Creating a Complete Certificate Authority Infrastructure with Shell Scripting

Table of Contents#

Overview#

Managing certificates in a development or internal infrastructure environment can be complex. This guide presents a robust shell script that automatically sets up a complete PKI (Public Key Infrastructure) with a three-tier certificate hierarchy: Root CA → Intermediate CA → Server Certificates.

Architecture#

The certificate hierarchy follows industry best practices:

1
graph TD
2
    A[Root CA] -->|Signs| B[Intermediate CA]
3
    B -->|Signs| C[Server Certificate 1]
4
    B -->|Signs| D[Server Certificate 2]
5
    B -->|Signs| E[Server Certificate N]
6

7
    style A fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px
8
    style B fill:#4ecdc4,stroke:#087f5b,stroke-width:2px
9
    style C fill:#95d3ff,stroke:#1971c2,stroke-width:2px
10
    style D fill:#95d3ff,stroke:#1971c2,stroke-width:2px
11
    style E fill:#95d3ff,stroke:#1971c2,stroke-width:2px

Directory Structure#

The script creates a well-organized directory structure:

1
graph TD
2
    A[ca/] --> B[root-ca/]
3
    A --> C[intermediate-ca/]
4
    A --> D[certs/]
5
    A --> E[private/]
6
    A --> F[crl/]
7
    A --> G[csr/]
8

9
    B --> H[root-ca.crt]
10
    C --> I[intermediate-ca.crt]
11
    D --> J[Server Certificates]
12
    E --> K[Private Keys]
13
    F --> L[Revocation Lists]
14
    G --> M[Signing Requests]
15

16
    style A fill:#f8f9fa,stroke:#495057,stroke-width:2px
17
    style E fill:#ffe3e3,stroke:#c92a2a,stroke-width:2px

Complete Setup Script#

1
#!/bin/bash
2
# create-ca.sh - Script to create a Certificate Authority and generate certificates
3

4
# Create directory structure
5
mkdir -p ca/{root-ca,intermediate-ca,certs,private,crl,csr}
6
chmod 700 ca/private
7

8
# Create root CA configuration file
9
cat > ca/root-ca.conf << EOL
10
[ req ]
11
default_bits = 4096
12
default_md = sha256
13
prompt = no
14
encrypt_key = yes
15
distinguished_name = req_distinguished_name
16
x509_extensions = v3_ca
17
[ req_distinguished_name ]
18
countryName = US
19
stateOrProvinceName = YourState
20
localityName = YourCity
21
organizationName = YourOrganization
22
organizationalUnitName = YourUnit
23
commonName = YourCompany Root CA
24
emailAddress = admin@yourcompany.com
25
[ v3_ca ]
26
subjectKeyIdentifier = hash
27
authorityKeyIdentifier = keyid:always,issuer:always
28
basicConstraints = critical, CA:true
29
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
30
EOL
31

32
# Create intermediate CA configuration
33
cat > ca/intermediate-ca.conf << EOL
34
[ req ]
35
default_bits = 4096
36
default_md = sha256
37
prompt = no
38
encrypt_key = yes
39
distinguished_name = req_distinguished_name
40
x509_extensions = v3_intermediate_ca
41
[ req_distinguished_name ]
42
countryName = US
43
stateOrProvinceName = YourState
44
localityName = YourCity
45
organizationName = YourOrganization
46
organizationalUnitName = YourUnit
47
commonName = YourCompany Intermediate CA
48
emailAddress = admin@yourcompany.com
49
[ v3_intermediate_ca ]
50
subjectKeyIdentifier = hash
51
authorityKeyIdentifier = keyid:always,issuer:always
52
basicConstraints = critical, CA:true, pathlen:0
53
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
54
EOL
55

56
# Create server certificate configuration
57
cat > ca/server-cert.conf << EOL
58
[ req ]
59
default_bits = 2048
60
default_md = sha256
61
prompt = no
62
encrypt_key = no
63
distinguished_name = req_distinguished_name
64
req_extensions = v3_req
65
[ req_distinguished_name ]
66
countryName = US
67
stateOrProvinceName = YourState
68
localityName = YourCity
69
organizationName = YourOrganization
70
organizationalUnitName = YourUnit
71
commonName = your-domain.com
72
emailAddress = admin@yourcompany.com
73
[ v3_req ]
74
basicConstraints = CA:FALSE
75
keyUsage = critical, digitalSignature, keyEncipherment
76
extendedKeyUsage = serverAuth, clientAuth
77
subjectAltName = @alt_names
78
[ alt_names ]
79
DNS.1 = your-domain.com
80
DNS.2 = *.your-domain.com
81
DNS.3 = localhost
82
IP.1 = 127.0.0.1
83
EOL
84

85
# Function to generate Root CA
86
generate_root_ca() {
87
    echo "Generating Root CA..."
88

