{"id":19336731,"url":"https://github.com/samrocketman/my_internal_ca","last_synced_at":"2025-07-13T22:07:13.183Z","repository":{"id":14782850,"uuid":"17504710","full_name":"samrocketman/my_internal_ca","owner":"samrocketman","description":"A set of basic scripts for managing an internal certificate authority.","archived":false,"fork":false,"pushed_at":"2025-01-04T03:35:01.000Z","size":51,"stargazers_count":23,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-23T01:35:22.495Z","etag":null,"topics":["certificate-authorities","certificate-authority","subject-alternative-name","tls","tls-certificate-management"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/samrocketman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2014-03-07T06:12:29.000Z","updated_at":"2025-04-06T08:20:53.000Z","dependencies_parsed_at":"2024-06-21T15:57:02.568Z","dependency_job_id":"48f39b10-4c09-44d8-a0a2-77185fd60741","html_url":"https://github.com/samrocketman/my_internal_ca","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/samrocketman/my_internal_ca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fmy_internal_ca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fmy_internal_ca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fmy_interna
l_ca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fmy_internal_ca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/samrocketman","download_url":"https://codeload.github.com/samrocketman/my_internal_ca/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samrocketman%2Fmy_internal_ca/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265212424,"owners_count":23728533,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authorities","certificate-authority","subject-alternative-name","tls","tls-certificate-management"],"created_at":"2024-11-10T03:12:11.865Z","updated_at":"2025-07-13T22:07:13.094Z","avatar_url":"https://github.com/samrocketman.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# My Internal Certificate Authority\n\nI use this lightweight set of scripts to manage my own internal certificate\nauthority.  I share them with you.  My scripts are based off of\n[Be your own CA][yourca_tut] and [Docker CA][docker_ca].\n\nFeatures:\n\n* Manage a personal certificate authority.\n* Server SAN certificates ([Subject Alternative Name][wiki_san]).\n* Client certificates for TLS [mutual authentication][wiki_ma].\n* Create Java keystores from the X.509 certificates.\n\n# How to set up\n\nSystem requirements\n\n* GNU/Linux (other platforms untested)\n* openssl tools installed\n\n### Create the CA\n\nExecute `setup_ca.sh` from the current directory of the repository.  
When\nexecuted this will do a few things.  It will create the openssl `myCA` directory\nstructure for a managed certificate authority.  All certificate authority\ninformation and management will be located within the `myCA` directory.\n\n    ./setup_ca.sh\n\nCustomize the subject.\n\n    ./setup_ca.sh -subj '/C=US/ST=Pennsylvania/L=Philadelphia/O=Example Domain/OU=Systems/CN=Super Root CA'\n\n### Environment variables\n\n* `CERT_DIR` - the directory where the certificate authority certificates and\n  other client/server certificates are output.\n* `REQ_OPTS` - additional opts to pass to the `openssl req` command in a script.\n\ne.g.\n\n    CERT_DIR=\"/tmp/myCA\" ./setup_ca.sh\n\n### Sign new certificates\n\n    #server certificates\n    ./server_cert.sh example.com\n    #client certificates\n    ./client_cert.sh me@example.com\n\nA new signed certificate will be placed in `./myCA/certs/` and the private key\nwill be in `./myCA/private/`.\n\nIssue a wildcard certificate.\n\n    bash -f ./server_cert.sh '*.example.com'\n\n### Revoke certificates\n\n    ./revoke_cert.sh example.com\n\nA new certificate revocation list (crl) will be generated.  The latest is stored\nin `./myCA/crl.pem` and any previously published CRLs can be viewed at\n`./myCA/crl/crl_*.pem`.  A backup of the certificate and key will be maintained\nin `./myCA/backup` which is autocreated.  The revoked certificate will be\nremoved from `./myCA/certs` and the key will be removed from `./myCA/private`.\n\n### Generate a java keystore from certificates\n\n    ./keystore.sh example.com\n\nYou will be prompted for a password by the script.  That password will set the\njava keystore password.\n\n# Customization via .env file\n\nYou can populate a `.env` file to customize some of the options.  You can change\nthe behavior of scripts based on the environment variables set.  
