If you need to test Foreman - Smart Proxy, Client - Foreman or Client - Smart Proxy HTTPS communication in a dev setup, you might find useful a script which I actually dug up on my drive. It can generate a CA, server cert and client cert(s) with a single command.
If you found this page, you may also be interested in this more complex alternative: GitHub - ehelms/foreman_pki
Also from a quick scan, neither of them adds SAN to the certificate, so modern browsers won’t consider these certificates safe and you’ll be facing a warning. If you want a real CA, I had good results with step-ca open source server — Smallstep — Build Big
That’s of course very different from what this dummyx509 was designed for, just wanted to list more options in a single place.
Actually, I could not get SAN working, not because of browsers but because openssl was not copying X509 extensions into the certificate. So I removed the alias from the script, I want to keep things simple and not write yet another tool.
I asked on the internal list about the X509 V3 extension issue and I got another tool recommendation:
I’d suggest to use certgen script for this:
It supports very old and new versions of openssl transparently (it works on RHEL-5 and later) as well as creates certificates that are more typical of the public Internet.
To create a set of certificates like you described, run:

```
wget https://raw.githubusercontent.com/redhat-qe-security/certgen/master/certgen/lib.sh &&
source lib.sh
x509KeyGen ca &&
x509KeyGen server &&
x509KeyGen client
x509SelfSign ca &&
x509CertSign --CA ca server --CN test.example.com --subjectAltName DNS=alias.example.com &&
x509CertSign --CA ca -t webclient client
```
So just for the record, here is another one
Btw I posted it here not because I think my script is awesome, it is a very old dirty script of mine, but because Adam asked on scrum and I saw it the other day when I was searching for something else. Definitely use Erik’s tool that does look like something more useful.
For the record, the newest version of OpenSSL will have the ability to copy v3 extensions from a request to a signed cert. It has been merged recently, it is not even in Fedora yet.
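The problem discussed in this thread (a SAN requested in the CSR that does not end up in the signed certificate) and the common workaround of supplying the extension at signing time with `-extfile`, as an added example that is not part of the thread or of any of the scripts mentioned. File names and the CA subject are constructed for the demo, the host names are the ones used above, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread): file names and the CA subject are
# constructed; the host names are the ones used in the thread.

SAN='subjectAltName=DNS:test.example.com,DNS:alias.example.com'

# make_certs DIR: build a throwaway CA and sign one CSR two different ways.
# The body is a subshell, so the cd does not leak into the caller.
make_certs() (
    mkdir -p "$1" && cd "$1" || exit 1

    # Self-signed CA certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Dummy Test CA' -keyout ca.key -out ca.crt 2>/dev/null || exit 1

    # Server key and CSR; the SAN is requested inside the CSR (-addext, 1.1.1+).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=test.example.com' \
        -addext "$SAN" -keyout server.key -out server.csr 2>/dev/null || exit 1

    # Naive signing: "x509 -req" ignores extensions in the CSR by default,
    # so this certificate comes out without the SAN.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out server-nosan.crt 2>/dev/null || exit 1

    # Workaround: hand the extension to the signing step via -extfile.
    printf '%s\n' "$SAN" > san.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -extfile san.ext -out server.crt 2>/dev/null || exit 1
)

# has_san CERT NAME: succeed if CERT lists NAME as a DNS subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo run in a temporary directory.
demo=$(mktemp -d) && make_certs "$demo" && for c in server-nosan.crt server.crt; do
    if has_san "$demo/$c" alias.example.com; then echo "$c: SAN present"
    else echo "$c: SAN missing"; fi
done
```

Because the extension file is chosen by whoever signs, this keeps the decision about which names a certificate carries with the CA side rather than with the request.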
I think you saw my tech-list communication, but for the record: