
test@ubuntu:~/Documents$ ./1-generate-ca.sh
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
Generating a self signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 5d7a6351
Validity:
Not Before: Thu Sep 12 15:25:05 UTC 2019
Not After: Sun Sep 09 15:25:05 UTC 2029
Subject: C=US,O=Example,OU=Example,CN=CA-Cert
Subject Public Key Algorithm: RSA
Certificate Security Level: Low
Modulus (bits 2048):
00:95:28:40:b6:4d:60:7c:cf:72:1d:17:36:b5:f1:11
0d:42:05:e9:38:c7:6e:95:d9:42:02:c5:4b:f2:9d:e2
c8:31:ac:18:ae:55:f7:e0:4c:dd:6d:72:32:01:fa:1d
da:a1:3d:ad:c9:13:0a:68:3e:bc:40:6a:1e:f2:f7:65
f0:e9:64:fa:84:8b:96:15:b5:10:f3:99:29:14:ee:fc
88:8d:41:29:8e:c7:9b:23:df:8b:a3:79:28:56:ed:27
66:a4:9a:fa:75:47:67:0a:e2:f4:35:98:e8:9e:ad:35
c2:b2:17:8b:98:72:c4:30:58:fd:13:b6:f4:01:d0:66
56:be:61:85:55:dc:91:b6:4e:0a:3f:d4:3f:40:fa:a8
92:5e:c5:dd:75:da:c3:27:33:59:43:47:74:fe:d2:28
14:49:62:ee:39:22:34:6b:2f:e8:d1:ba:e9:95:6d:29
d2:6f:8a:a2:fc:c8:da:f0:47:78:3b:2c:03:dc:fb:43
31:9e:a1:cb:11:18:b9:0b:31:d3:86:43:68:f8:c4:bd
ab:90:13:33:75:e9:b5:ca:74:c3:83:98:e9:91:3d:39
fb:65:43:77:0b:b2:bc:3b:33:c2:91:7e:db:c3:a2:a1
80:0b:a0:ce:cb:34:29:8b:24:52:25:aa:eb:bd:40:34
cb
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Other Information:
Public Key Id:
6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Signing certificate...
Sample output for the machine certificate generation.
test@ubuntu:~/Documents$ ./2-generate-client.sh
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
Generating a PKCS #10 certificate request...
Generating a signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 5d7a6402
Validity:
Not Before: Thu Sep 12 15:28:02 UTC 2019
Not After: Sun Sep 09 15:28:02 UTC 2029
Subject: C=US,O=Example,OU=Example,CN=Test Client
Subject Public Key Algorithm: RSA
Certificate Security Level: Low
Modulus (bits 2048):
00:bd:7f:0b:20:2e:fe:f1:49:91:71:fa:f1:72:76:6b
c0:96:ce:e0:85:80:a3:6a:d2:9e:07:dd:02:94:4f:df
c8:34:13:7d:d1:8f:b8:1b:1f:cf:b8:b7:ae:2f:dd:9a
da:52:6e:a3:f4:73:20:63:32:46:c2:e1:94:73:6b:cd
b4:e4:82:46:25:b0:62:f9:12:28:4f:4f:76:23:5c:47
1b:f9:61:cd:68:c1:c1:17:93:90:3c:d2:2b:6e:82:c2
a3:ca:80:b7:89:6e:b6:16:ae:47:05:e5:b4:07:bf:75
d9:bd:aa:fe:79:77:72:6e:af:ed:5b:97:d1:e0:00:ba
ab:6f:9e:1f:a6:d4:95:d7:d3:39:88:9b:58:88:28:a0
7e:b6:fe:07:7e:68:ad:a1:d0:23:12:3d:96:b2:a8:8e
73:66:c0:4f:10:a0:e5:9e:ab:2a:37:1d:83:b1:c3:e5
7c:35:cc:20:05:7c:7e:41:89:f1:b3:6b:e4:00:f2:bc
0b:08:55:07:b3:67:e4:14:1c:3c:64:1b:92:2d:d7:f0
f7:d4:dc:d7:63:1e:fd:e4:98:bc:6b:f1:1a:a9:af:05
7a:94:52:f5:b5:36:f0:0c:c0:41:0a:39:b7:fb:b3:50
c1:ce:ee:24:56:61:77:9d:9e:e1:d0:e1:39:f0:cc:b6
29
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Key Identifier (not critical):
5a1a7316c4594cafafbeb45ddb49623af3a9f231
Authority Key Identifier (not critical):
6bbe9a650dbcaf5103c78daf8a2604d76a749f42
Other Information:
Public Key Id:
5a1a7316c4594cafafbeb45ddb49623af3a9f231
Signing certificate...
Be sure to safeguard ca-key.pem! Nobody except the CA itself needs to have it. If some third party obtains it, you security is broken!
See also
Help with configuring/using Rsyslog:
Mailing list - best route for general questions
GitHub: rsyslog source project - detailed questions, reporting issues that are believed to be bugs with
Rsyslog
See also
Contributing to Rsyslog:
Source project: rsyslog project README.
Documentation: rsyslog-doc project README
Copyright 2008-2023 Rainer Gerhards (Großrinderfeld), and Others.