This tool helps create a disposable PKI you can use for testing purposes, simply.
It generates a chain of X.509 certificates, up to a self-signed one.
RSA is used by default, EC is also supported.
Server certificate CN and SANs can be specified, along with various optional parameters.
./dispki.pl [-d|--depth <number>] [-b|--bits <number>] [-t|--ttl <number>] <server CN> [<server SANs>]
./dispki.pl [-d|--depth <number>] [-e|--ec] [-c|--curve <curve>] [-t|--ttl <number>] <server CN> [<server SANs>]
-d| --depth <number> -> number of intermediate CAs (default is none)
-b| --bits <number> -> key length in bits (for all key pairs, default is 2048)
-t| --ttl <number> -> TTL in days for all certificates (default is 365)
-e| --ec -> switch to elliptic curve cryptosystem
-c| --curve -> specify elliptic curve to use (default: P-256)
./dispki.pl bla.lu
This command creates a server certificate for CN bla.lu. *.bla.lu is
automatically added to the list of SANs.
Six files are produced:
0_rootca_1734329560.crt
0_rootca_1734329560.key
0_rootca_1734329560.req
1_server_1734329560.crt
1_server_1734329560.key
1_server_1734329560.req
These are organized as a sequence. In this case a chain was built with only 2 certificates. Root certificate has the lower index, 0. The leaf server certificate has indexed 1.
All files that belong to the same chain are suffixed by a common number that corresponds to the time (epoch format) when the chain was generated.
.req are OpenSSL's configurations that could be reused for manual adjustments
later on.
.crt & .key files are certificates and private keys, respectively.
Private keys file are not encrypted.
./dispki.pl -e -d 2 bla.lu bli.lu
Compared to previous command, this one adds bli.lu and *.bli.lu to the
list of SANs of the leaf server certificate.
In this case the chain was built with 2 additional intermediate certificates placed between leaf server certificate and self-signed root certificate. Root certificate has the lower index, 0. Intermediated certificate are indexed as 1 & 2. The leaf server certificate is indexed as 3.
0_rootca_1734300199.crt
0_rootca_1734300199.key
0_rootca_1734300199.req
1_intca_1734300199.crt
1_intca_1734300199.key
1_intca_1734300199.req
2_intca_1734300199.crt
2_intca_1734300199.key
2_intca_1734300199.req
3_server_1734300199.crt
3_server_1734300199.key
3_server_1734300199.req
All keypairs are EC based (-e).
A bundle file containing all CA certificates along with a file containing useful environment variables are created during the generation process:
ca_bundle_1734300199
env_1734300199
The env file can then be sourced in current shell in order to declare the following variables:
rootca_cert
server_cert
server_key
ca_bundle
These variables can, for instance, be used to start an SSL/TLS server listening on localhost port 443:
$ source env_1734300199
$ sudo -E socat openssl-listen:443,reuseaddr,cert=$server_cert,key=$server_key,cafile=$ca_bundle,verify=0,fork STDOUT
You can connect to the server using OpenSSL's s_client app from another shell:
$ source env_1734300199
$ openssl s_client -servername bla.lu -connect localhost:443 -verifyCAfile $rootca_cert
./clean.sh will delete all generated files.
- perl
- openssl