This script does a number of things to provision a simple self-signed mTLS installation:

1. Creates a self-signed Root Certification Authority (CA)
2. Creates an Intermediate Certification Authority (CA) signed by the Root CA
3. Creates a Server certificate, issued by the Intermediate CA
4. Creates client certificates from CSR files
Although a self-signed intermediate CA might be overkill, this is how larger PKI systems operate. Should a key be compromised, or a security issue with a root certificate arise, only the intermediate CA and all of its child certificates need to be re-issued (rather than everything back to the root level).

mTLS authentication requires certificates on both client and server in order to operate. Many small firms don't have a PKI infrastructure in place, and therefore need to create self-signed certificates using their own Certification Authority (CA), which is also created as part of this process.
The scripts in this directory can automate the creation of the certificates.

- gawk, required for parsing the ini files
- BASH version > 3.2 (see troubleshooting below; OSX requires a newer bash install than the default)
- Create a `certificate.ini` file from the template. Ensure that secure passwords of more than 6 characters are used for both the `ca` and `server` entries.
Once the script below has been run, a new named subdirectory will be created, with both the CA certificates and the Server cert / truststore.

```sh
create_server_cert.sh
```

The following two files in the named directory should be used for the gateway installation: `myserver.pfx`, `truststore.jks`
Clients who want to connect with mTLS will need a certificate issued and signed by our CA. Clients should provide a Certificate Signing Request (CSR) file, which is then supplied to the script below. This produces a client cert.

```sh
create-client-cert.sh <csr_file>
```

Example output:

```
Signature ok
subject=C = US, ST = New York, L = New York City, O = Megacorp Client LLC, OU = IT Department, CN = megacorp.client1, emailAddress = root@megacorpclient.com
```

The client certificate can be found in the client subdirectory, with the name `client.crt`.
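As an added example (not one of this repository's scripts), here are the four steps above expressed directly in `openssl`, together with the CSR-signing step for clients and a verify function that checks a leaf the way a peer would: trusting only the root, treating the intermediate as untrusted chain material, and requiring the right extended key usage. Subject names, file names, validity periods, the `req.cnf` helper and the demo password are assumptions; the `pathlen` constraints and the `-purpose` check are what make the intermediate's limited scope enforceable rather than merely conventional.

```shell
#!/usr/bin/env bash
# Added example, not one of the repository's scripts: builds the same four-step
# hierarchy with plain openssl, then verifies leaves against the chain.
# All subject names, file names, validity periods and the password are assumptions.
set -eu

# Constructed demo password for the CA keys (replace it; keep it > 6 characters).
CA_PASS="${CA_PASS:-example-pass-change-me}"

# Minimal req config so the commands do not depend on the system openssl.cnf.
write_req_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# Issue a certificate from a CSR with the given CA key and extension file.
sign_with_ca() {  # $1=csr $2=ca cert $3=ca key $4=ext file $5=days $6=out cert
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -passin "pass:$CA_PASS" \
        -CAcreateserial -days "$5" -sha256 -extfile "$4" -out "$6" 2>/dev/null
}

build_mtls_pki() {  # $1=output directory
    d="$1"; mkdir -p "$d"; write_req_cnf "$d/req.cnf"

    # 1. Self-signed root CA: CA:TRUE with pathlen:1, so it may sign exactly one
    #    tier of intermediates, and key usage limited to signing certs and CRLs.
    openssl req -new -config "$d/req.cnf" -newkey rsa:4096 -sha256 \
        -keyout "$d/root.key" -out "$d/root.csr" -passout "pass:$CA_PASS" \
        -subj "/C=US/O=Example Org/CN=Example Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/root.ext"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -passin "pass:$CA_PASS" \
        -days 3650 -sha256 -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null

    # 2. Intermediate CA signed by the root: pathlen:0, so it can only issue leaves.
    openssl req -new -config "$d/req.cnf" -newkey rsa:4096 -sha256 \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" -passout "pass:$CA_PASS" \
        -subj "/C=US/O=Example Org/CN=Example Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > "$d/intermediate.ext"
    sign_with_ca "$d/intermediate.csr" "$d/root.crt" "$d/root.key" "$d/intermediate.ext" 1825 "$d/intermediate.crt"

    # 3. Server certificate issued by the intermediate: serverAuth EKU plus a SAN
    #    (modern clients ignore the CN when matching the host name).
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -sha256 -nodes \
        -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/C=US/O=Example Org/CN=gateway.example.internal" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:gateway.example.internal\n' > "$d/server.ext"
    sign_with_ca "$d/server.csr" "$d/intermediate.crt" "$d/intermediate.key" "$d/server.ext" 398 "$d/server.crt"

    # What the gateway presents (leaf + intermediate); clients trust only root.crt.
    cat "$d/server.crt" "$d/intermediate.crt" > "$d/server-chain.crt"
}

# 4. Sign a client's CSR with the intermediate. Only the CSR crosses the trust
#    boundary; the client's private key never leaves the client.
sign_client_csr() {  # $1=pki dir $2=csr $3=out cert
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1/client.ext"
    sign_with_ca "$2" "$1/intermediate.crt" "$1/intermediate.key" "$1/client.ext" 365 "$3"
}

# Verify a leaf the way a peer would: trust only the root, supply the
# intermediate as untrusted chain material, and require the matching EKU.
verify_leaf() {  # $1=pki dir $2=leaf cert $3=purpose (sslserver|sslclient)
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
        -purpose "$3" "$2" >/dev/null 2>&1
}

# Usage when run directly:  ./mtls_pki_example.sh ./demo-pki
if [ $# -gt 0 ]; then
    build_mtls_pki "$1"
    verify_leaf "$1" "$1/server.crt" sslserver && echo "server certificate verifies against the chain"
fi
```

The script keeps each extension set in its own small file passed via `-extfile`, so nothing depends on the distribution's `openssl.cnf`. Two checks worth keeping in any wrapper script: a client certificate must fail `-purpose sslserver` (its EKU is `clientAuth` only), and because the intermediate carries `pathlen:0`, any further CA it signs produces leaves that do not validate, which is the property that lets you re-issue just the intermediate tier after a compromise.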
If you see:

```
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
```

upgrade your version of BASH. OSX in particular comes installed with a very old version that is unlikely to be upgraded:

```sh
brew install bash
```

Note: this doesn't replace the pre-installed version of bash, so it won't affect other scripts. The new bash will be installed in /usr/local/bin; see the article "Upgrading bash on OSX".
Thanks to Sleepless Beastie for the helpful ini parsing code.

Jon Jenkins, 01/08/2021