cstockton/Makefile

## ca_slash_ca.cnf
[ ca ]
default_ca  = CA_default

[ CA_default ]
default_days     = 7300
default_crl_days = 30
preserve         = no
x509_extensions  = ca_extensions
email_in_dn      = no
copy_extensions  = copy
certificate      = ca/ca.pem

[ req ]
default_bits        = 4096
default_keyfile     = cakey.pem
distinguished_name  = ca_distinguished_name
x509_extensions     = ca_extensions
string_mask         = utf8only

[ ca_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = <SED>
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = <SED>
localityName                   = Locality Name (eg, city)
localityName_default           = <SED>
organizationName               = Organization Name (eg, company)
organizationName_default       = <SED>
organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = <SED>
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_default             = ca.test
emailAddress                   = Email Address
emailAddress_default           = <SED>@<SED>

[ ca_extensions ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign

## Makefile
# Certs are for local testing.
certs := api.test api01.test api02.test api03.test \
  server.test server01.test server02.test server03.test \
  client.test  client1.test client2.test client3.test

.PHONY: all
all: | $(foreach c,$(certs),$(addprefix certs/,$(c)).crt)
	# destroy private CA key immediately after make completes so it can be
	# trusted for local dev.
	test -f ca/ca.key && shred -uz -n 1024 ca/ca.key || true
	@command -v tree >/dev/null 2>&1 && tree

.PHONY: clean
clean:
	rm -rf pfx keys certs ca/ca.{crt,srl,key}

ca/ca.crt: ca/ca.cnf
	openssl req -new -x509 -nodes \
		-config $(^) \
		-days 7300 \
		-subj "/C=<SED>/ST=<SED>/L=<SED>/O=<SED>/OU=<SED>/CN=ca.test" \
		-sha256 \
		-keyout ca/ca.key -out ca/ca.crt

keys:
	mkdir -p keys

pfx:
	mkdir -p pfx

certs: keys
	mkdir -p certs

certs/%.crt: | ca/ca.crt certs pfx keys
	openssl req \
		-new -nodes \
		-config ca/ca.cnf \
		-subj "/C=<SED>/ST=<SED>/L=<SED>/O=<SED>/OU=<SED>/CN=$(*)" \
		-keyout keys/$(*).key \
		-out certs/$(*).csr
	openssl req \
		-noout -text -in certs/$(*).csr
	openssl x509 \
		-req \
		-CA ca/ca.crt \
		-CAkey ca/ca.key \
		-CAcreateserial \
		-CAserial ca/ca.srl \
		-days 7300 \
		-sha256 \
		-in certs/$(*).csr \
		-out certs/$(*).crt
	rm certs/$(*).csr
	openssl x509 \
		-noout -text -in certs/$(*).crt
	openssl verify -CAfile ca/ca.crt certs/$(*).crt
	openssl pkcs12 \
		-export \
		-out pfx/$(*).pfx \
		-inkey keys/$(*).key \
		-in certs/$(*).crt \
		-certfile ca/ca.crt \
		-passout pass:pass
	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	default_days = 7300
	default_crl_days = 30
	preserve = no
	x509_extensions = ca_extensions
	email_in_dn = no
	copy_extensions = copy
	certificate = ca/ca.pem

	[ req ]
	default_bits = 4096
	default_keyfile = cakey.pem
	distinguished_name = ca_distinguished_name
	x509_extensions = ca_extensions
	string_mask = utf8only

	[ ca_distinguished_name ]
	countryName = Country Name (2 letter code)
	countryName_default = <SED>
	stateOrProvinceName = State or Province Name (full name)
	stateOrProvinceName_default = <SED>
	localityName = Locality Name (eg, city)
	localityName_default = <SED>
	organizationName = Organization Name (eg, company)
	organizationName_default = <SED>
	organizationalUnitName = Organizational Unit (eg, division)
	organizationalUnitName_default = <SED>
	commonName = Common Name (e.g. server FQDN or YOUR name)
	commonName_default = ca.test
	emailAddress = Email Address
	emailAddress_default = <SED>@<SED>

	[ ca_extensions ]
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid:always, issuer
	basicConstraints = critical, CA:true
	keyUsage = keyCertSign, cRLSign
	# Certs are for local testing.
	certs := api.test api01.test api02.test api03.test \
	server.test server01.test server02.test server03.test \
	client.test client1.test client2.test client3.test

	.PHONY: all
	all: \| $(foreach c,$(certs),$(addprefix certs/,$(c)).crt)
	# destroy private CA key immediately after make completes so it can be
	# trusted for local dev.
	test -f ca/ca.key && shred -uz -n 1024 ca/ca.key \|\| true
	@command -v tree >/dev/null 2>&1 && tree

	.PHONY: clean
	clean:
	rm -rf pfx keys certs ca/ca.{crt,srl,key}

	ca/ca.crt: ca/ca.cnf
	openssl req -new -x509 -nodes \
	-config $(^) \
	-days 7300 \
	-subj "/C=<SED>/ST=<SED>/L=<SED>/O=<SED>/OU=<SED>/CN=ca.test" \
	-sha256 \
	-keyout ca/ca.key -out ca/ca.crt

	keys:
	mkdir -p keys

	pfx:
	mkdir -p pfx

	certs: keys
	mkdir -p certs

	certs/%.crt: \| ca/ca.crt certs pfx keys
	openssl req \
	-new -nodes \
	-config ca/ca.cnf \
	-subj "/C=<SED>/ST=<SED>/L=<SED>/O=<SED>/OU=<SED>/CN=$(*)" \
	-keyout keys/$(*).key \
	-out certs/$(*).csr
	openssl req \
	-noout -text -in certs/$(*).csr
	openssl x509 \
	-req \
	-CA ca/ca.crt \
	-CAkey ca/ca.key \
	-CAcreateserial \
	-CAserial ca/ca.srl \
	-days 7300 \
	-sha256 \
	-in certs/$(*).csr \
	-out certs/$(*).crt
	rm certs/$(*).csr
	openssl x509 \
	-noout -text -in certs/$(*).crt
	openssl verify -CAfile ca/ca.crt certs/$(*).crt
	openssl pkcs12 \
	-export \
	-out pfx/$(*).pfx \
	-inkey keys/$(*).key \
	-in certs/$(*).crt \
	-certfile ca/ca.crt \
	-passout pass:pass