UniServer CA2: Batch File Details
Uniform Server 5.5-Nano CA Demo
Portable CA - Batch File Details
The batch files used in the UniServer portable CA are not complex and are easily modified should you wish to tailor them for your own use.
The real work is performed by OpenSSL; the trick is getting the command line syntax correct for running from within a batch file. This page looks at that syntax and provides some additional detail.
Create_CA.bat
This batch file creates your CA (certificate authority), including the CA's private/public key and a repository for new keys.
The following are created in folder UniServer\udrive\plugins\UniServer_CA\CA:
- index.txt - A text database recording every issued and revoked certificate.
- serial - Each signed certificate must have a unique serial number; this file tracks the next serial.
- certs - Folder.
- clients - Folder containing a sub-folder for each client with all associated material.
- crl - Folder containing the newly generated certificate revocation list, crl.pem.
- newcerts - Folder containing all signed certificates.
- private - Folder containing the CA key only.
- requests - Temporary folder for signing requests.
- server - Folder containing all associated material for the server.
Create CA
The batch file executes this command line to create the CA key (ca.key) and its self-signed certificate (ca.crt):
openssl req -config openssl.cnf -new -x509 -days 10950 -sha1 -newkey rsa:1024 -keyout private/ca.key -out ca.crt -subj "/O=%unitO%/OU=%unitOU%"
The CA key is protected by a pass phrase, which is required whenever certificates are signed or revoked.
Server.bat
This batch file creates the server certificate (server.crt) and key (server.key); the certificate is signed by the above CA.
The batch file executes the following command lines:
Create Server Key and Certificate
openssl req -new -sha1 -newkey rsa:1024 -nodes -keyout server.key -out request.pem -subj "/O=%unitO%/OU=%unitOU%/CN=%unitCN%"
Sign certificate
openssl ca -config openssl.cnf -days 10950 -policy policy_anything -extensions ssl_server -out requests/signed.pem -infiles requests/request.pem
Convert to pure PEM for Apache
openssl x509 -in requests/signed.pem -out requests/server.crt
Copy files
- copy server\ca.crt ..\..\..\usr\local\apache2\conf\ssl.crt\ca.crt >nul
- copy server\server.crt ..\..\..\usr\local\apache2\conf\ssl.crt\server.crt >nul
- copy server\server.key ..\..\..\usr\local\apache2\conf\ssl.key\server.key >nul
Client.bat
This batch file creates a personal (client) certificate (xxxx.p12): a PKCS#12 file combining the client certificate and key, signed by the CA.
Note: xxxx is the common name (CN) entered.
The batch file executes the following command lines:
Create Client Key and Certificate
openssl req -new -sha1 -newkey rsa:1024 -nodes -keyout client.key -out request.pem -subj "/O=%unitO%/OU=%unitOU%/CN=%unitCN%"
Sign Client Certificate
openssl ca -config openssl.cnf -days 3650 -policy policy_anything -extensions ssl_client -out requests/signed.pem -infiles requests/request.pem
Generate Client Browser Certificate (.p12 format)
openssl pkcs12 -export -clcerts -in requests/signed.pem -inkey client.key -out "%unitCN%.p12"
All client certificates are found in their named sub-folder in this folder:
- UniServer\plugins\UniServer_CA\CA\clients
Revoke.bat
This batch file revokes a personal (client) certificate (xxxx.p12) using its unique serial number.
The batch file executes the following command lines:
Revoke Certificate
openssl ca -config openssl.cnf -revoke newcerts/%serial%.pem
Create revocation list (CRL)
openssl ca -config openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl/crl.pem
Copy revocation list to server
- copy crl\crl.pem ..\..\..\usr\local\apache2\conf\ssl.crt\crl.pem >nul
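As an added example (not part of the UniServer batch files), the following Python audits the CA text database CA/index.txt that Create_CA.bat initialises and that every sign and revoke command above updates: it maps a client CN to the %serial% Revoke.bat needs, and classifies serials as usable, revoked, or expired but still marked valid. The index contents and the reference time are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample of CA/index.txt. Each tab-separated line holds:
# status (V valid, R revoked, E expired), expiry, revocation time[,reason],
# serial (hex, the name of newcerts/<serial>.pem), file name, subject DN.
SAMPLE_INDEX = (
    "V\t360101000000Z\t\t01\tunknown\t/O=UniServer CA/OU=Secure Demo CA/CN=localhost\n"
    "R\t350101000000Z\t250115120000Z,keyCompromise\t02\tunknown"
    "\t/O=UniServer CA/OU=Secure Demo CA/CN=alice\n"
    "V\t350101000000Z\t\t03\tunknown\t/O=UniServer CA/OU=Secure Demo CA/CN=bob\n"
    "V\t200101000000Z\t\t04\tunknown\t/O=UniServer CA/OU=Secure Demo CA/CN=carol\n"
)

def parse_time(value):
    """Parse OpenSSL UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per certificate recorded in the index."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rev_time, _, reason = revoked.partition(",")
        rdns = dict(p.split("=", 1) for p in subject.strip("/").split("/"))
        entries.append({"status": status, "serial": serial, "cn": rdns.get("CN"),
                        "expires": parse_time(expiry), "reason": reason or None,
                        "revoked": parse_time(rev_time) if rev_time else None})
    return entries

def serial_for_cn(text, cn):
    """Look up the %serial% that Revoke.bat needs for a given client CN."""
    return [e["serial"] for e in parse_index(text) if e["cn"] == cn]

def audit(text, now):
    """Classify serials at time 'now' (OpenSSL time string) as usable,
    revoked, or expired but still marked V (not yet purged by 'openssl ca -updatedb')."""
    ref = parse_time(now)
    usable, revoked, stale = [], [], []
    for e in parse_index(text):
        if e["status"] == "R":
            revoked.append(e["serial"])
        elif e["expires"] <= ref:
            stale.append(e["serial"])
        else:
            usable.append(e["serial"])
    return usable, revoked, stale
```

Point the functions at the real CA\index.txt to confirm that a revoked serial actually appears with status R before regenerating and copying crl.pem.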
SSL Batch command lines - parameters
Each command line subject takes up to three parameters, for example:
-subj "/O=%unitO%/OU=%unitOU%/CN=%unitCN%"
These are either user input or defaults.
Code taken from Create_CA demonstrates this:
rem ## Get user input or use defaults
set /p input2= O Organisation Name (eg, company) [%unitO%] :
if "%input2%"=="" goto :NOACTION2
set unitO=%input2%
:NOACTION2
set /p input3= OU Organisation Unit (eg, section) [%unitOU%] :
if "%input3%"=="" goto :NOACTION3
set unitOU=%input3%
:NOACTION3
If the user hits Enter, a default value is used; the defaults are defined by this code (placed at the top of the file):
rem *************** Edit *************************
set unitO=UniServer CA
set unitOU=Secure Demo CA
rem ************** End Edit **********************
Summary
The above shows the correct OpenSSL command line syntax to use for certificate generation and how to pass subject parameters.
That concludes this write-up.