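# $Id$
#
# The author disclaims all copyrights and releases this document into
# the public domain.
#
# Rules to assist in generation and management of TLS keys and
# certificates. These include:
#
# make csr          creates "certificate signing request" for a CA
# make temp         creates temporary certificate from the CSR, signed
#                   with the same key, until the CA returns the real one
# make self         creates self-signed certificate
# make rsa          generates RSA key (above rules more practical)
# make fingerprint  shows checksum of certificate file (if any).

# Remove a target whose recipe failed, so a truncated key, CSR or
# certificate is not mistaken for an up-to-date one on the next run.
.DELETE_ON_ERROR:

# These names are commands, not files; without this a stray file called
# "rsa" or "self" in the directory would silently disable the rule.
.PHONY: csr temp self rsa

# default filename to use; override on command line using the
# following syntax:
# make csr file=someotherkeyfilename
file=host

OPENSSL=openssl

# set to '-rand file:file2' to bring in other random data sources
# for key generation if you see the following error message:
# "warning, not much extra random data, consider using the -rand option"
# example usage:
# make csr RAND="-rand /tmp/file1"
# A seed file adds entropy only if other local users can neither read nor
# replace it; prefer a private path over a shared directory such as /tmp.
RAND=

# how many days self-signed/temp keys should be good for
# NOTE(review): 356 may be a typo for 365 -- confirm; value kept as-is.
DURATION=356

KEYFILE=$(file).key
CERTFILE=$(file).cert
CSRFILE=$(file).csr

# how many bits RSA keys should be. 1024-bit RSA is no longer considered
# adequate, so the default is 2048; override with BITS=<n> if required.
BITS=2048

######################################################################
#
# RULES

# certificate signing request (for when obtaining cert from third-party
# Certificate Authority)
csr: $(KEYFILE) $(CSRFILE)

# The key is an order-only prerequisite: it must exist before the request
# is built (also under "make -j"), but touching it does not force the
# request to be regenerated.
$(CSRFILE): | $(KEYFILE)
	@$(OPENSSL) req -new -key $(KEYFILE) -out $@

# for temporary certificate until real one comes back from CA
# The signature digest is pinned to SHA-256 rather than left to the
# default of whichever openssl build is installed.
temp: $(KEYFILE) $(CSRFILE)
	@$(OPENSSL) x509 -req -days $(DURATION) -signkey $(KEYFILE) \
	  -sha256 < $(CSRFILE) > $(CERTFILE)

# creates simple self-signed certificate from keyfile (usually better to
# use a certificate authority (even your own)).
self: rsa $(CERTFILE)

# Signed with SHA-256; SHA-1 signatures are rejected by current TLS
# clients and are no longer collision resistant.
$(CERTFILE): | $(KEYFILE)
	@$(OPENSSL) req -new -x509 -nodes -key $(KEYFILE) -days $(DURATION) \
	  -sha256 > $@

# private RSA key. mode protection by default for security reasons.
# The key is written unencrypted (no cipher option is passed to genrsa),
# so the file mode is its only protection. umask 077 is set before the
# redirect creates the file, which closes the window in which the key
# would otherwise exist with the caller's default permissions until the
# chmod runs.
rsa: $(KEYFILE)

$(KEYFILE):
	@umask 077 && $(OPENSSL) genrsa $(RAND) $(BITS) > $@
	@chmod 400 $@

# prints checksum of certificate file for verification purposes
# pipe to "sed 's/.*=//'" to remove the leading "... Fingerprint=" label.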
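# Digest used for the fingerprint. It is named explicitly so the output
# does not depend on the default of the installed openssl build (MD5 or
# SHA-1 on older releases). Override on the command line, for example
# FPDIGEST=sha1, when the value must match a fingerprint published with
# a different digest.
FPDIGEST=sha256

# "fingerprint" is a command, not a file.
.PHONY: fingerprint

# Reads the certificate on stdin and prints only the fingerprint line;
# -noout suppresses the encoded certificate itself.
fingerprint:
	@$(OPENSSL) x509 -fingerprint -$(FPDIGEST) -noout < $(CERTFILE)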