DummyX509: A script for X509 certs

lzap · March 22, 2021, 3:26pm

Hey,

if you need to test Foreman - Smart proxy or Client - Foreman or Client - Smart Proxy HTTPS communication in a dev setup, you might find useful a script which I actually digged on my drive. It can generate CA, server cert and client cert(s) with a single command.

Have fun!

Marek_Hulan · March 23, 2021, 8:46am

If you found this page, you may be also interested in this more complex alternative GitHub - ehelms/foreman_pki

Also from a quick scan, neither of them adds SAN to the certificate, so modern browsers won’t consider these certificates safe and you’ll be facing warning. If you want a real CA, I had a good results with step-ca open source server — Smallstep — Build Big

That’s of course very different from what this dummyx509 was designed for, just wanted to list more options in a single place.

ekohl · March 23, 2021, 9:50am

I inherited this script from @iNecas which has the same purpose:

lzap · March 23, 2021, 2:36pm

Actually, I could not get get SAN working, not because of browsers but because openssl was not copying X509 extensions into the certificate. So I removed the alias from the script, I want to keep things simple and not write yet another tool.

I asked on the internal list about the X509 V3 extension issue and I got another tool recommendation:

I’d suggest to use certgen script for this:

It supports very old and new versions of openssl transparently (it works on RHEL-5 and later) as well as creates certificates that are more typical of the public Internet.

to create a set of certificates like you described, run:

wget
https://raw.githubusercontent.com/redhat-qe-security/certgen/master/certgen/lib.sh
&&
source lib.sh

x509KeyGen ca &&
x509KeyGen server &&
x509KeyGen client

x509SelfSign ca &&
x509CertSign --CA ca server --CN [test.example.com](http://test.example.com/) --subjectAltName
DNS=[alias.example.com](http://alias.example.com/) &&
x509CertSign --CA ca -t webclient client

So just for the record, here is another one

Btw I posted it here not because I think my script is awesome, it is a very old dirty script of mine, but because Adam asked on scrum and I saw it the other day when I was searching for something else. Definitely use Erik’s tool that does look like something more useful.

ekohl · March 23, 2021, 2:44pm

I saw the same thing:

lzap · March 23, 2021, 2:51pm

For the record, newest version of OpenSSL will have ability to copy v3 extensions from request to a signed cert. It has been merged recently, it is not even in Fedora yet.

I think you saw my tech-list communication, but for the record:

tbrisker · March 24, 2021, 1:17pm

The obligatory XKCD:

Seems every person has their own tool they use. would it make sense to unify on one of them and collaborate on it?