89
    # Generate Root CA private key
90
    openssl genrsa -aes256 -out ca/private/root-ca.key 4096
91
    chmod 400 ca/private/root-ca.key
92

93
    # Generate Root CA certificate
94
    openssl req -config ca/root-ca.conf \
95
        -key ca/private/root-ca.key \
96
        -new -x509 -days 7300 \
97
        -sha256 -extensions v3_ca \
98
        -out ca/root-ca/root-ca.crt
99
}
100

101
# Function to generate Intermediate CA
102
generate_intermediate_ca() {
103
    echo "Generating Intermediate CA..."
104

105
    # Generate Intermediate CA private key
106
    openssl genrsa -aes256 -out ca/private/intermediate-ca.key 4096
107
    chmod 400 ca/private/intermediate-ca.key
108

109
    # Generate Intermediate CA CSR
110
    openssl req -config ca/intermediate-ca.conf \
111
        -new -sha256 \
112
        -key ca/private/intermediate-ca.key \
113
        -out ca/csr/intermediate-ca.csr
114

115
    # Sign Intermediate CA certificate with Root CA
116
    openssl x509 -req \
117
        -in ca/csr/intermediate-ca.csr \
118
        -CA ca/root-ca/root-ca.crt \
119
        -CAkey ca/private/root-ca.key \
120
        -CAcreateserial \
121
        -out ca/intermediate-ca/intermediate-ca.crt \
122
        -days 3650 \
123
        -sha256 \
124
        -extfile ca/intermediate-ca.conf \
125
        -extensions v3_intermediate_ca
126
}
127

128
# Function to generate server certificate
129
generate_server_cert() {
130
    local domain=$1
131
    echo "Generating server certificate for $domain..."
132

133
    # Replace domain in config
134
    sed -i "s/your-domain.com/$domain/g" ca/server-cert.conf
135

136
    # Generate server private key
137
    openssl genrsa -out ca/private/$domain.key 2048
138
    chmod 400 ca/private/$domain.key
139

140
    # Generate server CSR
141
    openssl req -config ca/server-cert.conf \
142
        -key ca/private/$domain.key \
143
        -new -sha256 -out ca/csr/$domain.csr
144

145
    # Sign server certificate with Intermediate CA
146
    openssl x509 -req \
147
        -in ca/csr/$domain.csr \
148
        -CA ca/intermediate-ca/intermediate-ca.crt \
149
        -CAkey ca/private/intermediate-ca.key \
150
        -CAcreateserial \
151
        -out ca/certs/$domain.crt \
152
        -days 365 \
153
        -sha256 \
154
        -extfile ca/server-cert.conf \
155
        -extensions v3_req
156

157
    # Create certificate chain file
158
    cat ca/certs/$domain.crt \
159
        ca/intermediate-ca/intermediate-ca.crt \
160
        ca/root-ca/root-ca.crt > ca/certs/$domain.chain.crt
161
}
162

163
# Main execution
164
echo "Starting CA setup..."
165
generate_root_ca
166
generate_intermediate_ca
167

168
# Example usage for generating server certificate
169
# Uncomment and modify domain as needed
170
# generate_server_cert "example.com"
171

172
echo "CA setup complete!"
173
echo "Root CA certificate: ca/root-ca/root-ca.crt"
174
echo "Intermediate CA certificate: ca/intermediate-ca/intermediate-ca.crt"
175
echo "Generated certificates will be in ca/certs/"

Security Best Practices#

1. Private Key Protection#

1
graph LR
2
    A[Private Keys] --> B{Access Control}
3
    B --> C[chmod 400]
4
    B --> D[Encrypted Storage]
5
    B --> E[Secure Backup]
6

7
    C --> F[Read-only by owner]
8
    D --> G[AES-256 encryption]
9
    E --> H[Offline storage]
10

11
    style A fill:#ffe3e3,stroke:#c92a2a,stroke-width:2px
12
    style B fill:#fff3cd,stroke:#856404,stroke-width:2px

2. Certificate Lifecycle#

1
sequenceDiagram
2
    participant U as User
3
    participant S as Script
4
    participant RCA as Root CA
5
    participant ICA as Intermediate CA
6
    participant SC as Server Cert
7

8
    U->>S: Run script
9
    S->>RCA: Generate Root CA (20 years)
10
    RCA->>ICA: Sign Intermediate CA (10 years)
11
    ICA->>SC: Sign Server Cert (1 year)
12
    SC->>U: Certificate chain ready
13

14
    Note over SC: Regular renewal needed
15
    Note over ICA: Medium-term validity
16
    Note over RCA: Long-term offline storage

Usage Examples#

Basic Certificate Generation#

1
# Make script executable
2
chmod +x create-ca.sh
3

4
# Run the setup
5
./create-ca.sh
6

7
# Generate a server certificate
8
generate_server_cert "api.example.com"