The following is an\nexample.\n\n```bash\n# lan_server.sh\nLAN=192.168.1\n\n# server_cert.sh\nSERVER_EXPIRE_DAYS=397\n\n# setup_ca.sh\nCA_CERT_NAME=\"Local Certificate Authority\"\nCA_CERT_ORG=\"Gleske Internal\"\nCA_CERT_ORG_UNIT=Systems\nCA_CERT_CITY=\"Garden Grove\"\nCA_CERT_STATE=California\nCA_CERT_COUNTRY=US\n# 20 years\nCA_CERT_EXPIRE_DAYS=7300\n\n# all scripts\nREQ_OPTS=\"-batch -nodes\"\nCERT_DIR=./myCA\n```\n\n# Security recommendations\n\nHere are a few security tips if you've not managed a personal certificate\nauthority before.\n\n* Keep your certificate authority offline.  For example, store it on an\n  encrypted flash drive and disconnect it from your computer when you don't need\n  to create certificates.\n* If nobody else is accessing a service except you, then a personal certificate\n  authority is arguably more trustworthy than a third party.  Install your\n  personal CA in your browsers and devices to use.\n* Publish your certificate revocation list in a place where your browsers and\n  devices can access it.\n* Do not issue certificates longer than 398 days, otherwise Apple devices will\n  not recognize the certificate as valid.  The default issuance has been\n  reduced from 2 years down to 397 days.  The expiration is configurable.\n\n# Additional information and alternatives\n\n### Private CA Alternatives\n\nUsing self signed certificates is always a bad idea. It's far more secure to\nself manage a certificate authority than it is to use self signed certificates.\nRunning a certificate authority is easy.\n\nIn addition to the scripts in this repository, here is a short recommended list\nof scripts and resources for managing a certificate authority.\n\n1. The [xca project][xca] provides a graphical front end to certificate\n   authority management in openssl.  It is available for Windows, Linux, and Mac\n   OS.\n2. The OpenVPN project provides a nice [set of scripts][ovpn_scripts] for\n   managing a certificate authority as well.\n3. 
[Be your own CA][yourca_tut] tutorial provides a more manual method of\n   certificate authority management outside of scripts or UI.  It provides\n   openssl commands for certificate authority management.  Additionally, one can\n   read up on certificate management in the [SSL Certificates HOWTO][tldp_certs]\n   at The Linux Documentation Project.\n4. Use my scripts in this repository, which are based on option `3` in this list.\n   Supports server certs only.\n5. Use [certificate-automation][cert_auto] which is similar to these scripts\n   organized slightly differently.  Supports client certs as well.\n\nOnce a certificate authority is self managed, simply add the CA certificate to\nall browsers and mobile devices. Enjoy secure and validated certificates\neverywhere.\n\n### Public CA Alternatives\n\nIf a service you manage is designated for public access, then self managing a\ncertificate authority may not be the best option.  Signed Domain Validated (DV)\ncertificates should still be the preferred method to secure your public service.\n\n1. [CAcert.org][cacert] is a community driven certificate authority which\n   provides free SSL certificates.  Note:  See the [inclusion\n   page][cacert_inclusion] to see which applications and distros\n   include the cacert.org root certificates.\n2. 
[Let's Encrypt][lets_encrypt] is a free, automated, and open Certificate\n   Authority.\n\n[cacert]: http://www.cacert.org/\n[cacert_inclusion]: http://wiki.cacert.org/InclusionStatus\n[cert_auto]: https://github.com/berico-rclayton/certificate-automation\n[docker_ca]: https://docs.docker.com/engine/security/https/\n[lets_encrypt]: https://letsencrypt.org/\n[ovpn_scripts]: http://openvpn.net/index.php/open-source/documentation/howto.html#pki\n[tldp_certs]: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x195.html\n[wiki_ma]: https://en.wikipedia.org/wiki/Mutual_authentication\n[wiki_san]: https://en.wikipedia.org/wiki/Subject_Alternative_Name\n[xca]: http://sourceforge.net/projects/xca/\n[yourca_tut]: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamrocketman%2Fmy_internal_ca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamrocketman%2Fmy_internal_ca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamrocketman%2Fmy_internal_ca/lists"}