Advanced Usage#

1
# Generate multiple certificates
2
for domain in api.example.com web.example.com admin.example.com; do
3
    generate_server_cert "$domain"
4
done
5

6
# Verify certificate chain
7
openssl verify -CAfile ca/root-ca/root-ca.crt \
8
    -untrusted ca/intermediate-ca/intermediate-ca.crt \
9
    ca/certs/api.example.com.crt

Security Considerations#

Key Storage Architecture#

1
graph TD
2
    A[CA Infrastructure] --> B[Online Components]
3
    A --> C[Offline Components]
4

5
    B --> D[Intermediate CA Key]
6
    B --> E[Server Private Keys]
7

8
    C --> F[Root CA Key]
9
    C --> G[Backup Keys]
10

11
    D --> H[HSM/Secure Server]
12
    E --> I[Production Servers]
13

14
    F --> J[Air-gapped Storage]
15
    G --> K[Safe/Vault]
16

17
    style C fill:#d0f0c0,stroke:#5cb85c,stroke-width:2px
18
    style F fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px
19
    style J fill:#d0f0c0,stroke:#5cb85c,stroke-width:2px

Access Control Matrix#

Component	Access Level	Storage Location	Backup Strategy
Root CA Key	Offline Only	Air-gapped system	Physical vault
Intermediate CA Key	Limited Access	Secure server	Encrypted backup
Server Keys	Service Access	Production servers	Automated backup
Public Certificates	Public	Web servers	Version control

Certificate Validation#

1
# Validate certificate chain
2
validate_cert_chain() {
3
    local cert=$1
4
    echo "Validating certificate: $cert"
5

6
    # Check certificate details
7
    openssl x509 -in "$cert" -text -noout
8

9
    # Verify chain
10
    openssl verify -CAfile ca/root-ca/root-ca.crt \
11
        -untrusted ca/intermediate-ca/intermediate-ca.crt \
12
        "$cert"
13
}
14

15
# Check expiration dates
16
check_expiration() {
17
    for cert in ca/certs/*.crt; do
18
        echo "Certificate: $cert"
19
        openssl x509 -enddate -noout -in "$cert"
20
    done
21
}

Integration with Applications#

Nginx Configuration#

1
server {
2
    listen 443 ssl;
3
    server_name example.com;
4

5
    ssl_certificate /path/to/ca/certs/example.com.chain.crt;
6
    ssl_certificate_key /path/to/ca/private/example.com.key;
7

8
    ssl_protocols TLSv1.2 TLSv1.3;
9
    ssl_ciphers HIGH:!aNULL:!MD5;
10
}

Apache Configuration#

1
<VirtualHost *:443>
2
    ServerName example.com
3

4
    SSLEngine on
5
    SSLCertificateFile /path/to/ca/certs/example.com.crt
6
    SSLCertificateKeyFile /path/to/ca/private/example.com.key
7
    SSLCertificateChainFile /path/to/ca/intermediate-ca/intermediate-ca.crt
8
</VirtualHost>

Troubleshooting#

Common Issues and Solutions#

Permission Denied

1
# Fix permissions
2
chmod 700 ca/private
3
chmod 400 ca/private/*.key

Certificate Verification Failed

1
# Check certificate chain
2
openssl crl2pkcs7 -nocrl -certfile certificate.chain.crt | \
3
  openssl pkcs7 -print_certs -text -noout

Key Mismatch

1
# Verify key matches certificate
2
openssl x509 -noout -modulus -in certificate.crt | openssl md5
3
openssl rsa -noout -modulus -in private.key | openssl md5

Automation and CI/CD Integration#

1
# Example GitHub Actions workflow
2
name: Certificate Management
3
on:
4
  schedule:
5
    - cron: "0 0 1 * *" # Monthly check
6
jobs:
7
  check-certificates:
8
    runs-on: ubuntu-latest
9
    steps:
10
      - uses: actions/checkout@v2
11
      - name: Check certificate expiration
12
        run: |
13
          ./scripts/check-cert-expiration.sh
14
      - name: Alert if expiring soon
15
        if: failure()
16
        uses: actions/github-script@v6
17
        with:
18
          script: |
19
            github.issues.create({
20
              owner: context.repo.owner,
21
              repo: context.repo.repo,
22
              title: 'Certificate expiration warning',
23
              body: 'One or more certificates will expire soon!'
24
            })

Conclusion#

This certificate authority setup tool provides a robust foundation for managing internal PKI infrastructure. By following the three-tier hierarchy and implementing proper security controls, you can maintain a professional-grade certificate management system suitable for development, testing, and internal production environments.

Remember to:

Keep the Root CA offline and secure
Regularly rotate server certificates
Monitor expiration dates
Maintain secure backups
Document your PKI policies and procedures

For production environments, consider using hardware security modules (HSMs) and implementing additional security measures based on your organization’s requirements.